Product
Solutions
Enterprise
Customers
Docs
Blog
Pricing
Download
Schedule a demo
Get started - it's free!
Log in
© 2025

Tailscale FedRAMP and FIPS-140 considerations

Tailscale is a modern virtual private network (VPN) built on WireGuard®. While Tailscale is not yet FedRAMP authorized, many FedRAMP-certified Cloud Service Providers (CSPs) can use Tailscale today within properly scoped boundaries. The following information provides guidance when you evaluate Tailscale's fit within your FedRAMP Moderate environment.

Tailscale security posture

Tailscale is SOC 2 Type II certified. You can download the SOC 2 report from the Tailscale Legal and Trust page. Tailscale uses WireGuard for Transport Layer security (TLS) and provides end-to-end encrypted mesh networking.

Tailscale's approach to secure networking embodies the principles of least privilege and zero trust security. Tailscale provides strong cryptographic protection, hardened defaults, and detailed auditing.

FedRAMP Considerations

Tailscale is useful in FedRAMP-authorized environments even without its own FedRAMP Authority to Operate (ATO) certification if integrated appropriately. Take the following into account:

  • Boundary definition: Use National Institute of Standards and Technology (NIST) SP 800-18 and Federal Information Processing Standards (FIPS) 199 to define if Tailscale is inside or outside your system boundary.
  • System categorization: Determine whether Tailscale is a major system or supporting service.
  • Layered cryptography: If you already use FIPS-validated TLS or Internet Protocol Security (IPsec), Tailscale can operate as an additional encrypted layer.

Tailscale provides technical documentation to assist CSPs in mapping these boundaries for compliance.

FIPS 140-2/3 compliance context

FIPS 140-3 and its predecessor FIPS 140-2 define security requirements for cryptographic modules. Tailscale does not currently use a FIPS-validated cryptographic module. However, this is not always required:

  • If Tailscale traffic is wrapped in FIPS-validated encryption (such as TLS termination or IPSec), it may be considered compliant.
  • FedRAMP guidance provides for un-validated modules in layered encryption scenarios when inner layers meet SC-8(1)/SC-28(1).

Tailscale is not providing legal advice. We suggest you consult with your own experts regarding whether your use of Tailscale is considered compliant.

Last updated Nov 21, 2025