Government Standards


Red Hat is committed to making your certification and accreditation process as easy as possible. The resources below should help you comply with a variety of government requirements.

COMMON CRITERIA

Common Criteria (CC) is an international standard (ISO/IEC 15408) for evaluating and certifying the security of IT products. A product is evaluated against its Security Target, which typically claims conformance to a Protection Profile (PP) that lays out the requirements for that class of product, and the rigor of the evaluation is expressed as an Evaluation Assurance Level (EAL). An evaluation covers only the configuration described in the Security Target and the accompanying configuration guide, so a deployment must match that evaluated configuration to rely on the certificate. Learn more from the Common Criteria FAQ on the Red Hat Customer Portal.

PRODUCT | RELEASE | LEVEL | PROTECTION PROFILE | PLATFORM | DOCUMENTS | STATUS
JBoss Enterprise Application Platform | 4.3 | EAL2 | -- | -- | Security Target, Validation Report, Configuration Guide | Evaluated
JBoss Enterprise Application Platform | 5.x | EAL4+ | -- | -- | Security Target, Validation Report, Configuration Guide | Evaluated
JBoss Enterprise Application Platform | 6.2 | EAL4+ | -- | -- | Security Target, Validation Report | Evaluated
MetaMatrix Data Services Platform | 5.5.3 | EAL2+ | -- | -- | Certificate, Security Target, Validation Report | Evaluated
Red Hat Certificate System | 6.x | EAL4+ | CIMC | -- | Certificate, Security Target, Validation Report | Evaluated
Red Hat Certificate System | 8.1 | EAL4+ | CIMC | -- | Certificate, Security Target, Validation Report, Configuration Guide | Evaluated
Red Hat Enterprise Linux | 4.x | EAL3+ | CAPP | HP; SGI; Unisys | Report and Target per platform | Evaluated
Red Hat Enterprise Linux | 4.x | EAL4+ | CAPP | IBM | Report, Target | Evaluated
Red Hat Enterprise Linux | 5.x | EAL4+ | CAPP/RBACPP/LSPP | Dell; HP; IBM; SGI | Report and Target per platform | Evaluated
Red Hat Enterprise Linux | 5.x | EAL4+ | with KVM Virtualization | IBM | Report, Target | Evaluated
Red Hat Enterprise Linux | 6.x | EAL4+ | OSPP: Labeled Security, Advanced Audit, Advanced Management, Virtualization Extended Modules | SGI | Report, Target | Evaluated
Red Hat Enterprise Linux | 6.x | EAL4+ | OSPP: Labeled Security, Advanced Audit, Advanced Management | IBM | Report, Target | Evaluated
Red Hat Enterprise Linux | 6.x | EAL4+ | OSPP: 32bit, Advanced Audit | Northrop Grumman Payload Control Element (PCE) Server 309-C20213 | Report, Target | Evaluated
Red Hat Enterprise Linux | 7.x | EAL4+ | OSPP v2.0 | Dell, HP, IBM (page 23-24) | Certificate Report, Security Target | Evaluated
Red Hat Enterprise Linux | 7.x | EAL4+ | OSPP v3.9 | Dell, HP, IBM | -- | In Evaluation

FIPS 140-2

Federal Information Processing Standard (FIPS) 140-2 specifies security requirements for cryptographic modules; under NIST's Cryptographic Module Validation Program (CMVP), an accredited laboratory tests that a module implements its approved algorithms correctly before a certificate is issued. A certificate applies only to the module version and tested platforms named on it, and on Red Hat Enterprise Linux the validated modules run in their approved mode only when the system is booted in FIPS mode (kernel parameter fips=1; /proc/sys/crypto/fips_enabled then reads 1), so verify both the installed package version and the FIPS mode setting rather than relying on the product name alone. There are a number of FIPS 140-2-related articles in the Red Hat Customer Portal. You'll find a complete list of all FIPS 140-2 certificates at the NIST CMVP website. The Red Hat certificates are below.

PRODUCT | COMPONENT | VERSION | CERTIFICATE | LEVEL
Red Hat Enterprise Linux 4 | NSS | 3.11.4 | #815 | Level 1
Red Hat Enterprise Linux 4 | NSS | 3.11.4 | #814 | Level 2
Red Hat Enterprise Linux 4 | NSS (Freebl) | 3.12.4 | #1293 | Level 1
Red Hat Enterprise Linux 4 | NSS | 3.12.4 | #1280 | Level 2

Red Hat Enterprise Linux 5 | Kernel Cryptographic API | 1.0 | #1387 | Level 1
Red Hat Enterprise Linux 5 | libgcrypt | 1.0 | #1305 | Level 1
Red Hat Enterprise Linux 5 | NSS | 3.11.4 | #815 | Level 1
Red Hat Enterprise Linux 5 | NSS | 3.11.4 | #814 | Level 2
Red Hat Enterprise Linux 5 | NSS (Freebl) | 3.12.4 | #1293 | Level 1
Red Hat Enterprise Linux 5 | NSS | 3.12.4 | #1280 | Level 2
Red Hat Enterprise Linux 5 | OpenSSH Client | 1.0 | #1385 | Level 1
Red Hat Enterprise Linux 5 | OpenSSH Server | 1.0 | #1384 | Level 1
Red Hat Enterprise Linux 5 | OpenSSL | 1.0 | #1320 | Level 1
Red Hat Enterprise Linux 5 | Openswan | 1.0 | #1386 | Level 1

Red Hat Enterprise Linux 6 | Kernel Cryptographic API | 2.0 | #1901 | Level 1
Red Hat Enterprise Linux 6 | Disk Volume Cryptographic API | 2.0 | #1933 | Level 1
Red Hat Enterprise Linux 6 | libgcrypt | 2.0 | #1757 | Level 1
Red Hat Enterprise Linux 6 | OpenSSH Client | 2.0 | #1791 | Level 1
Red Hat Enterprise Linux 6 | OpenSSH Server | 2.0 | #1792 | Level 1
Red Hat Enterprise Linux 6 | OpenSSL | 2.0 | #1758 | Level 1
Red Hat Enterprise Linux 6 | Openswan | 2.0 | #1859 | Level 1
Red Hat Enterprise Linux 6 | NSS (Freebl) | 3.12.9.1 | #1710 | Level 1
Red Hat Enterprise Linux 6 | NSS | 3.12.9.1 | #1837 | Level 1
Red Hat Enterprise Linux 6 | OpenSSL | 3.0 | #2441 | Level 1
Red Hat Enterprise Linux 6 | OpenSSH Client | 3.0 | #2447 | Level 1
Red Hat Enterprise Linux 6 | OpenSSH Server | 3.0 | #2446 | Level 1
Red Hat Enterprise Linux 6 | NSS | 3.14.3-22 | #2564 | Level 2
Red Hat Enterprise Linux 6 | Kernel Cryptographic API | 3.0 | #2582 | Level 1

Red Hat Enterprise Linux 7 | OpenSSL | 4.0 | #2441 | Level 1
Red Hat Enterprise Linux 7 | OpenSSH Client | 4.0 | #2633 | Level 1
Red Hat Enterprise Linux 7 | OpenSSH Server | 4.0 | #2630 | Level 1
Red Hat Enterprise Linux 7 | libgcrypt | 4.0 | #2657 | Level 1
Red Hat Enterprise Linux 7 | NSS | 4.0 | #2711 | Level 1
Red Hat Enterprise Linux 7 | Libreswan | 4.0 | #2721 | Level 1
Red Hat Enterprise Linux 7 | Kernel Cryptographic API | 4.0 | #2742 | Level 1
Red Hat Enterprise Linux 7 | Kernel Cryptographic API with CPACF | 4.0 | #2798 | Level 1
Red Hat Enterprise Linux 7 | GnuTLS | 4.0 | #2780 | Level 1

Security Technical Implementation Guides (STIG)

Any DOD system must meet the applicable STIG requirements before it is fielded. Below you'll find a list of guidance documents that can help you meet those requirements. You can apply STIG requirements using the OpenSCAP tools together with the scap-security-guide package, which supplies the security policies as SCAP content. SCAP (Security Content Automation Protocol) is a U.S. standard maintained by the National Institute of Standards and Technology (NIST). The OpenSCAP project is a collection of open source tools for implementing and enforcing this standard, and has been awarded SCAP 1.2 certification by NIST.

PRODUCT | GUIDANCE | STATUS
JBoss Enterprise Application Platform 5 | NIST NVD checklist | Draft
JBoss Enterprise Application Platform 6 | DISA | Released
Red Hat Enterprise Linux 5 | DISA | Released
Red Hat Enterprise Linux 6 | DISA | Released
Red Hat Enterprise Linux 7 | DISA | Released
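Running the STIG profile with OpenSCAP produces an XCCDF results file, and the practical next step is triaging which rules failed and how severe they are. The script below is an added example, not code from the Red Hat page or from the OpenSCAP project; it parses the `rule-result` elements of an XCCDF 1.2 results document and ranks the failures by severity. The scan command in the docstring is the usual scap-security-guide invocation, but the exact profile id varies between scap-security-guide releases (`oscap info` on the datastream lists the available ones). The embedded results document is constructed for the example and the rule ids in it are illustrative.

```python
"""Triage an OpenSCAP XCCDF results file: list failed STIG rules by severity.

Added example (not from the Red Hat page or the OpenSCAP project). Assumes the
results file was produced by something like:

  oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig \
      --results results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Profile ids differ between scap-security-guide releases; check `oscap info`.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"
# Order used when ranking failures for a human or a CI gate.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}
# XCCDF result values that mean the control is NOT demonstrably met.
NOT_MET = {"fail", "error", "unknown"}

# Constructed sample: a minimal XCCDF 1.2 Benchmark with one TestResult.
# Rule ids are illustrative; a real results file holds hundreds of rule-results.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_example">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_enable_fips_mode" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_not_applicable" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xml_text):
    """Return a list of {rule, severity, result} dicts, one per rule-result."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        rows.append({
            "rule": rr.get("idref", ""),
            "severity": rr.get("severity", "unknown"),
            "result": (res.text or "").strip() if res is not None else "unknown",
        })
    return rows


def short_rule_name(rule_id):
    """Strip the long SSG prefix so the rule name is readable in a report."""
    return rule_id[len(RULE_PREFIX):] if rule_id.startswith(RULE_PREFIX) else rule_id


def failed_rules(rows):
    """Rules whose result does not demonstrate compliance, in document order."""
    return [r for r in rows if r["result"] in NOT_MET]


def triage(rows):
    """Failed rules sorted highest severity first (stable within a severity)."""
    return sorted(failed_rules(rows), key=lambda r: SEVERITY_ORDER.get(r["severity"], 99))


def summarize(rows):
    """Counts of every result value, plus failures broken down by severity."""
    return {
        "counts": dict(Counter(r["result"] for r in rows)),
        "failed_by_severity": dict(Counter(r["severity"] for r in failed_rules(rows))),
    }


def has_blocking_failures(rows, severities=("high",)):
    """True if any failure is at a severity a CI gate should refuse to ship."""
    return any(r["severity"] in severities for r in failed_rules(rows))


def main(path=None):
    text = open(path, encoding="utf-8").read() if path else SAMPLE_RESULTS
    rows = parse_rule_results(text)
    for r in triage(rows):
        print(f"{r['severity']:<8} {r['result']:<6} {short_rule_name(r['rule'])}")
    s = summarize(rows)
    print("totals:", s["counts"])
    print("failed by severity:", s["failed_by_severity"])
    return 1 if has_blocking_failures(rows) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with the path to a results file from `oscap xccdf eval --results`; with no argument it runs on the embedded sample. The exit status is 1 when a high-severity rule failed, which makes the script usable as a gate in a build or image pipeline. Note that `notapplicable` and `notchecked` are not counted as failures: `notchecked` in particular means no check was performed, so a report with many of those is not evidence of compliance and should be reviewed separately.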

Criminal Justice Information Services (CJIS)

The CJIS Security Policy contains information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI).

PRODUCT | GUIDANCE | STATUS
Red Hat Enterprise Linux 7 | NIST NVD checklist | Final

US Government Configuration Baseline (USGCB)

The USGCB provides a minimum security configuration for software products. Red Hat has worked closely with various US government agencies on this guidance, which provides an excellent starting point for agency and program-specific guidance.

PRODUCT | CONTENT | STATUS
Red Hat Enterprise Linux 5 | NIST | Draft
Red Hat Enterprise Linux 6 | scap-security-guide | In development
Red Hat Enterprise Linux 7 | DRAFT | Public Draft with NIST

USGv6 (DOD IPv6)

Red Hat Enterprise Linux 5 and 6 are both certified under USGv6, which has replaced the Department of Defense (DOD) Internet Protocol version 6 (IPv6) requirements.
Press Release

COMPONENT | RHEL 5.3+ | RHEL 6.0+
Core Protocols: Host | Certified | Certified
Core Protocols: Router | - | Certified
IPsec: End-Node | Certified | Certified
SNMP: Agent-Host | - | Certified
DHCPv6: Server | - | Certified

USGv6 TESTED PRODUCT LIST

Listing of USGv6 tested devices for Red Hat, Inc.

COMPONENT | RHEL 5.6+ | RHEL 6.0+
Basic (Conf: v1.2, IOP: v1.1) | Certified | Certified
SLAAC (Conf: v1.1, IOP: v1.1) | Certified | Certified
Addr Arch (Conf: v1.2, IOP: v1.1) | Certified | Certified
ESP (Conf: v1.0, IOP: v1.1) | - | Certified
IKEv2 (Conf: v1.1, IOP: v2.0) | - | Certified
IPSECv3 (Conf: v1.2, IOP: v1.2) | - | Certified

SECTION 508

Section 508 requires that government agencies ensure that their software is accessible by those with disabilities. Red Hat supports these requirements with the completed Voluntary Product Accessibility Templates below.

PRODUCT | VERSION | VPAT
Red Hat Enterprise Linux | 4 | Download
Red Hat Enterprise Linux | 5 | Download
Red Hat Enterprise Linux | 6 | Download
Red Hat Enterprise Linux | 7 | Download
Red Hat Satellite | 5 | Download
Red Hat Satellite | 6 | Download
Red Hat OpenShift | 3 | Download
Red Hat CloudForms | 4.5 | Download
Red Hat Gluster Storage | 3 | Download
Red Hat Ceph Storage | 2.2 | Download
Red Hat Storage Console | 3 | Download
JBoss Enterprise Application Platform | 6 | Download

US ARMY CERTIFICATE OF NETWORTHINESS

Army Networthiness (NW) provides an operational assessment of all systems, applications, and devices to determine supportability, sustainability, interoperability, and compliance with federal, DOD, and Army regulations and mandates. Army Regulation AR 25-1, paragraph 6-3(c), states that all activities must obtain a Certificate of Networthiness (CON) before connecting hardware or software to the LandWarNet (LWN).

The Army NW determines whether an application or system is capable or worthy to go on the Army's enterprise network and helps the Army reach its goal of establishing a standard baseline by establishing and utilizing enterprise license agreements.

NW was developed to prevent unmanaged deployments of software and hardware. It also serves as a way of ensuring that applications and hardware that connect to LWN are interoperable and will not damage other systems on the network by introducing new threats.

Networthiness certification applies to all organizations fielding, using, or managing IT assets on the LandWarNet:

  • All applications (including COTS)
  • All Government Off-the-Shelf (GOTS) software
  • All web services
  • Collaboration tools and services
  • Tactical systems
  • New, legacy, and fielded systems

A list of software with approved CONs is identified on the Army's Networthiness Program website (AKO login required).

FISMA

All federal agencies must comply with the Federal Information Security Management Act (FISMA), and Red Hat works to make that process as simple as possible. FISMA is not a product certification but rather an evaluation of the entire information system. Red Hat publishes configuration guidance for the NIST SP 800-53 controls that comprise the FISMA Moderate baseline. This is reflected in our USGCB baseline, so reviewing the USGCB content is a great place to start.

FedRAMP

FedRAMP is a variant of the FISMA process for cloud service providers and, like FISMA, is not a product certification. As with FISMA, the USGCB content is a great place to start for compliance questions. You may also be interested in talking with your Red Hat account manager about our Certified Cloud Provider Program. Red Hat components have been used in FedRAMP certified offerings, such as:

CSRA's ARC-P Cloud:
Offers FedRAMP High certified IaaS and PaaS, based on Red Hat OpenStack Platform and Red Hat OpenShift v3. Details and certification packages can be found on the GSA FedRAMP Marketplace.

BlackMesh's Secure Cloud:
Offers FedRAMP Moderate certified PaaS, based on Red Hat OpenShift v3. Details and certification packages can be found on the GSA FedRAMP Marketplace.

ICD 503

Red Hat has collaborated with the National Security Agency to release RHEL configuration guidance against ICD 503 and CNSSI 1253. This collaboration occurs in the OpenSCAP/SCAP Security Guide project, with profiles shipping natively in RHEL via the "CS2" baseline.

NISPOM CHAPTER 8

You can find guidance on meeting Chapter 8 requirements in the National Industrial Security Program Operating Manual.
