Government Standards
COMMON CRITERIA
Common Criteria (CC) is an international standard (ISO/IEC 15408) for certifying computer security software. Using Protection Profiles, computer systems can be secured to certain levels that meet requirements laid out by the Common Criteria. Learn more from the Common Criteria FAQ on the Red Hat Customer Portal.
| PRODUCT | RELEASE | LEVEL | PROTECTION PROFILE | PLATFORM | STATUS |
|---|---|---|---|---|---|
| JBoss Enterprise Application Platform | 4.3 | EAL2 | -- | Security Target, Validation Report, Configuration Guide | Evaluated |
| JBoss Enterprise Application Platform | 5.x | EAL4+ | -- | Security Target, Validation Report, Configuration Guide | Evaluated |
| JBoss Enterprise Application Platform | 6.2 | EAL4+ | -- | Security Target, Validation Report | Evaluated |
| JBoss Enterprise Application Platform | 7.1 | EAL4+ | -- | -- | In Evaluation |
| MetaMatrix Data Services Platform | 5.5.3 | EAL2+ | -- | Certificate, Security Target, Validation Report | Evaluated |
| Red Hat Certificate System | 6.x | EAL4+ | CIMC | Certificate, Security Target, Validation Report | Evaluated |
| Red Hat Certificate System | 8.1 | EAL4+ | CIMC | Certificate, Security Target, Validation Report, Configuration Guide | Evaluated |
| Red Hat Enterprise Linux | 4.x | EAL3+ | CAPP | HP: Report, Target; SGI: Report, Target; Unisys: Report, Target | Evaluated |
| Red Hat Enterprise Linux | 4.x | EAL4+ | CAPP | IBM: Report, Target | Evaluated |
| Red Hat Enterprise Linux | 5.x | EAL4+ | CAPP/RBACPP/LSPP | Dell: Report, Target; HP: Report, Target; IBM: Report, Target; SGI: Report, Target | Evaluated |
| Red Hat Enterprise Linux | 5.x | EAL4+ | with KVM Virtualization | IBM: Report, Target | Evaluated |
| Red Hat Enterprise Linux | 6.x | EAL4+ | OSPP: Labeled Security, Advanced Audit, Advanced Management, Virtualization Extended Modules | SGI: Report, Target | Evaluated |
| Red Hat Enterprise Linux | 6.x | EAL4+ | OSPP: Labeled Security, Advanced Audit, Advanced Management | IBM: Report, Target | Evaluated |
| Red Hat Enterprise Linux | 6.x | EAL4+ | OSPP: 32bit Advanced Audit | Northrop Grumman Payload Control Element (PCE) Server 309-C20213: Report, Target | Evaluated |
| Red Hat Enterprise Linux | 7.x | EAL4+ | OSPP v2.0 | Dell (Page 23-24), HP (Page 23-24), IBM (Page 23-24); Certificate Report, Security Target | Evaluated |
| Red Hat Enterprise Linux | 7.x | EAL4+ | OSPP v3.9 | Dell, HP, IBM; Certificate Report, Security Target | Evaluated |
FIPS 140-2
Federal Information Processing Standard 140-2 ensures that cryptographic modules implement their algorithms properly. There are a number of FIPS 140-2-related articles in the Red Hat Customer Portal. You'll find a complete list of all FIPS 140-2 certificates at the NIST CMVP website. The Red Hat certificates are listed below.
| PRODUCT | COMPONENT | VERSION | CERTIFICATE | CERTIFIED STATUS |
|---|---|---|---|---|
| Red Hat Enterprise Linux 4 | NSS | 3.11.4 | #815 | Level 1 |
| Red Hat Enterprise Linux 4 | NSS | 3.11.4 | #814 | Level 2 |
| Red Hat Enterprise Linux 4 | NSS (Freebl) | 3.12.4 | #1293 | Level 1 |
| Red Hat Enterprise Linux 4 | NSS | 3.12.4 | #1280 | Level 2 |
| - | - | - | - | - |
| Red Hat Enterprise Linux 5 | Kernel Cryptographic API | 1.0 | #1387 | Level 1 |
| Red Hat Enterprise Linux 5 | libgcrypt | 1.0 | #1305 | Level 1 |
| Red Hat Enterprise Linux 5 | NSS | 3.11.4 | #815 | Level 1 |
| Red Hat Enterprise Linux 5 | NSS | 3.11.4 | #814 | Level 2 |
| Red Hat Enterprise Linux 5 | NSS (Freebl) | 3.12.4 | #1293 | Level 1 |
| Red Hat Enterprise Linux 5 | NSS | 3.12.4 | #1280 | Level 2 |
| Red Hat Enterprise Linux 5 | OpenSSH Client | 1.0 | #1385 | Level 1 |
| Red Hat Enterprise Linux 5 | OpenSSH Server | 1.0 | #1384 | Level 1 |
| Red Hat Enterprise Linux 5 | OpenSSL | 1.0 | #1320 | Level 1 |
| Red Hat Enterprise Linux 5 | Openswan | 1.0 | #1386 | Level 1 |
| - | - | - | - | - |
| Red Hat Enterprise Linux 6 | Kernel Cryptographic API | 2.0 | #1901 | Level 1 |
| Red Hat Enterprise Linux 6 | Disk Volume Cryptographic API | 2.0 | #1933 | Level 1 |
| Red Hat Enterprise Linux 6 | libgcrypt | 2.0 | #1757 | Level 1 |
| Red Hat Enterprise Linux 6 | OpenSSH Client | 2.0 | #1791 | Level 1 |
| Red Hat Enterprise Linux 6 | OpenSSH Server | 2.0 | #1792 | Level 1 |
| Red Hat Enterprise Linux 6 | OpenSSL | 2.0 | #1758 | Level 1 |
| Red Hat Enterprise Linux 6 | Openswan | 2.0 | #1859 | Level 1 |
| Red Hat Enterprise Linux 6 | NSS (Freebl) | 3.12.9.1 | #1710 | Level 1 |
| Red Hat Enterprise Linux 6 | NSS | 3.12.9.1 | #1837 | Level 1 |
| Red Hat Enterprise Linux 6 | OpenSSL | 3.0 | #2441 | Level 1 |
| Red Hat Enterprise Linux 6 | OpenSSH Client | 3.0 | #2447 | Level 1 |
| Red Hat Enterprise Linux 6 | OpenSSH Server | 3.0 | #2446 | Level 1 |
| Red Hat Enterprise Linux 6 | NSS | 3.14.3-22 | #2564 | Level 2 |
| Red Hat Enterprise Linux 6 | Kernel Cryptographic API | 3.0 | #2582 | Level 1 |
| - | - | - | - | - |
| Red Hat Enterprise Linux 7 | OpenSSL | 4.0 | #2441 | Level 1 |
| Red Hat Enterprise Linux 7 | OpenSSH Client | 4.0 | #2633 | Level 1 |
| Red Hat Enterprise Linux 7 | OpenSSH Server | 4.0 | #2630 | Level 1 |
| Red Hat Enterprise Linux 7 | libgcrypt | 4.0 | #2657 | Level 1 |
| Red Hat Enterprise Linux 7 | Libreswan | 4.0 | #2721 | Level 1 |
| Red Hat Enterprise Linux 7 | Kernel Cryptographic API | 4.0 | #2742 | Level 1 |
| Red Hat Enterprise Linux 7 | Kernel Cryptographic API with CPACF | 4.0 | #2798 | Level 1 |
| Red Hat Enterprise Linux 7 | GnuTLS | 4.0 | #2780 | Level 1 |
| Red Hat Enterprise Linux 7 | libgcrypt | 4.0 and 5.0 | #2657 | Level 1 |
| Red Hat Enterprise Linux 7 | GnuTLS | 5.0 | #3012 | Level 1 |
| Red Hat Enterprise Linux 7 | OpenSSL | 5.0 and 6.0 | #3016 | Level 1 |
| Red Hat Enterprise Linux 7 | OpenSSH Server | 5.0 and 6.0 | #3063 | Level 1 |
| Red Hat Enterprise Linux 7 | OpenSSH Client | 5.0 and 6.0 | #3067 | Level 1 |
| Red Hat Enterprise Linux 7 | NSS | 5.0 | #3070 | Level 1 |
| Red Hat Enterprise Linux 7 | Libreswan | 5.0 | #3083 | Level 1 |
| Red Hat Enterprise Linux 7 | Kernel Cryptographic API | 5.0 | #3145 | Level 1 |
| Red Hat Enterprise Linux 7 | NSS | 6.0 | #3270 | Level 1 |
Security Technical Implementation Guides (STIG)
Any DOD system must meet the STIG requirements before it is fielded. Below you'll find a list of guidance documents that can help you meet the STIG requirements. You can now apply STIG requirements with ease using the OpenSCAP tools and the scap-security-guide package, which supplies the security policies. SCAP is a U.S. standard maintained by the National Institute of Standards and Technology (NIST). The OpenSCAP project is a collection of open source tools for implementing and enforcing this standard, and has been awarded SCAP 1.2 certification by NIST.
| PRODUCT | GUIDANCE | STATUS |
|---|---|---|
| JBoss Enterprise Application Platform 5 | NIST NVD checklist | Draft |
| JBoss Enterprise Application Platform 6 | DISA | Released |
| Red Hat Enterprise Linux 5 | DISA | Released |
| Red Hat Enterprise Linux 6 | DISA | Released |
| Red Hat Enterprise Linux 7 | DISA | Released |
Criminal Justice Information Services (CJIS)
The CJIS Security Policy contains information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI).
| PRODUCT | GUIDANCE | STATUS |
|---|---|---|
| Red Hat Enterprise Linux 7 | NIST NVD checklist | Final |
US Government Configuration Baseline (USGCB)
The USGCB provides a minimum security configuration for software products. Red Hat has worked closely with various US government agencies on this guidance, which provides an excellent starting point for agency and program-specific guidance.
| PRODUCT | CONTENT | STATUS |
|---|---|---|
| Red Hat Enterprise Linux 5 | NIST | Draft |
| Red Hat Enterprise Linux 6 | scap-security-guide | In development |
| Red Hat Enterprise Linux 7 | DRAFT | Public Draft with NIST |
USGv6 (DOD IPv6)
Red Hat Enterprise Linux 5 and 6 are both certified under USGv6, which has replaced the Department of Defense (DOD) Internet Protocol version 6 (IPv6) requirements.
| COMPONENT | RHEL5.3+ | RHEL6.0+ |
|---|---|---|
| Core Protocols: Host | Certified | Certified |
| Core Protocols: Router | - | Certified |
| IPsec: End-Node | Certified | Certified |
| SNMP: Agent-Host | - | Certified |
| DHCPv6: Server | - | Certified |
USGv6 TESTED PRODUCT LIST
Listing of USGv6 tested devices for Red Hat, Inc.
| COMPONENT | RHEL5.6+ | RHEL6.0+ |
|---|---|---|
| Basic (Conf: v1.2, IOP: v1.1) | Certified | Certified |
| SLAAC (Conf: v1.1, IOP: v1.1) | Certified | Certified |
| Addr Arch (Conf: v1.2, IOP: v1.1) | Certified | Certified |
| ESP (Conf: v1.0, IOP: v1.1) | - | Certified |
| IKEv2 (Conf: v1.1, IOP: v2.0) | - | Certified |
| IPSECv3 (Conf: v1.2, IOP: v1.2) | - | Certified |
SECTION 508
Section 508 requires that government agencies ensure that their software is accessible to people with disabilities. Red Hat supports these requirements with the completed Voluntary Product Accessibility Templates (VPATs) below.
| PRODUCT | VERSION | VPAT |
|---|---|---|
| Ansible Core | 2 | Download |
| Ansible Tower | 3 | Download |
| Red Hat Enterprise Linux | 4 | Download |
| Red Hat Enterprise Linux | 5 | Download |
| Red Hat Enterprise Linux | 6 | Download |
| Red Hat Enterprise Linux | 7 | Download |
| Red Hat Satellite | 5 | Download |
| Red Hat Satellite | 6 | Download |
| Red Hat OpenStack | 10 | Download |
| Red Hat OpenStack | 11 | Download |
| Red Hat OpenStack | 12 | Download |
| Red Hat OpenShift | 3 | Download |
| Red Hat CloudForms | 4.6 | Download |
| Red Hat Gluster Storage | 3 | Download |
| Red Hat Ceph Storage | 2 | Download |
| Red Hat Storage Console | 3 | Download |
| JBoss Enterprise Application Platform | 6 | Download |
| JBoss Enterprise Application Platform | 7.1 | Download |
US ARMY CERTIFICATE OF NETWORTHINESS
Army Networthiness (NW) provides an operational assessment of all systems, applications, and devices to determine supportability, sustainability, interoperability, and compliance with federal, DOD, and Army regulations and mandates. Army Regulation AR 25-1, paragraph 6-3(c), states that all activities must obtain a Certificate of Networthiness (CON) before connecting hardware or software to the LandWarNet (LWN).
The Army NW process determines whether an application or system is fit to operate on the Army's enterprise network, and it helps the Army reach its goal of a standard baseline through the establishment and use of enterprise license agreements.
NW was developed to prevent unmanaged deployments of software and hardware. It also ensures that applications and hardware connecting to the LWN are interoperable and will not damage other systems on the network by introducing new threats.
Networthiness certification applies to all organizations fielding, using, or managing IT assets on the LandWarNet:
- All applications (including COTS)
- All Government Off-the-Shelf (GOTS) software
- All web services
- Collaboration tools and services
- Tactical systems
- New, legacy, and fielded systems
A list of software with approved CONs is identified on the Army's Networthiness Program website (AKO login required).
FISMA
All federal agencies must comply with the Federal Information Security Management Act, and Red Hat works to make that process as simple as possible. FISMA is not a product certification but rather an evaluation of the entire information system. Red Hat publishes configuration guidance for the NIST 800-53 controls that comprise FISMA Moderate. This is reflected in our USGCB baseline, so reviewing the USGCB content is a great place to start.
FedRAMP
FedRAMP is a variant of the FISMA process for cloud providers and is not a product certification. Just as with FISMA, the USGCB content is a great place to start for compliance questions. You may also be interested in talking with your Red Hat account manager about our Certified Cloud Provider Program. Red Hat components have been used in FedRAMP certified offerings, such as:
CSRA's ARC-P Cloud:
Offers FedRAMP High certified IaaS and PaaS, based on Red Hat OpenStack Platform and Red Hat OpenShift v3. Details and certification packages can be found on the GSA FedRAMP Marketplace.
BlackMesh's Secure Cloud:
Offers FedRAMP Moderate certified PaaS, based on Red Hat OpenShift v3. Details and certification packages can be found on the GSA FedRAMP Marketplace.
ICD 503:
Red Hat has collaborated with the National Security Agency to release RHEL configuration guidance against ICD 503 and CNSSI 1253. This collaboration takes place in the OpenSCAP/SCAP Security Guide project, with profiles shipping natively in RHEL via the "CS2" baseline.
NISPOM CHAPTER 8
You can find guidance on meeting Chapter 8 requirements in the National Industrial Security Program Operating Manual.
