Compliance Activities and Government Standards


COMMON CRITERIA

Common Criteria (CC) is an international standard (ISO/IEC 15408) for certifying computer security software. Using Protection Profiles, computer systems can be secured to certain levels that meet requirements laid out by the Common Criteria. Learn more from the Common Criteria FAQ on the Red Hat Customer Portal.

| PRODUCT | RELEASE | LEVEL | PROTECTION PROFILE | DOCUMENTATION & PLATFORMS | STATUS |
|---|---|---|---|---|---|
| JBoss Enterprise Application Platform | 7.2 | EAL4+ | -- | Security Target, Validation Report, Configuration Guide | Evaluated |
| Red Hat Certificate System | 9.4 | -- | CAPP v2.1 | | Archived |
| Red Hat Virtualization | 4.3 | EAL2+ | -- | Certification Report, Security Target; Configuration Guide, Administration Guide, Planning and Prerequisites Guide, Product Guide, Technical Reference | Evaluated |
| Red Hat Enterprise Linux | 9.0 | PP Compliant | PP_OS_V4.3 + PKG_SSH_V1.0 + PKG_TLS_V1.1 | Intel x86_64 (UEFI), IBM z16 (LPAR), IBM Power 10 (LPAR) | In Evaluation |
| Red Hat Enterprise Linux | 8.6 | PP Compliant | PP_OS_V4.2.1 + PKG_SSH_V1.0 | Dell/Intel, IBM z15 (LPAR) | In Evaluation |
| Red Hat Enterprise Linux | 8.2 | PP Compliant | OSPP v4.2.1 + SSH EP v1.0 | Certificate, Security Target, Validation Report, Administrative Guide | Evaluated |
| Red Hat Enterprise Linux | 8.1 | PP Compliant | OSPP v4.2.1 + SSH EP v1.0 | | Archived |
| Red Hat Enterprise Linux | 7.6 | PP Compliant | OSPP v4.2.1 + SSH EP v1.0 | | Archived |
| Red Hat Enterprise Linux | 7.x | EAL4+ | OSPP v2.0 | Dell, Page 23-24; HP, Page 23-24; IBM, Page 23-24; Certificate Report, Security Target | Archived |
| Red Hat Enterprise Linux | 7.x | EAL4+ | OSPP v3.9 | Dell; HP; IBM; Certificate Report, Security Target | Archived |


Common Criteria Certificates Archive - Historical or End Of Life releases list.

FIPS 140-2 and FIPS 140-3

Federal Information Processing Standards 140-2 and 140-3 ensure that cryptographic tools implement their algorithms properly. There are a number of FIPS 140-2-related articles in the Red Hat Customer Portal. You'll find a complete list of all FIPS 140-2 and FIPS 140-3 certificates at the NIST CMVP website. The Red Hat certificates are below.

A note on applicability: The exact platform and environment tested are specified in the Security Policy for each certificate, though a certificate is generally applicable to other Red Hat products as well where the binary versions of the modules are running unmodified. FIPS 140 certificates issued to Red Hat are not generally applicable to non-Red Hat products. Please see the Security Policy, available at the links that follow, for specifics. Module binaries may be unchanged across Red Hat Enterprise Linux minor releases. In this case Red Hat reports the same applicable module version and certificate for such releases.

Red Hat Enterprise Linux 9.2

| Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate |
|---|---|---|---|---|
| OpenSSL | TBD | openssl-3.0.7-17.el9_2 | Implementation Under Test | N/A |
| Libgcrypt | TBD | libgcrypt-1.10.0-10.el9_2 | Implementation Under Test | N/A |
| Kernel Cryptographic API | TBD | kernel-5.14.0-284.32.1.el9_2 | Implementation Under Test | N/A |
| GnuTLS | TBD | gnutls-3.7.6-21.el9_2 | Implementation Under Test | N/A |
| NSS | TBD | nss-3.90.0-3.el9_2 | Implementation Under Test | N/A |

Red Hat Enterprise Linux 9.0

| Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate |
|---|---|---|---|---|
| OpenSSL | 3.0.1-3f45e68ee408cd9c | openssl-3.0.1-46.el9_0.3 | Review Pending | N/A |
| Libgcrypt | 1.10.0-8b6840b590cedd43 | libgcrypt-1.10.0-10.el9_0 | Review Pending | N/A |
| Kernel Cryptographic API | kernel 5.14.0-70.53.1.el9_0, libkcapi 1.3.1-3.el9 | kernel-5.14.0-70.53.1.el9_0, libkcapi-1.3.1-3.el9, libkcapi-hmaccalc-1.3.1-3.el9 | Review Pending | N/A |
| GnuTLS | 3.7.6-24783cce143f0d36 | gnutls-3.7.6-18.el9_0 | Review Pending | N/A |
| NSS | 4.34.0-a20cd33fbbe14357 | nss-softokn-3.79.0-18.el9_0, nss-softokn-freebl-3.79.0-18.el9_0 | Review Pending | N/A |

Tested on Red Hat Enterprise Linux 9 running on Dell PowerEdge R440 with an Intel(R) Xeon(R) Silver 4216, IBM z16, and IBM Power10

Red Hat Enterprise Linux 8.8

| Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate |
|---|---|---|---|---|
| OpenSSL | TBD | openssl-1.1.1k-9.el8_7 | --- | N/A |
| Libgcrypt | rhel8.20210628 | libgcrypt-1.8.5-7.el8_6 | Active | #4438 |
| Kernel Cryptographic API | TBD | TBD | --- | N/A |

Red Hat Enterprise Linux 8.7

| Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate |
|---|---|---|---|---|
| OpenSSL | TBD | openssl-1.1.1k-9.el8_7 | --- | N/A |
| Libgcrypt | rhel8.20210628 | libgcrypt-1.8.5-7.el8_6 | Active | #4438 |
| GnuTLS | rhel8.20220830 | gnutls-3.6.16-5.el8_6 | Active | #4428 |

Tested on Red Hat Enterprise Linux 8 running on Dell PowerEdge R440 with an Intel(R) Xeon(R) Silver 4216, IBM z15, IBM POWER9 and IBM Power10

Red Hat Enterprise Linux 8.6

| Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate |
|---|---|---|---|---|
| OpenSSL | rhel8.20220323 | openssl-1.1.1k-6.el8_5 | Active | #4642 |
| Libgcrypt | rhel8.20210628 | libgcrypt-1.8.5-7.el8_6 | Active | #4438 |
| Kernel Cryptographic API | kernel 4.18.0-372.52.1.el8_6, libkcapi 1.2.0-2.el8 | kernel-4.18.0-372.52.1.el8_6, libkcapi-1.2.0-2.el8, libkcapi-hmaccalc-1.2.0-2.el8 | Review Pending | N/A |
| GnuTLS | rhel8.20220830 | gnutls-3.6.16-5.el8_6 | Active | #4428 |
| NSS | rhel8.20211124 | nss-3.67.0-7.el8_5 | Active | #4458 |

Tested on Red Hat Enterprise Linux 8 running on Dell PowerEdge R440 with an Intel(R) Xeon(R) Silver 4216, IBM z15, IBM POWER9 and IBM Power10

Red Hat Enterprise Linux 8.5

| Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate |
|---|---|---|---|---|
| OpenSSL | rhel8.20220323 | openssl-1.1.1k-6.el8_5 | Active | #4642 |
| Libgcrypt | rhel8.20210628 | libgcrypt-1.8.5-6.el8 | Updated | N/A |
| Kernel Cryptographic API | rhel8.20211004 | kernel-4.18.0-348.el8 | Active | #4434 |
| NSS | rhel8.20210708 | 3.67.0-6.el8_4 | Updated | N/A |
| GnuTLS | rhel8.20210628 | gnutls-3.6.16-4.el8 | Updated | N/A |


Red Hat Enterprise Linux 8.4

| Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate |
|---|---|---|---|---|
| OpenSSL | rhel8.20210325 | openssl-1.1.1g-15.el8_3 | Active | #4271 |
| Libgcrypt | rhel8.20200615 | libgcrypt-1.8.5-4.el8 | Active | #4397 |
| Kernel Cryptographic API | rhel8.20210614 | kernel-4.18.0-305.7.1.el8_4 | Active | #4384 |
| GnuTLS | rhel8.20210401 | gnutls-3.6.14-8.el8_3 | Active | #4272 |
| NSS | rhel8.20201215 | nss-3.53.1-17.el8_3 | Active | #4413 |


Red Hat Enterprise Linux 7.9

| Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate |
|---|---|---|---|---|
| Kernel Cryptographic API | rhel7.20210526 | kernel-3.10.0-1160.31.1.el7 | Active | #3939 |


Red Hat Enterprise Linux 7.8

| Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate |
|---|---|---|---|---|
| Kernel Cryptographic API | rhel7.20200812 | kernel-3.10.0-1127.19.1.el7 | Active | #3939 |


Red Hat Enterprise Linux 7.7

| Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate |
|---|---|---|---|---|
| OpenSSL | rhel7.20190409 | openssl-1.0.2k-19.el7 | Historical | #3867 |
| Kernel Cryptographic API | rhel7.20200812 | kernel-3.10.0-1127.19.1.el7 | Active | #3939 |
| GnuTLS | 7.0 | gnutls-3.3.29-9.el7_6.x86_64.rpm | Historical | #3571 |
| NSS | rhel7.20190606 | nss-softokn-3.44.0-5.el7 | Active | #4498 |
| OpenSSH Server | rhel7.20190626 | openssh-7.4p1-21.el7 | Historical | #3891 |
| OpenSSH Client | rhel7.20190626 | openssh-7.4p1-21.el7 | Historical | #3892 |
| Libreswan | rhel7.20190509 | libreswan-3.25-4.8.el7_6 | Historical | #3563 |


Historical due to SP 800-56Arev3 transition - Agencies may make a risk determination on whether to continue using this module based on their own assessment of where and how it is used but should not be included in new procurements.

FIPS 140-2 and 140-3 Certificates Archive - Historical or End Of Life releases list.

Secure Technical Implementation Guidelines (STIG)

Any DOD system must meet the STIG requirements before it is fielded. Below you'll find a list of guidance documents that can help you meet the STIG requirements. You can now apply STIG requirements with ease using the OpenSCAP tools and the scap-security-guide package for security policies. SCAP is a U.S. standard maintained by the National Institute of Standards and Technology (NIST). The OpenSCAP project is a collection of open source tools for implementing and enforcing this standard, and has been awarded the SCAP 1.2 certification by NIST.

| PRODUCT | GUIDANCE | STATUS |
|---|---|---|
| JBoss Enterprise Application Platform 5 | NIST NVD checklist | Draft |
| JBoss Enterprise Application Platform 6 | DISA | Released |
| Red Hat Enterprise Linux 6 | DISA | Released |
| Red Hat Enterprise Linux 7 | DISA | Released |
| Red Hat Enterprise Linux 8 | DISA | Released |
| Red Hat Enterprise Linux 9 | DISA | Released |
| Red Hat Openshift Container Platform 4 | DISA | Released |

Criminal Justice Information Services (CJIS)

The CJIS Security Policy contains information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI).

| PRODUCT | GUIDANCE | STATUS |
|---|---|---|
| Red Hat Enterprise Linux 7 | NIST NVD checklist | Final |

US Government Configuration Baseline (USGCB)

The USGCB provides a minimum security configuration for software products. Red Hat has worked closely with various US government agencies on this guidance, which provides an excellent starting point for agency and program-specific guidance.

| PRODUCT | CONTENT | STATUS |
|---|---|---|
| Red Hat Enterprise Linux 5 | NIST | Draft |
| Red Hat Enterprise Linux 6 | scap-security-guide | In development |
| Red Hat Enterprise Linux 7 | DRAFT | Public Draft with NIST |

USGv6-r1 TESTED PRODUCT LIST

Listing of USGv6-r1 tested devices for Red Hat, Inc.

| PRODUCT | RELEASE | APPLICABILITY | TEST SUITES | SDOC |
|---|---|---|---|---|
| Red Hat Enterprise Linux | 9.0 | Red Hat Enterprise Linux for Real Time 9.0 | Core Interoperability v1.3, Core Conformance v1.3, SLAAC Interoperability v1.3, SLAAC Conformance v1.2, Addr Arch Interoperability v1.2, Addr Arch Conformance v1.2, IPsec Interoperability v1.0, IPsec Conformance v1.0 * Notes, IPsec-SHA-512 Interoperability v1.0, IPsec-SHA-512 Conformance v1.0 | SDoc |
| Red Hat Enterprise Linux | 8.6 | Red Hat Enterprise Linux for Real Time 8.6, Red Hat Enterprise Linux CoreOS (8.6 based), Red Hat OpenStack Platform 16.2, Red Hat Virtualization 4.4 SP1, OpenShift Container Platform 4.11 | Core Interoperability v1.4, Core Conformance v1.4, SLAAC Interoperability v1.4, SLAAC Conformance v1.2, Addr Arch Interoperability v1.2, Addr Arch Conformance v1.2 | SDoc |
| Red Hat Enterprise Linux | 8.4 | Red Hat Enterprise Linux for Real Time 8.4, Red Hat Enterprise Linux CoreOS (8.4 based), Red Hat OpenStack Platform 16.2, Red Hat Virtualization 4.4.6, OpenShift Container Platform 4.8 | Core Interoperability v1.2, Core Conformance v1.1, SLAAC Interoperability v1.2, SLAAC Conformance v1.0, Addr Arch Interoperability v1.1, Addr Arch Conformance v1.0 | SDoc |

USGv6 TESTED PRODUCT LIST

Listing of USGv6 tested devices for Red Hat, Inc. Please see SDoc for * Notes.

| PRODUCT | RELEASE | TEST SUITES | SDOC |
|---|---|---|---|
| Red Hat Enterprise Linux | 8.2 | Basic Interoperability v1.2, Basic Conformance v1.3, SLAAC Interoperability v1.3, SLAAC Conformance v1.2, Addr Arch Interoperability v1.2, Addr Arch Conformance v1.3, ESP Interoperability v1.1 *Notes, ESP Conformance v1.1, IKEv2 Interoperability v2.0 *Notes, IKEv2 Conformance v1.1 *Notes, IPsecv3 Interoperability v1.2 *Notes, IPsecv3 Conformance v1.3 | SDoc |
| Red Hat Enterprise Linux | 7.1 | Basic Interoperability v1.1, Basic Conformance v1.2, SLAAC Interoperability v1.2, SLAAC Conformance v1.1, Addr Arch Interoperability v1.1, Addr Arch Conformance v1.2, DHCPv6 Server Interoperability v1.0, ESP Interoperability v1.1, ESP Conformance v1.1, DHCPv6 Client Interoperability v1.0, DHCPv6 Client Conformance v1.0, IKEv2 Interoperability v2.0, IKEv2 Conformance v1.1 *Notes, IPsecv3 Interoperability v1.2, IPsecv3 Conformance v1.3 | SDoc |

For previous releases or more information, please consult the USGv6 Tested Registry page. Please see SDoc for * Notes.

SECTION 508

Section 508 requires that government agencies ensure that their software is accessible by those with disabilities. Red Hat supports these requirements with the completed Accessibility Conformance Reports below.

| PRODUCT | VERSION | ACR |
|---|---|---|
| Ansible Core | 2 | Download |
| Ansible Tower | 3 | Download |
| Ansible Automation Platform | 1.2 | Download |
| Ansible Automation Platform | 2 | Download |
| Red Hat Enterprise Linux | 4 | Download |
| Red Hat Enterprise Linux | 5 | Download |
| Red Hat Enterprise Linux | 6 | Download |
| Red Hat Enterprise Linux | 7 | Download |
| Red Hat Enterprise Linux | 8 | Download |
| Red Hat Enterprise Linux | 9.1 | Download |
| Red Hat Satellite | 5 | Download |
| Red Hat Satellite | 6 | Download |
| Red Hat OpenStack | 10 | Download |
| Red Hat OpenStack | 11 | Download |
| Red Hat OpenStack | 12 | Download |
| Red Hat OpenShift | 3 | Download |
| Red Hat OpenShift | 4 | Download |
| Red Hat OpenShift Container Storage | 4 | Download |
| Red Hat CloudForms | 4.6 | Download |
| Red Hat CloudForms | 4.7 | Download |
| Red Hat CloudForms | 5.0 | Download |
| Red Hat Gluster Storage | 3 | Download |
| Red Hat Ceph Storage | 2 | Download |
| Red Hat Ceph Storage | 4 | Download |
| Red Hat Ceph Storage | 5 | Download |
| JBoss Enterprise Application Platform | 6 | Download |
| JBoss Enterprise Application Platform | 7.1 | Download |
| JBoss Enterprise Application Platform | 7.2 | Download |
| JBoss Enterprise Application Platform | 7.3 | Download |
| JBoss Enterprise Application Platform | 7.4 | Download |
| Red Hat Fuse | 7 | Download |
| Red Hat AMQ | 7 | Download |
| Red Hat 3scale API Management | 2.7 | Download |
| Red Hat Decision Manager | 7.7 | Download |
| Red Hat Process Automation Manager | 7.7 | Download |
| Red Hat Advanced Cluster Management for Kubernetes | 2.0 | Download |
| Red Hat Advanced Cluster Management for Kubernetes | 2.1 | Download |
| Red Hat Advanced Cluster Management for Kubernetes | 2.2 | Download |
| Red Hat Advanced Cluster Management for Kubernetes | 2.6 | Download |

US ARMY CERTIFICATE OF NETWORTHINESS

Army Networthiness (NW) provides an operational assessment of all systems, applications, and devices to determine supportability, sustainability, interoperability, and compliance with federal, DOD, and Army regulations and mandates. Army Regulation AR 25-1, paragraph 6-3(c), states that all activities must obtain a Certificate of Networthiness (CON) before connecting hardware or software to the LandWarNet (LWN).

The Army NW determines whether an application or system is capable or worthy to go on the Army's enterprise network and helps the Army reach its goal of establishing a standard baseline by establishing and utilizing enterprise license agreements.

NW was developed to prevent unmanaged deployments of software and hardware. It also serves as a way of ensuring that applications and hardware that connect to LWN are interoperable and will not damage other systems on the network by introducing new threats.

Networthiness certification applies to all organizations fielding, using, or managing IT assets on the LandWarNet:

  • All applications (including COTS)
  • All Government Off-the-Shelf (GOTS) software
  • All web services
  • Collaboration tools and services
  • Tactical systems
  • New, legacy, and fielded systems

A list of software with approved CONs is identified on the Army's Networthiness Program website.

FISMA

All federal agencies must comply with the Federal Information Security Management Act, and Red Hat works to make that process as simple as possible. FISMA is not a product certification but rather an evaluation of the entire information system. Red Hat publishes configuration guidance for the NIST 800-53 controls that comprise FISMA Moderate. This is reflected in our USGCB baseline. Reviewing the USGCB content is a great place to start.

FedRAMP

FedRAMP is a variant of the FISMA process for cloud providers and is not a product certification. Just like FISMA, USGCB content is a great place to start for compliance questions. You may also be interested in talking with your Red Hat account manager about our Certified Cloud Provider Program. Red Hat components have been used in FedRAMP certified offerings, such as:

CSRA's ARC-P Cloud:
Offers FedRAMP High certified IaaS and PaaS, based off Red Hat OpenStack Platform and Red Hat OpenShift v3. Details and certification packages can be found on the GSA FedRAMP Marketplace.

BlackMesh's Secure Cloud:
Offers FedRAMP Moderate certified PaaS, based off Red Hat OpenShift v3. Details and certification packages can be found on their GSA FedRAMP Marketplace.

ICD 503:
Red Hat has collaborated with the National Security Agency to release RHEL configuration guidance against ICD 503 and CNSSI 1253. This collaboration occurs in the OpenSCAP/SCAP Security Guide project, with profiles shipping natively in RHEL via the "CS2" baseline.

NISPOM CHAPTER 8

You can find guidance on meeting Chapter 8 requirements in the National Industrial Security Program Operating Manual.

HIPAA Overview

HIPAA refers to the US Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HIPAA is a United States federal law designed to protect the privacy and security of protected health information (PHI). Covered entities and business associates may ask Red Hat to act as a business associate (as defined by HIPAA) and Red Hat is prepared to act as a business associate with respect to the Red Hat HIPAA-Qualified Online Services offerings listed below. The customer is responsible for its own overall compliance with HIPAA, and it is the customer’s responsibility to understand, assess and comply with its applicable requirements. Please contact your Red Hat sales account representative to enter into a Red Hat Business Associate Agreement, if applicable.

HIPAA Implementation Guide

HIPAA Qualified Online Services
Red Hat OpenShift Dedicated, v. 4 (Only Customer Cloud Subscriptions*)
Red Hat OpenShift Service on AWS (ROSA) v. 4
Red Hat OpenShift Application Programming Interface (API) Manager (RHOAM), v. 1.0 (Only Customer Cloud Subscriptions*)
Red Hat OpenShift Data Foundation (RHODF), v. 4 (Only Customer Cloud Subscriptions*)
Red Hat OpenShift Data Science (RHODS), v. 1 (Only Customer Cloud Subscriptions*)

*These Red Hat HIPAA-Qualified Online Services are limited to “Customer Cloud Subscriptions” which means they are Red Hat Online Services where the customer separately purchases or procures the underlying hosting infrastructure services from a cloud provider.

Red Hat Security Declaration - DCMS Telecommunications Code of Practice

This document provides Red Hat's security declaration in response to the DCMS Code of Practice Vendor Security Assessment request and an overview of Red Hat’s alignment with the published UK Telecommunications Security Act Code of Practice. This document details how Red Hat implements engineering and security best practices to ensure that we support and conform to the exacting demands for quality, transparency, and partnership of both the Government and the Telecommunications Sector within the UK.
Red Hat Security Declaration - DCMS Telecommunications Code of Practice

Trade Agreements Act (TAA)

The Trade Agreements Act (TAA) of 1979 was enacted to foster fair and open international trade. Under TAA, the products and/or services offered on your GSA Schedule contract are required to be only U.S. made or TAA designated country end products.

Red Hat Enterprise Linux Trade Agreements Act Compliance

Red Hat Product Compliance Offerings Checker

Use Red Hat Product Compliance Offerings Checker to find more information about compliance activities and government standards for Red Hat's products not listed on this page.

24 Comments

When will RHEL 8 appear in these?

Especially in STIG?

thanks

RHEL 8 begins common criteria and FIPS testing with RHEL 8.1.

For RHEL 8 baselines, the NIST National Checklist for RHEL 8 was released as part of GA. Available natively in RHEL via the scap-security-guide or from NIST at https://nvd.nist.gov/ncp/checklist/909.

All the US Government baselines for Red Hat can be found on the NIST website as well: https://nvd.nist.gov/ncp/repository?authority=Red+Hat&startIndex=0

Thanks Shawn

Request (when possible) that RHEL 8 info be included with the other versions of Linux within this article.

Regards

RJ

RHCOS is also Common Criteria compliant; can the changes be made for it? Thanks.

RHCOS currently has no plans for Common Criteria certification and does not inherit Common Criteria from RHEL. Interested parties who would like to see RHCOS receive Common Criteria are encouraged to open an RFE through their Red Hat field teams.

Ah my apologies I thought it was compliant after reading OpenShift marketing material, @Shawn Wells thank you for replying with the answer!

Is there a roadmap to release STIG rules for RHCOS ?

As we have RHEL 7.1 as part of EAL 4+ certification which has gone EOL. We are asked by our defense customer to let us know if we are also doing for other minor versions of RHEL 7 which are currently in the support period?

As I understand that we only do it for one minor version of RHEL say 7.1 this follows through out the subsequent releases of RHEL 7.x. Do we have this in writing for our customer?

(October 27th, 2020) Request update regarding RHEL 8 Linux for this article #2918071. The last update for RHEL 8 Linux is for version 8.1 and 8.2 is out with 8.3 in beta. Oh, I'm told that the link to the Army's website seems to be broken (even with a proper AKO account).

Kind Regards, RJ Hinton

As this page is generally updated when certifications complete, it's somewhat difficult to follow anything that is 'in-process.' For example, on the NIST site, you can see RHEL 7.7, 8.1 and 8.2 are all currently being evaluated for FIPS at this time (i.e. it's in NIST's shop to finish the evaluation). For Common Criteria, the NIAP web site is a bit harder to determine the current state, but RHEL 8.1 is in evaluation by NIAP now with RHEL 8.2 being submitted soon.

Is there any estimation when RHEL 8.2 FIPS 140-2 certification will be validated? I checked on NIST site - Red Hat Enterprise Linux 8 OpenSSL Cryptographic Module is still in "Pending" state.

https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List

Unfortunately, Red Hat can't provide an estimate as the evaluation is pending NIST processing. It's worth noting that NIST has slowed processing of FIPS validation requests for all vendors as they worked on the new FIPS 140-3 standard. We hope that they will be able to return to processing soon.

https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List

Fips list 12/2020
* RHEL7 OpenSSH Client Cryptographic Module FIPS 140-2 In Review
* RHEL7 OpenSSH Server Cryptographic Module FIPS 140-2 In Review
* RHEL7 OpenSSL Cryptographic Module FIPS 140-2 In Review
* RHEL8 GnuTLS Cryptographic Module FIPS 140-2 Review Pending
* RHEL8 GnuTLS Cryptographic Module FIPS 140-2 In Review
* RHEL8 Kernel Crypto API Cryptographic Module FIPS 140-2 Review Pending
* RHEL8 Kernel Crypto API Cryptographic Module FIPS 140-2 Coordination
* RHEL8 libgcrypt Cryptographic Module FIPS 140-2 Coordination
* RHEL8 NSS Cryptographic Module FIPS 140-2 Review Pending
* RHEL8 NSS Cryptographic Module FIPS 140-2 In Review
* RHEL8 OpenSSL Cryptographic Module FIPS 140-2 Review Pending
* RHEL8 OpenSSL Cryptographic Module FIPS 140-2 Coordination

Just an update : as you can tell from the list above, progress is being made on both FIPS and Common Criteria certifications for RHEL 8. Two modules have completed for RHEL 8.1 with three more on the way. We hope to be able to announce completion of both FIPS and CC for RHEL 8.1 very soon and will update this page when that announcement is made.

Is there a new RMF certificate for Redhat 7.x, specifically 7.9? Where can I download this certificate, since the CoNs are no longer used? Thanks.

For those following this page, the RHEL 8.3 and 8.4 FIPS validations for OpenSSL and GNUTLS. Both minor releases of RHEL use the same cryptographic modules, so only one validation needed! Keep following this page for updates on the other modules:

OpenSSL : https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4271 
GnuTLS : https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4272

My customer is asking me if OpenJDK has a VPAT. I don't see one for it. Is OpenJDK something that would need a VPAT?

The web page was updated yesterday and there is a typo in the referral link for gnutls 3.6.16 ... the link says cert 4271 and it should be 4428.

For the FedRAMP section, I wanted to add that IBM Consulting has an excellent fully managed "white glove" OpenShift offering that provides roughly 80% of what customers need for FedRAMP and IL5 and ATO attainment. The offering is called IPS4GRO (IBM Platform Service for Government with Red Hat OpenShift), and provides the capability to have a customizable and fully managed Red Hat OpenShift onto just about any on-prem environment (such as VMware) or into any public cloud such as Azure, AWS, IBM Cloud, Google and more.

Thank you Mike for this post.

Are there any plans for CC certification of RHEL 8.4? I would like to know when you are planning CC certification for RHEL 8.4.

Red Hat had to make a decision to skip RHEL 8.4 Common Criteria and instead target on RHEL 8.6. RHEL 8.6 Common Criteria certification is now listed as "In Evaluation".

This page desperately and urgently needs a change log to help identify updates when they are made. This page should also have the ability to subscribe for updates.

Unfortunately the changelog is internal only and there's no support for public changelog. However, you should be able to subscribe to updates via the bell icon "Follow this content".