Compliance Activities and Government Standards

Updated -

COMMON CRITERIA

Common Criteria (CC) is an international standard (ISO/IEC 15408) for certifying computer security software. Using Protection Profiles, computer systems can be secured to certain levels that meet requirements laid out by the Common Criteria. Learn more from the Common Criteria FAQ on the Red Hat Customer Portal.

Product | Release | Level | Protection Profile | Platform | Documents | Status
--- | --- | --- | --- | --- | --- | ---
JBoss Enterprise Application Platform | 7.2 | EAL4+ | -- | | Security Target, Validation Report, Configuration Guide | Evaluated
Red Hat Certificate System | 9.4 | -- | CAPP v2.1 | | Certificate, Security Target, Validation Report, Administrative Guide, Installation Guide; Assurance Continuity Maintenance Update, Assurance Continuity Maintenance Report | Evaluated
Red Hat Virtualization | 4.3 | EAL2+ | -- | | Certification Report, Security Target, Configuration Guide, Administration Guide, Planning and Prerequisites Guide, Product Guide, Technical Reference | Evaluated
Red Hat Enterprise Linux | 8.2 | PP Compliant | OSPP v4.2.1 + SSH EP v1.0 | | Certificate, Security Target, Validation Report, Administrative Guide | Evaluated
Red Hat Enterprise Linux | 8.1 | PP Compliant | OSPP v4.2.1 + SSH EP v1.0 | | Certificate, Security Target, Validation Report, Administrative Guide | Evaluated
Red Hat Enterprise Linux | 7.6 | PP Compliant | OSPP v4.2.1 + SSH EP v1.0 | | Certificate, Security Target, Validation Report, Administrative Guide | Evaluated
Red Hat Enterprise Linux | 7.x | EAL4+ | OSPP v2.0 | Dell (Page 23-24), HP (Page 23-24), IBM (Page 23-24) | Certificate Report, Security Target | Evaluated
Red Hat Enterprise Linux | 7.x | EAL4+ | OSPP v3.9 | Dell, HP, IBM | Certificate Report, Security Target | Evaluated


Common Criteria Certificates Archive: list of historical or end-of-life releases.

FIPS 140-2 and FIPS 140-3

The Federal Information Processing Standards (FIPS) 140-2 and 140-3 ensure that cryptographic modules implement their algorithms correctly. There are a number of FIPS 140-2-related articles in the Red Hat Customer Portal. You'll find a complete list of all FIPS 140-2 and FIPS 140-3 certificates on the NIST CMVP website. The Red Hat certificates are listed below.

A note on applicability: the exact platform and environment tested is specified in the Security Policy for each certificate. The certificates are generally applicable to other Red Hat products as well, provided the same module binaries run there unmodified. FIPS 140 certificates issued to Red Hat are not generally applicable to non-Red Hat products. Please see the Security Policy, available at the links that follow, for specifics. Module binaries may be unchanged across Red Hat Enterprise Linux minor releases; in this case Red Hat reports the same applicable module version and certificate for those releases.

Red Hat Enterprise Linux 9.0

Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate
--- | --- | --- | --- | ---
OpenSSL | TBD | TBD | Implementation Under Test | N/A
Libgcrypt | TBD | TBD | Implementation Under Test | N/A
Kernel Cryptographic API | TBD | TBD | Implementation Under Test | N/A
GnuTLS | TBD | TBD | Implementation Under Test | N/A
NSS | TBD | TBD | Implementation Under Test | N/A


Red Hat Enterprise Linux 8.6

Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate
--- | --- | --- | --- | ---
OpenSSL | TBD | TBD | --- | N/A
Libgcrypt | rhel8.20210628 | libgcrypt-1.8.5-6.el8 | Implementation Under Test | N/A
Kernel Cryptographic API | TBD | TBD | --- | N/A
GnuTLS | rhel8.20210628 | gnutls-3.6.16-4.el8 | Review Pending | N/A
NSS | TBD | TBD | --- | N/A


Red Hat Enterprise Linux 8.5

Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate
--- | --- | --- | --- | ---
OpenSSL | rhel8.20210716 | openssl-1.1.1k-4.el8 or later | Review Pending | N/A
Libgcrypt | rhel8.20210628 | libgcrypt-1.8.5-6.el8 | Implementation Under Test | N/A
Kernel Cryptographic API | rhel8.20211004 | kernel-4.18.0-348.el8 | Review Pending | N/A
GnuTLS | rhel8.20210628 | gnutls-3.6.16-4.el8 | Coordination | N/A
NSS | rhel8.20210708 | nss-3.67.0-6.el8_4 or later | Implementation Under Test | N/A


Red Hat Enterprise Linux 8.4

Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate
--- | --- | --- | --- | ---
OpenSSL | rhel8.20210325 | openssl-1.1.1g-15.el8_3 | Active | #4271
Libgcrypt | rhel8.20200615 | libgcrypt-1.8.5-4.el8 | Coordination | N/A
Kernel Cryptographic API | rhel8.20210614 | kernel-4.18.0-305.7.1.el8_4 | Coordination | N/A
GnuTLS | rhel8.20210401 | gnutls-3.6.14-8.el8_3 | Active | #4272
NSS | rhel8.20201215 | nss-3.53.1-17.el8_3 | Coordination | N/A


Red Hat Enterprise Linux 8.3

Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate
--- | --- | --- | --- | ---
OpenSSL | rhel8.20210325 | openssl-1.1.1g-15.el8_3 | Active | #4271
Libgcrypt | rhel8.20200615 | libgcrypt-1.8.5-4.el8 | Coordination | N/A
Kernel Cryptographic API | rhel8.20210302 | kernel-4.18.0-240.15.1.el8_3 | Active | #4254
GnuTLS | rhel8.20210401 | gnutls-3.6.14-8.el8_3 | Active | #4272
NSS | rhel8.20201215 | nss-3.53.1-17.el8_3 | Coordination | N/A


Red Hat Enterprise Linux 8.2

Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate
--- | --- | --- | --- | ---
OpenSSL | rhel8.20200305.1 | openssl-1.1.1c-15.el8 | Historical | #3842
Libgcrypt | rhel8.20190624 | libgcrypt-1.8.3-4.el8 | Active | #3784
Kernel Cryptographic API | rhel8.20200327 | kernel-4.18.0-193.el8 | Historical | #3918
GnuTLS | rhel8.20191106 | gnutls-3.6.8-9.el8, gmp-6.1.2-10.el8, nettle-3.4.1-1.el8 | Historical | #3956
NSS | rhel8.20200131 | nss-softokn-3.44.0-15.el8 | Active | #3946


Red Hat Enterprise Linux 8.1

Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate
--- | --- | --- | --- | ---
OpenSSL | rhel8.20200305 | openssl-1.1.1c-2.el8_1.1 | Historical | #3781
Libgcrypt | rhel8.20190624 | libgcrypt-1.8.3-4.el8 | Active | #3784
Kernel Cryptographic API | rhel8.20190926 | kernel-4.18.0-147.el8 | Historical | #3794
GnuTLS | rhel8.20190816 | gnutls-3.6.8-8.el8, gmp-6.1.2-10.el8, nettle-3.4.1-1.el8 | Historical | #3813
NSS | rhel8.20190808 | nss-softokn-3.44.0-8.el8 | Historical | #3839


Red Hat Enterprise Linux 7.9

Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate
--- | --- | --- | --- | ---
Kernel Cryptographic API | rhel7.20210526 | kernel-3.10.0-1160.31.1.el7 | Active | #3939


Red Hat Enterprise Linux 7.8

Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate
--- | --- | --- | --- | ---
Kernel Cryptographic API | rhel7.20200812 | kernel-3.10.0-1127.19.1.el7 | Active | #3939


Red Hat Enterprise Linux 7.7

Cryptographic Module | Module Version | Associated Packages | Validation Status | Certificate
--- | --- | --- | --- | ---
OpenSSL | rhel7.20190409 | openssl-1.0.2k-19.el7 | Historical | #3867
Kernel Cryptographic API | rhel7.20200812 | kernel-3.10.0-1127.19.1.el7 | Active | #3939
GnuTLS | 7.0 | gnutls-3.3.29-9.el7_6.x86_64.rpm | Historical | #3571
NSS | rhel7.20190606 | nss-softokn-3.44.0-5.el7 | Active | #3860
OpenSSH Server | rhel7.20190626 | openssh-7.4p1-21.el7 | Historical | #3891
OpenSSH Client | rhel7.20190626 | openssh-7.4p1-21.el7 | Historical | #3892
Libreswan | rhel7.20190509 | libreswan-3.25-4.8.el7_6 | Historical | #3563


Historical due to SP 800-56Arev3 transition: agencies may make a risk determination on whether to continue using this module based on their own assessment of where and how it is used, but it should not be included in new procurements.

FIPS 140-2 and 140-3 Certificates Archive: list of historical or end-of-life releases.

Secure Technical Implementation Guidelines (STIG)

Any DOD system must meet the STIG requirements before it is fielded. Below you'll find a list of guidance documents that can help you meet the STIG requirements. You can now apply STIG requirements with ease using the OpenSCAP tools and the scap-security-guide package for security policies. SCAP is a U.S. standard maintained by the National Institute of Standards and Technology (NIST). The OpenSCAP project is a collection of open source tools for implementing and enforcing this standard, and has been awarded SCAP 1.2 certification by NIST.

Product | Guidance | Status
--- | --- | ---
JBoss Enterprise Application Platform 5 | NIST NVD checklist | Draft
JBoss Enterprise Application Platform 6 | DISA | Released
Red Hat Enterprise Linux 6 | DISA | Released
Red Hat Enterprise Linux 7 | DISA | Released
Red Hat Enterprise Linux 8 | DISA | Released

Criminal Justice Information Services (CJIS)

The CJIS Security Policy contains information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI).

Product | Guidance | Status
--- | --- | ---
Red Hat Enterprise Linux 7 | NIST NVD checklist | Final

US Government Configuration Baseline (USGCB)

The USGCB provides a minimum security configuration for software products. Red Hat has worked closely with various US government agencies on this guidance, which provides an excellent starting point for agency and program-specific guidance.

Product | Content | Status
--- | --- | ---
Red Hat Enterprise Linux 5 | NIST | Draft
Red Hat Enterprise Linux 6 | scap-security-guide | In development
Red Hat Enterprise Linux 7 | DRAFT | Public Draft with NIST

USGv6-r1 TESTED PRODUCT LIST

Listing of USGv6-r1 tested devices for Red Hat, Inc.

Product | Release | Applicability | Test Suites | SDoc
--- | --- | --- | --- | ---
Red Hat Enterprise Linux | 8.4 | Red Hat Enterprise Linux for Real Time 8.4, Red Hat Enterprise Linux CoreOS (8.4 based), Red Hat OpenStack Platform 16.2, Red Hat Virtualization 4.4.6, OpenShift Container Platform 4.8 | Core Interoperability v1.2, Core Conformance v1.1, SLAAC Interoperability v1.2, SLAAC Conformance v1.0, Addr Arch Interoperability v1.1, Addr Arch Conformance v1.0 | SDoc

USGv6 TESTED PRODUCT LIST

Listing of USGv6 tested devices for Red Hat, Inc.

Product | Release | Test Suites | SDoc
--- | --- | --- | ---
Red Hat Enterprise Linux | 8.2 | Basic Interoperability v1.2, Basic Conformance v1.3, SLAAC Interoperability v1.3, SLAAC Conformance v1.2, Addr Arch Interoperability v1.2, Addr Arch Conformance v1.3, ESP Interoperability v1.1 *Notes, ESP Conformance v1.1, IKEv2 Interoperability v2.0 *Notes, IKEv2 Conformance v1.1 *Notes, IPsecv3 Interoperability v1.2 *Notes, IPsecv3 Conformance v1.3 | SDoc
Red Hat Enterprise Linux | 7.1 | Basic Interoperability v1.1, Basic Conformance v1.2, SLAAC Interoperability v1.2, SLAAC Conformance v1.1, Addr Arch Interoperability v1.1, Addr Arch Conformance v1.2, DHCPv6 Server Interoperability v1.0, ESP Interoperability v1.1, ESP Conformance v1.1, DHCPv6 Client Interoperability v1.0, DHCPv6 Client Conformance v1.0, IKEv2 Interoperability v2.0, IKEv2 Conformance v1.1 *Notes, IPsecv3 Interoperability v1.2, IPsecv3 Conformance v1.3 | SDoc

For previous releases or more information, please consult the USGv6 Tested Registry page.

SECTION 508

Section 508 requires that government agencies ensure that their software is accessible by those with disabilities. Red Hat supports these requirements with the completed Voluntary Product Accessibility Templates below.

Product | Version | VPAT
--- | --- | ---
Ansible Core | 2 | Download
Ansible Tower | 3 | Download
Ansible Automation Platform | 1.2 | Download
Ansible Automation Platform | 2 | Download
Red Hat Enterprise Linux | 4 | Download
Red Hat Enterprise Linux | 5 | Download
Red Hat Enterprise Linux | 6 | Download
Red Hat Enterprise Linux | 7 | Download
Red Hat Enterprise Linux | 8 | Download
Red Hat Satellite | 5 | Download
Red Hat Satellite | 6 | Download
Red Hat OpenStack | 10 | Download
Red Hat OpenStack | 11 | Download
Red Hat OpenStack | 12 | Download
Red Hat OpenShift | 3 | Download
Red Hat OpenShift | 4 | Download
Red Hat OpenShift Container Storage | 4 | Download
Red Hat CloudForms | 4.6 | Download
Red Hat CloudForms | 4.7 | Download
Red Hat CloudForms | 5.0 | Download
Red Hat Gluster Storage | 3 | Download
Red Hat Ceph Storage | 2 | Download
Red Hat Ceph Storage | 4 | Download
Red Hat Ceph Storage | 5 | Download
JBoss Enterprise Application Platform | 6 | Download
JBoss Enterprise Application Platform | 7.1 | Download
JBoss Enterprise Application Platform | 7.2 | Download
JBoss Enterprise Application Platform | 7.3 | Download
Red Hat Fuse | 7 | Download
Red Hat AMQ | 7 | Download
Red Hat 3scale API Management | 2.7 | Download
Red Hat Decision Manager | 7.7 | Download
Red Hat Process Automation Manager | 7.7 | Download
Red Hat Advanced Cluster Management for Kubernetes | 2.0 | Download
Red Hat Advanced Cluster Management for Kubernetes | 2.1 | Download
Red Hat Advanced Cluster Management for Kubernetes | 2.2 | Download
Red Hat Advanced Cluster Management for Kubernetes | 2.6 | Download

US ARMY CERTIFICATE OF NETWORTHINESS

Army Networthiness (NW) provides an operational assessment of all systems, applications, and devices to determine supportability, sustainability, interoperability, and compliance with federal, DOD, and Army regulations and mandates. Army Regulation AR 25-1, paragraph 6-3(c), states that all activities must obtain a Certificate of Networthiness (CON) before connecting hardware or software to the LandWarNet (LWN).

The Army NW determines whether an application or system is capable or worthy to go on the Army's enterprise network and helps the Army reach its goal of establishing a standard baseline by establishing and utilizing enterprise license agreements.

NW was developed to prevent unmanaged deployments of software and hardware. It also serves as a way of ensuring that applications and hardware that connect to LWN are interoperable and will not damage other systems on the network by introducing new threats.

Networthiness certification applies to all organizations fielding, using, or managing IT assets on the LandWarNet:

  • All applications (including COTS)
  • All Government Off-the-Shelf (GOTS) software
  • All web services
  • Collaboration tools and services
  • Tactical systems
  • New, legacy, and fielded systems

A list of software with approved CONs is identified on the Army's Networthiness Program website (AKO login required).

FISMA

All federal agencies must comply with the Federal Information Security Management Act (FISMA), and Red Hat works to make that process as simple as possible. FISMA is not a product certification, but rather an evaluation of the entire information system. Red Hat publishes configuration guidance for the NIST 800-53 controls that comprise FISMA Moderate. This is reflected in our USGCB baseline. Reviewing the USGCB content is a great place to start.

FedRAMP

FedRAMP is a variant of the FISMA process for cloud providers and is not a product certification. Just like FISMA, the USGCB content is a great place to start for compliance questions. You may also be interested in talking with your Red Hat account manager about our Certified Cloud Provider Program. Red Hat components have been used in FedRAMP certified offerings, such as:

CSRA's ARC-P Cloud:
Offers FedRAMP High certified IaaS and PaaS, based on Red Hat OpenStack Platform and Red Hat OpenShift v3. Details and certification packages can be found on the GSA FedRAMP Marketplace.

BlackMesh's Secure Cloud:
Offers FedRAMP Moderate certified PaaS, based on Red Hat OpenShift v3. Details and certification packages can be found on the GSA FedRAMP Marketplace.

ICD 503:
Red Hat has collaborated with the National Security Agency to release RHEL configuration guidance against ICD 503 and CNSSI 1253. This collaboration occurs in the OpenSCAP/SCAP Security Guide project, with profiles shipping natively in RHEL via the "CS2" baseline.

NISPOM CHAPTER 8

You can find guidance on meeting Chapter 8 requirements in the National Industrial Security Program Operating Manual.

HIPAA Overview

HIPAA refers to the US Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HIPAA is a United States federal law designed to protect the privacy and security of protected health information (PHI). Covered entities and business associates may ask Red Hat to act as a business associate (as defined by HIPAA) and Red Hat is prepared to act as a business associate with respect to the Red Hat HIPAA-Qualified Online Services offerings listed below. The customer is responsible for its own overall compliance with HIPAA, and it is the customer’s responsibility to understand, assess and comply with its applicable requirements. Please contact your Red Hat sales account representative to enter into a Red Hat Business Associate Agreement, if applicable.

HIPAA Implementation Guide

HIPAA Qualified Online Services
Red Hat OpenShift Dedicated, v. 4 (Only Customer Cloud Subscriptions*)
Red Hat OpenShift Service on AWS (ROSA) v. 4
Red Hat OpenShift Application Programming Interface (API) Manager (RHOAM), v. 1.0 (Only Customer Cloud Subscriptions*)
Red Hat OpenShift Data Foundation (RHODF), v. 4 (Only Customer Cloud Subscriptions*)
Red Hat OpenShift Data Science (RHODS), v. 1 (Only Customer Cloud Subscriptions*)

*These Red Hat HIPAA-Qualified Online Services are limited to “Customer Cloud Subscriptions” which means they are Red Hat Online Services where the customer separately purchases or procures the underlying hosting infrastructure services from a cloud provider.

17 Comments

When will RHEL 8 appear in these?

Especially in STIG?

thanks

RHEL 8 begins common criteria and FIPS testing with RHEL 8.1.

For RHEL 8 baselines, the NIST National Checklist for RHEL 8 was released as part of GA. Available natively in RHEL via the scap-security-guide or from NIST at https://nvd.nist.gov/ncp/checklist/909.

All the US Government baselines for Red Hat can be found on the NIST website as well: https://nvd.nist.gov/ncp/repository?authority=Red+Hat&startIndex=0

Thanks Shawn

Request (when possible) that RHEL 8 info be included with the other versions of Linux within this article.

Regards

RJ

RHCOS is also Common Criteria compliant; can the changes be made for it? Thanks.

RHCOS currently has no plans for Common Criteria certification and does not inherit Common Criteria from RHEL. Interested parties who would like to see RHCOS receive Common Criteria are encouraged to open an RFE through their Red Hat field teams.

Ah my apologies I thought it was compliant after reading OpenShift marketing material, @Shawn Wells thank you for replying with the answer!

Is there a roadmap to release STIG rules for RHCOS?

We have RHEL 7.1 as part of the EAL 4+ certification, which has gone EOL. We are asked by our defense customer to let them know whether we are also doing this for other minor versions of RHEL 7 which are currently in the support period.

As I understand it, we only do it for one minor version of RHEL, say 7.1, and this follows through the subsequent releases of RHEL 7.x. Do we have this in writing for our customer?

(October 27th, 2020) Request update regarding RHEL 8 Linux for this article #2918071. The last update for RHEL 8 Linux is for version 8.1, and 8.2 is out with 8.3 in beta. Oh, I'm told that the link to the Army's website seems to be broken (even with a proper AKO account).

Kind Regards, RJ Hinton

As this page is generally updated when certifications complete, it's somewhat difficult to follow anything that is 'in-process.' For example, on the NIST site, you can see RHEL 7.7, 8.1 and 8.2 are all currently being evaluated for FIPS at this time (i.e. it's in NIST's shop to finish the evaluation). For Common Criteria, the NIAP web site is a bit harder to determine the current state, but RHEL 8.1 is in evaluation by NIAP now with RHEL 8.2 being submitted soon.

Is there any estimation when RHEL 8.2 FIPS 140-2 certification will be validated? I checked on NIST site - Red Hat Enterprise Linux 8 OpenSSL Cryptographic Module is still in "Pending" state.

https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List

Unfortunately, Red Hat can't provide an estimate as the evaluation is pending NIST processing. It's worth noting that NIST has slowed processing of FIPS validation requests for all vendors as they worked on the new FIPS 140-3 standard. We hope that they will be able to return to processing soon.

https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List

FIPS list 12/2020:

* RHEL7 OpenSSH Client Cryptographic Module FIPS 140-2 In Review
* RHEL7 OpenSSH Server Cryptographic Module FIPS 140-2 In Review
* RHEL7 OpenSSL Cryptographic Module FIPS 140-2 In Review
* RHEL8 GnuTLS Cryptographic Module FIPS 140-2 Review Pending
* RHEL8 GnuTLS Cryptographic Module FIPS 140-2 In Review
* RHEL8 Kernel Crypto API Cryptographic Module FIPS 140-2 Review Pending
* RHEL8 Kernel Crypto API Cryptographic Module FIPS 140-2 Coordination
* RHEL8 libgcrypt Cryptographic Module FIPS 140-2 Coordination
* RHEL8 NSS Cryptographic Module FIPS 140-2 Review Pending
* RHEL8 NSS Cryptographic Module FIPS 140-2 In Review
* RHEL8 OpenSSL Cryptographic Module FIPS 140-2 Review Pending
* RHEL8 OpenSSL Cryptographic Module FIPS 140-2 Coordination

Just an update: as you can tell from the list above, progress is being made on both FIPS and Common Criteria certifications for RHEL 8. Two modules have completed for RHEL 8.1 with three more on the way. We hope to be able to announce completion of both FIPS and CC for RHEL 8.1 very soon and will update this page when that announcement is made.

Is there a new RMF certificate for Red Hat 7.x, specifically 7.9? Where can I download this certificate, since the CoNs are no longer used? Thanks.

For those following this page, here are the RHEL 8.3 and 8.4 FIPS validations for OpenSSL and GnuTLS. Both minor releases of RHEL use the same cryptographic modules, so only one validation was needed! Keep following this page for updates on the other modules:

OpenSSL: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4271
GnuTLS: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4272

My customer is asking me if OpenJDK has a VPAT. I don't see one for it. Is OpenJDK something that would need a VPAT?