FIPS 140 Lifecycle Support Statement

Compliance with FedRAMP’s FIPS 140 requirements

FIPS 140 review

Red Hat is dedicated to information assurance and complying with standards for our products and services. FIPS 140 is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules. FIPS publications (including 140-3) can be found at the following link.

FIPS 140-2

  • Red Hat Enterprise Linux 8.6 with OpenShift Container Platform (4.11 and 4.12) uses a FIPS 140-2 validated OpenSSL Cryptographic Module. See the article on Enabling FIPS Mode. Red Hat Enterprise Linux 8.6 with OpenShift Container Platform 4.12 will continue to be supported until 2026.
  • By mid-2025, Red Hat intends to provide a migration path and another release of Red Hat Enterprise Linux that is FIPS 140-3 validated.

Transition to FIPS 140-3

  • Red Hat intends to submit the Red Hat Enterprise Linux 9.2 OpenSSL Cryptographic Module with OpenShift Container Platform (4.14) for FIPS 140-3 validation by the end of 2023. We expect the OpenSSL module for Red Hat Enterprise Linux 9.2 to achieve FIPS 140-3 validation no later than Q4 2025, enabling customer migration from one FIPS validated software version to the next (OpenShift Container Platform 4.12 to OpenShift Container Platform 4.14). Red Hat commits to enabling customers to operate for three years on OpenShift Container Platform 4.14, and then enabling a one-year migration period to the next FIPS validated version of OpenShift Container Platform. This will extend the lifecycle for OpenShift Container Platform 4.14 through 2029 for Red Hat’s customers that require FIPS 140 compliance.
  • Red Hat provides transparency on all of its FIPS activities on our Compliance Activities and Government Standards page.
