Compliance Activities and Government Standards

Updated -

COMMON CRITERIA

Common Criteria (CC) is an international standard (ISO/IEC 15408) for certifying computer security software. Using Protection Profiles, computer systems can be secured to certain levels that meet requirements laid out by the Common Criteria. Learn more from the Common Criteria FAQ on the Red Hat Customer Portal.

PRODUCT RELEASE LEVEL PROTECTION PROFILE DOCUMENTATION & PLATFORMS STATUS
JBoss Enterprise Application Platform 7.2 EAL4+ -- Security Target
Validation Report
Configuration Guide
Evaluated
Red Hat Certificate System 9.4 -- CAPP v2.1 Archived
Red Hat Virtualization 4.3 EAL2+ -- Certification Report, Security Target

Configuration Guide, Administration Guide, Planning and Prerequisites Guide, Product Guide, Technical Reference
Evaluated
Red Hat Enterprise Linux 9.0 PP Compliant PP_OS_V4.3 + PKG_SSH_V1.0 + PKG_TLS_V1.1 Intel x86_64 (UEFI), IBM z16 (LPAR), IBM Power 10 (LPAR)

Certificate
Security Target
Validation Report
Administrative Guide
Evaluated
Red Hat Enterprise Linux 8.6 PP Compliant PP_OS_V4.2.1 + PKG_SSH_V1.0 Dell/Intel, IBM z15 (LPAR)

Certificate
Security Target
Validation Report
Administrative Guide
Evaluated
Red Hat Enterprise Linux 8.2 PP Compliant OSPP v4.2.1 + SSH EP v1.0 Archived
Red Hat Enterprise Linux 8.1 PP Compliant OSPP v4.2.1 + SSH EP v1.0 Archived
Red Hat Enterprise Linux 7.6 PP Compliant OSPP v4.2.1 + SSH EP v1.0 Archived
Red Hat Enterprise Linux 7.x EAL4+ OSPP v2.0 Dell, Page 23-24
HP, Page 23-24
IBM, Page 23-24
Certificate Report, Security Target
Archived
Red Hat Enterprise Linux 7.x EAL4+ OSPP v3.9 Dell
HP
IBM

Certificate Report, Security Target
Archived


Common Criteria Certificates Archive - Historical or End Of Life releases list.

FIPS 140-2 and FIPS 140-3

Federal Information Processing Standard 140-2 and 140-3 ensures that cryptographic tools implement their algorithms properly. There are a number of FIPS 140-2-related articles in the Red Hat Customer Portal. You'll find a complete list of all FIPS 140-2 and FIPS 140-3 certificates at the NIST CMVP website. The Red Hat certificates are below.

A note on applicability: The exact platform and environment tested is specified in the Security Policy for each certificate, though generally applicable to other Red Hat products where the binary versions of modules are running unmodified as well. FIPS 140 certificates issued to Red Hat are not generally applicable to non-Red Hat products. Please see the Security Policy, available at the links that follow, for specifics. Module binaries may be unchanged across Red Hat Enterprise Linux minor releases. In this case Red Hat reports the same applicable module version and certificate for such releases.

Red Hat Enterprise Linux 9.4

Cryptographic Module Module Version Associated Packages Validation Status Certificate
OpenSSL TBD TBD -- N/A
Libgcrypt 1.10.0-8b6840b590cedd43 libgcrypt-1.10.0-10.el9_2 Review Pending as part of Red Hat Enterprise Linux 9.0 submission N/A
Kernel Cryptographic API TBD TBD -- N/A
GnuTLS TBD gnutls-3.8.3-1.el9 -- N/A
NSS TBD TBD -- N/A

Red Hat Enterprise Linux 9.2

Cryptographic Module Module Version Associated Packages Validation Status Certificate
OpenSSL 3.0.7-395c1a240fbfffd8 openssl-3.0.7-18.el9_2 Review Pending N/A
Libgcrypt 1.10.0-8b6840b590cedd43 libgcrypt-1.10.0-10.el9_2 Review Pending as part of Red Hat Enterprise Linux 9.0 submission N/A
Kernel Cryptographic API kernel 5.14.0-284.57.1.el9_2, libkcapi 1.3.1-3.el9 kernel-5.14.0-284.57.1.el9_2, libkcapi-1.3.1-3.el9, libkcapi-hmaccalc-1.3.1-3.el9 Review Pending N/A
GnuTLS 3.7.6-074d015ce201f43 gnutls-3.7.6-21.el9_2.1, nettle-3.8-3.el9_0.x86_64 Review Pending N/A
NSS 3.90.0-4408e3bb8a34af3a nss-3.90.0-6.el9_2 Review Pending N/A

Red Hat Enterprise Linux 9.0

Cryptographic Module Module Version Associated Packages Validation Status Certificate
OpenSSL 3.0.1-3f45e68ee408cd9c openssl-3.0.1-46.el9_0.3 Review Pending (Resubmitted for Interim Validation) N/A
Libgcrypt 1.10.0-8b6840b590cedd43 libgcrypt-1.10.0-10.el9_0 Review Pending N/A
Kernel Cryptographic API kernel 5.14.0-70.53.1.el9_0, libkcapi 1.3.1-3.el9 kernel-5.14.0-70.53.1.el9_0, libkcapi-1.3.1-3.el9, libkcapi-hmaccalc-1.3.1-3.el9 Review Pending N/A
GnuTLS 3.7.6-24783cce143f0d36 gnutls-3.7.6-18.el9_0 Review Pending N/A
NSS 4.34.0-a20cd33fbbe14357 nss-softokn-3.79.0-18.el9_0, nss-softokn-freebl-3.79.0-18.el9_0 Review Pending N/A

Tested on Red Hat Enterprise Linux 9 running on Dell PowerEdge R440 with an Intel(R) Xeon(R) Silver 4216, IBM z16, and IBM Power10

Red Hat Enterprise Linux 8.10

Cryptographic Module Module Version Associated Packages Validation Status Certificate
OpenSSL TBD openssl-1.1.1k-12.el8_9 Scenario 3A revalidation testing N/A
Kernel Cryptographic API TBD TBD --- N/A
Libgcrypt rhel8.20210628 libgcrypt-1.8.5-7.el8_6 Active #4438

Red Hat Enterprise Linux 8.9

Cryptographic Module Module Version Associated Packages Validation Status Certificate
OpenSSL TBD openssl-1.1.1k-12.el8_9 Scenario 3A revalidation testing N/A
Libgcrypt rhel8.20210628 libgcrypt-1.8.5-7.el8_6 Active #4438

Red Hat Enterprise Linux 8.8

Cryptographic Module Module Version Associated Packages Validation Status Certificate
OpenSSL TBD openssl-1.1.1k-12.el8_8 Scenario 3A revalidation testing N/A
Libgcrypt rhel8.20210628 libgcrypt-1.8.5-7.el8_6 Active #4438
Kernel Cryptographic API TBD TBD Implementation Under Test N/A
NSS TBD nss-3.90.0-6.el8_8 Implementation Under Test N/A
GnuTLS gnutls-3.6.16-7.el8_8.3 Scenario 3A revalidation testing N/A

Red Hat Enterprise Linux 8.7

Cryptographic Module Module Version Associated Packages Validation Status Certificate
Libgcrypt rhel8.20210628 libgcrypt-1.8.5-7.el8_6 Active #4438
GnuTLS rhel8.20220830 gnutls-3.6.16-5.el8_6 Active #4428

Tested on Red Hat Enterprise Linux 8 running on Dell PowerEdge R440 with an Intel(R) Xeon(R) Silver 4216, IBM z15, IBM POWER9 and IBM Power10

Red Hat Enterprise Linux 8.6

Cryptographic Module Module Version Associated Packages Validation Status Certificate
OpenSSL rhel8.20220323 openssl-1.1.1k-6.el8_5 Active #4642
OpenSSL TBD openssl-1.1.1k-12.el8_6 Scenario 3A revalidation testing N/A
Libgcrypt rhel8.20210628 libgcrypt-1.8.5-7.el8_6 Active #4438
Kernel Cryptographic API kernel 4.18.0-372.52.1.el8_6, libkcapi 1.2.0-2.el8 kernel-4.18.0-372.52.1.el8_6, libkcapi-1.2.0-2.el8, libkcapi-hmaccalc-1.2.0-2.el8 Review Pending N/A
GnuTLS rhel8.20220830 gnutls-3.6.16-4.el8_6 Active #4428
NSS rhel8.20211124 nss-3.67.0-7.el8_5 Active #4458

Tested on Red Hat Enterprise Linux 8 running on Dell PowerEdge R440 with an Intel(R) Xeon(R) Silver 4216, IBM z15, IBM POWER9 and IBM Power10

Red Hat Enterprise Linux 8.5

Cryptographic Module Module Version Associated Packages Validation Status Certificate
OpenSSL rhel8.20220323 openssl-1.1.1k-6.el8_5 Active #4642
Libgcrypt rhel8.20210628 libgcrypt-1.8.5-6.el8 Updated N/A
Kernel Cryptographic API rhel8.20211004 kernel-4.18.0-348.el8 Active #4434
NSS rhel8.20210708 3.67.0-6.el8_4 Updated N/A
GnuTLS rhel8.20210628 gnutls-3.6.16-4.el8 Updated N/A


Red Hat Enterprise Linux 8.4

Cryptographic Module Module Version Associated Packages Validation Status Certificate
OpenSSL rhel8.20210325 openssl-1.1.1g-15.el8_3 Active #4271
Libgcrypt rhel8.20200615 libgcrypt-1.8.5-4.el8 Active #4397
Kernel Cryptographic API rhel8.20210614 kernel-4.18.0-305.7.1.el8_4 Active #4384
GnuTLS rhel8.20210401 gnutls-3.6.14-8.el8_3 Active #4272
NSS rhel8.20201215 nss-3.53.1-17.el8_3 Active #4413


Red Hat Enterprise Linux 7.9

Cryptographic Module Module Version Associated Packages Validation Status Certificate
Kernel Cryptographic API rhel7.20210526 kernel-3.10.0-1160.31.1.el7 Active #3939


Red Hat Enterprise Linux 7.8

Cryptographic Module Module Version Associated Packages Validation Status Certificate
Kernel Cryptographic API rhel7.20200812 kernel-3.10.0-1127.19.1.el7 Active #3939


Red Hat Enterprise Linux 7.7

Cryptographic Module Module Version Associated Packages Validation Status Certificate
OpenSSL rhel7.20190409 openssl-1.0.2k-19.el7 Historical #3867
Kernel Cryptographic API rhel7.20200812 kernel-3.10.0-1127.19.1.el7 Active #3939
GnuTLS 7.0 gnutls-3.3.29-9.el7_6.x86_64.rpm Historical #3571
NSS rhel7.20190606 nss-softokn-3.44.0-5.el7 Active #4498
OpenSSH Server rhel7.20190626 openssh-7.4p1-21.el7 Historical #3891
OpenSSH Client rhel7.20190626 openssh-7.4p1-21.el7 Historical #3892
Libreswan rhel7.20190509 libreswan-3.25-4.8.el7_6 Historical #3563


Historical due to SP 800-56Arev3 transition - Agencies may make a risk determination on whether to continue using this module based on their own assessment of where and how it is used but should not be included in new procurements.

FIPS 140-2 and 140-3 Certificates Archive - Historical or End Of Life releases list.

Secure Technical Implementation Guidelines (STIG)

Any DOD system must meet the STIG requirements before they are fielded. Below you'll find a list of guidance documents that can help you meet the STIG requirements. You can now apply STIG requirements with ease using the OpenSCAP tools and the scap-security-guide package for security policies. SCAP is U.S. standard maintained by National Institute of Standards and Technology (NIST). The OpenSCAP project is a collection of open source tools for implementing and enforcing this standard, and has been awarded the SCAP 1.2 certification by NIST.

PRODUCT GUIDANCE STATUS
JBoss Enterprise Application Platform 5 NIST NVD checklist Draft
JBoss Enterprise Application Platform 6 DISA Released
Red Hat Enterprise Linux 6 DISA Released
Red Hat Enterprise Linux 7 DISA Released
Red Hat Enterprise Linux 8 DISA Released
Red Hat Enterprise Linux 9 DISA Released
Red Hat Openshift Container Platform 4 DISA Released

Criminal Justice Information Services (CJIS)

The CJIS Security Policy contains information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI).

PRODUCT GUIDANCE STATUS
Red Hat Enterprise Linux 7 NIST NVD checklist Final

US Government Configuration Baseline (USGCB)

The USGCB provides a minimum security configuration for software products. Red Hat has worked closely with various US government agencies on this guidance, which provides an excellent starting point for agency and program-specific guidance.

PRODUCT CONTENT STATUS
Red Hat Enterprise Linux 5 NIST Draft
Red Hat Enterprise Linux 6 scap-security-guide In development
Red Hat Enterprise Linux 7 DRAFT Public Draft with NIST

USGv6-r1 TESTED PRODUCT LIST

Listing of USGv6-r1 tested devices for Red Hat, Inc.

PRODUCT RELEASE APPLICABILITY TEST SUITES SDOC
Red Hat Enterprise Linux 9.2 Red Hat Enterprise Linux for Real Time 9.2 Core Interoperability v1.4, Core Conformance v1.4, SLAAC Interoperability v1.4, SLAAC Conformance v1.2, Addr Arch Interoperability v1.2, Addr Arch Conformance v1.2, IPsec Interoperability v1.0, IPsec Conformance v1.0 * Notes, IPsec-SHA-512 Interoperability v1.0, IPsec-SHA-512 Conformance v1.0 SDoc
Red Hat Enterprise Linux 9.0 Red Hat Enterprise Linux for Real Time 9.0 Core Interoperability v1.3, Core Conformance v1.3, SLAAC Interoperability v1.3, SLAAC Conformance v1.2, Addr Arch Interoperability v1.2, Addr Arch Conformance v1.2, IPsec Interoperability v1.0, IPsec Conformance v1.0 * Notes, IPsec-SHA-512 Interoperability v1.0, IPsec-SHA-512 Conformance v1.0 SDoc
Red Hat Enterprise Linux 8.6 Red Hat Enterprise Linux for Real Time 8.6, Red Hat Enterprise Linux CoreOS (8.6 based), Red Hat OpenStack Platform 16.2, Red Hat Virtualization 4.4 SP1, OpenShift Container Platform 4.11 Core Interoperability v1.4, Core Conformance v1.4, SLAAC Interoperability v1.4, SLAAC Conformance v1.2, Addr Arch Interoperability v1.2, Addr Arch Conformance v1.2 SDoc
Red Hat Enterprise Linux 8.4 Red Hat Enterprise Linux for Real Time 8.4, Red Hat Enterprise Linux CoreOS (8.4 based), Red Hat OpenStack Platform 16.2, Red Hat Virtualization 4.4.6, OpenShift Container Platform 4.8 Core Interoperability v1.2, Core Conformance v1.1, SLAAC Interoperability v1.2, SLAAC Conformance v1.0, Addr Arch Interoperability v1.1, Addr Arch Conformance v1.0 SDoc

USGv6 TESTED PRODUCT LIST

Listing of USGv6 tested devices for Red Hat, Inc. Please see SDoc for * Notes.

PRODUCT RELEASE TEST SUITES SDOC
Red Hat Enterprise Linux 8.2 Basic Interoperability v1.2, Basic Conformance v1.3, SLAAC Interoperability v1.3, SLAAC Conformance v1.2, Addr Arch Interoperability v1.2, Addr Arch Conformance v1.3, ESP Interoperability v1.1 *Notes, ESP Conformance v1.1, IKEv2 Interoperability v2.0 *Notes, IKEv2 Conformance v1.1 *Notes, IPsecv3 Interoperability v1.2 *Notes, IPsecv3 Conformance v1.3 SDoc
Red Hat Enterprise Linux 7.1 Basic Interoperability v1.1, Basic Conformance v1.2, SLAAC Interoperability v1.2, SLAAC Conformance v1.1, Addr Arch Interoperability v1.1, Addr Arch Conformance v1.2, DHCPv6 Server Interoperability v1.0, ESP Interoperability v1.1, ESP Conformance v1.1, DHCPv6 Client Interoperability v1.0, DHCPv6 Client Conformance v1.0, IKEv2 Interoperability v2.0, IKEv2 Conformance v1.1 *Notes, IPsecv3 Interoperability v1.2, IPsecv3 Conformance v1.3 SDoc

For previous releases or more information, please consult the USGv6 Tested Registry page. Please see SDoc for * Notes.

SECTION 508

Section 508 requires that government agencies ensure that their software is accessible by those with disabilities. Red Hat supports these requirements with the completed Accessibility Conformance Reports below.

PRODUCT VERSION ACR
Ansible Core 2 Download
Ansible Tower 3 Download
Ansible Automation Platform 1.2 Download
Ansible Automation Platform 2 Download
Red Hat Enterprise Linux 4 Download
Red Hat Enterprise Linux 5 Download
Red Hat Enterprise Linux 6 Download
Red Hat Enterprise Linux 7 Download
Red Hat Enterprise Linux 8 Download
Red Hat Enterprise Linux 9.1 Download
Red Hat Satellite 5 Download
Red Hat Satellite 6 Download
Red Hat OpenStack 10 Download
Red Hat OpenStack 11 Download
Red Hat OpenStack 12 Download
Red Hat OpenShift 3 Download
Red Hat OpenShift 4.4 Download
Red Hat OpenShift 4.14 Download
Red Hat OpenShift Container Storage 4 Download
Red Hat CloudForms 4.6 Download
Red Hat CloudForms 4.7 Download
Red Hat CloudForms 5.0 Download
Red Hat Gluster Storage 3 Download
Red Hat Ceph Storage 2 Download
Red Hat Ceph Storage 4 Download
Red Hat Ceph Storage 5 Download
JBoss Enterprise Application Platform 6 Download
JBoss Enterprise Application Platform 7.1 Download
JBoss Enterprise Application Platform 7.2 Download
JBoss Enterprise Application Platform 7.3 Download
JBoss Enterprise Application Platform 7.4 Download
JBoss Enterprise Application Platform 8 Download
Red Hat Fuse 7 Download
Red Hat AMQ 7 Download
Red Hat 3scale API Management 2.7 Download
Red Hat Decision Manager 7.7 Download
Red Hat Process Automation Manager 7.7 Download
Red Hat Advanced Cluster Management for Kubernetes 2.0 Download
Red Hat Advanced Cluster Management for Kubernetes 2.1 Download
Red Hat Advanced Cluster Management for Kubernetes 2.2 Download
Red Hat Advanced Cluster Management for Kubernetes 2.6 Download

US ARMY CERTIFICATE OF NETWORTHINESS

Army Networthiness (NW) provides an operational assessment of all systems, applications, and devices to determine supportability, sustainability, interoperability, and compliance with federal, DOD, and Army regulations and mandates. Army Regulation AR 25-1, paragraph 6-3(c), states that all activities must obtain a Certificate of Networthiness (CON) before connecting hardware or software to the LandWarNet (LWN).

The Army NW determines whether an application or system is capable or worthy to go on the Army's enterprise network and helps the Army reach its goal of establishing a standard baseline by establishing and utilizing enterprise license agreements.

NW was developed to prevent unmanaged deployments of software and hardware. It also serves as a way of ensuring that applications and hardware that connect to LWN are interoperable and will not damage other systems on the network by introducing new threats.

Networthiness certification applies to all organizations fielding, using, or managing IT assets on the LandWarNet:

  • All applications (including COTS)
  • All Government Off-the-Shelf (GOTS) software
  • All web services
  • Collaboration tools and services
  • Tactical systems
  • New, legacy, and fielded systems

A list of software with approved CONs is identified on the Army's Networthiness Program. website.

FISMA

All federal agencies must comply with the Federal Information Security Management Act and Red Hat works to make that process as simple as possible. FISMA is not a product certification, rather an evaluation of the entire information system. Red Hat publishes configuration guidance for the NIST 800-53 controls that compromise FISMA Moderate. This is reflected in our USGCB baseline. Reviewing the USGCB content is a great place to start.

FedRAMP

FedRAMP is a variant of the FISMA process for cloud providers and is not a product certification. Just like FISMA, USGCB content is a great place to start for compliance questions. You may also be interested in talking with your Red Hat account manager about our Certified Cloud Provider Program. Red Hat components have been used in FedRAMP certified offerings, such as:

CSRA's ARC-P Cloud:
Offers FedRAMP High certified IaaS and PaaS, based off Red Hat OpenStack Platform and Red Hat OpenShift v3. Details and certification packages can be found on the GSA FedRAMP Marketplace.

BlackMesh's Secure Cloud:
Offers FedRAMP Moderate certified PaaS, based off Red Hat OpenShift v3. Details and certification packages can be found on their GSA FedRAMP Marketplace.

ICD 503:
Red Hat has collaborated with the National Security Agency to release RHEL configuration guidance against ICD 503 and CNSSI 1253. This collaboration occurs in the OpenSCAP/SCAP Security Guide project, with profiles shipping natively in RHEL via the "CS2" baseline

NISPOM CHAPTER 8

You can find guidance on meeting Chapter 8 requirements in the National Industrial Security Program Operating Manual.

HIPAA Overview

HIPAA refers to the US Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HIPAA is a United States federal law designed to protect the privacy and security of protected health information (PHI). Covered entities and business associates may ask Red Hat to act as a business associate (as defined by HIPAA) and Red Hat is prepared to act as a business associate with respect to the Red Hat HIPAA-Qualified Online Services offerings listed below. The customer is responsible for its own overall compliance with HIPAA, and it is the customer’s responsibility to understand, assess and comply with its applicable requirements. Please contact your Red Hat sales account representative to enter into a Red Hat Business Associate Agreement, if applicable.

HIPAA Implementation Guide

HIPAA Qualified Online Services
Red Hat OpenShift Dedicated, v. 4 (Only Customer Cloud Subscriptions*)
Red Hat OpenShift Service on AWS (ROSA) v. 4
Red Hat OpenShift Application Programming Interface (API) Manager (RHOAM), v. 1.0 (Only Customer Cloud Subscriptions*)
Red Hat OpenShift Data Foundation (RHODF), v. 4 (Only Customer Cloud Subscriptions*)
Red Hat OpenShift Data Science (RHODS), v. 1 (Only Customer Cloud Subscriptions*)

*These Red Hat HIPAA-Qualified Online Services are limited to “Customer Cloud Subscriptions” which means they are Red Hat Online Services where the customer separately purchases or procures the underlying hosting infrastructure services from a cloud provider.

Red Hat Security Declaration - DCMS Telecommunications Code of Practice

This document provides Red Hat security declaration in response to the DCMS Code of Practice Vendor Security Assessment request and an overview of Red Hat’s alignment with the published UK Telecommunications Security Act Code of Practice. This document details how Red Hat implements engineering and security best practices to ensure that we support and conform to the exacting demands for quality, transparency, and partnership of both the Government and the Telecommunications Sector within the UK.
Red Hat Security Declaration - DCMS Telecommunications Code of Practice

Trade Agreements Act (TAA)

The Trade Agreements Act (TAA) of 1979 was enacted to foster fair and open international trade. Under TAA, the products and/or services offered on your GSA Schedule contract are required to be only U.S. made or TAA designated country end products.

All commercial products sold in the U.S. are considered a U.S. made end product, a designated country end product, a Caribbean Basin country end product, a Canadian end product or a Mexican end product as defined in the clause entitled “Trade Agreements Act” FAR 52.225-5.

If you have any questions, please contact Legal at NAPS-Legal@redhat.com.

Red Hat Product Compliance Offerings Checker

Use Red Hat Product Compliance Offerings Checker to find more information about compliance activities and government standards for Red Hat's products not listed on this page.

Comments