Is Red Hat OpenShift Container Platform compliant with IEC 62443-SL3?

Environment

  • Red Hat OpenShift Container Platform 4.x

Issue

  • Does Red Hat OpenShift Container Platform meet the security specifications of the IEC 62443-SL3 regulatory or security framework?

Resolution

  • Red Hat usually does not provide certification for platforms, since certification depends on how customers deploy the software in the field. Red Hat can, however, help in the certification process with the Compliance Operator and the Red Hat Advanced Cluster Security compliance module, using existing standard profiles such as FedRAMP, PCI-DSS and CIS Benchmark.

  • Products generally cannot be certified for individual frameworks; instead, individual deployments are certified.

  • The majority of regulatory frameworks include both technical controls and process controls. Process controls include items such as people management (screening), upgrade management, management of security information and event management (SIEM) systems, and many more.

    • For self-managed Red Hat OpenShift Container Platform, these processes are provided by the customer and are outside of Red Hat’s control. However, customers can use the Compliance Operator to check for compliance with the applicable controls of the specific standard.
      Note: Standards are often written for general purposes and are not technology specific. Here, "applicable controls" means technical controls that can be addressed with Red Hat OpenShift Container Platform or Red Hat CoreOS configurations. Once the applicable technical controls are identified, they can often be audited by a Compliance Operator profile.

    • For Red Hat managed services, the service's team is responsible for the majority of such processes and works with outside auditing firms to ensure those processes meet the requirements of specific frameworks.

NOTE: Common Criteria certification is an exception and can be applied to a specific version of a specific product. However, the Common Criteria process takes too long, so only RHEL is submitted for Common Criteria certification. If Red Hat OpenShift Container Platform were submitted for Common Criteria certification, that version of OpenShift would likely be out of support by the time certification was received.
