Red Hat achieves FIPS 140-2 re-certification for Red Hat Enterprise Linux 7

Red Hat Inc., provider of open source solutions, announced on Monday that Red Hat Enterprise Linux 7 has renewed and expanded the Federal Information Processing Standard 140-2 (FIPS 140-2) security certifications from the National Institute of Standards and Technology (NIST).

FIPS 140-2 is a computer security standard that specifies the requirements for cryptographic modules — including both hardware and software components — used within a security system to protect sensitive, but unclassified information.

FIPS 140-1 became a mandatory standard for the protection of sensitive data when the Secretary of Commerce signed the standard on January 11, 1994. FIPS 140-2 supersedes FIPS 140-1 and the standard was signed on May 25, 2001.

FIPS 140-2 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data—in effect the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, then it must be validated.

With the passage of the Federal Information Security Management Act (FISMA) of 2002, there is no longer a statutory provision allowing agencies to waive mandatory FIPS. The waiver provision had been included in the Computer Security Act of 1987, which FISMA supersedes; references to a “waiver process” found in older FIPS publications are therefore no longer operative.

Historically, software running on a FIPS 140-2 validated operating system did not automatically inherit that validation. With this certification, Red Hat says it is the first vendor to provide assurance that its layered products built on Red Hat Enterprise Linux retain the FIPS 140-2 validation of the underlying cryptographic modules.

These solutions include, but are not limited to, Red Hat Ceph Storage, Red Hat CloudForms, Red Hat Enterprise Linux Atomic Host, Red Hat Gluster Storage, Red Hat OpenShift Container Platform, Red Hat OpenStack Platform, Red Hat Satellite and Red Hat Virtualization.

Red Hat Enterprise Linux 7 has achieved FIPS 140-2 re-certification for various modules including GnuTLS Cryptographic Module, Kernel Cryptographic API, Libgcrypt Cryptographic Module, Libreswan Cryptographic Module, NSS Cryptographic Module, OpenSSH Client Cryptographic Module, OpenSSH Server Cryptographic Module and OpenSSL Cryptographic Module.

The certified modules retain FIPS 140-2 certification on hardware configurations including Dell PowerEdge R630 with Processor Algorithm Accelerators (PAA) and Dell PowerEdge R630 without PAA.
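
A validation applies to the named modules only when they run in the tested configuration, which on Red Hat Enterprise Linux 7 means the host is booted in FIPS mode. The article does not cover how to confirm that, so the following POSIX shell script is an added example, not code from the article or from Red Hat. It assumes the RHEL 7 layout: the kernel flag at /proc/sys/crypto/fips_enabled, the fips=1 boot parameter (plus boot=<device> when /boot is a separate partition), the dracut-fips package, and an OpenSSL module that refuses MD5 in FIPS mode. File paths and the command line are passed as parameters so the checks can also be exercised against constructed inputs.

```sh
#!/bin/sh
# Added example (not from the article or Red Hat): sanity-check that a
# RHEL 7 host is running its validated crypto modules in FIPS mode.
# Paths and the kernel command line are parameters so each check can be
# run against constructed inputs as well as the live system.

# Kernel-level FIPS flag: the file holds "1" when the kernel was booted
# with fips=1. Defaults to the live procfs path when no argument is given.
fips_kernel_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$flag_file" ]; then
        return 1
    fi
    if [ "$(cat "$flag_file")" = "1" ]; then
        return 0
    fi
    return 1
}

# Boot command line check: fips=1 must appear as a whole token, so
# "fips=10" or "nofips=1" must not match. Takes the command line as one
# string, e.g. "$(cat /proc/cmdline)".
fips_cmdline_flag() {
    for tok in $1; do
        if [ "$tok" = "fips=1" ]; then
            return 0
        fi
    done
    return 1
}

# With a separate /boot partition the FIPS initramfs also needs boot=<dev>
# to locate the kernel HMAC file; report whether such a token is present.
fips_cmdline_boot_param() {
    for tok in $1; do
        case "$tok" in
            boot=?*) return 0 ;;
        esac
    done
    return 1
}

# dracut-fips provides the boot-time integrity checks of the kernel and
# initramfs. Only meaningful on an rpm-based host.
fips_dracut_installed() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q dracut-fips >/dev/null 2>&1
}

# In FIPS mode the OpenSSL module rejects non-approved digests such as MD5,
# so a successful "openssl md5" means the module is NOT in FIPS mode.
# Returns failure when openssl is absent, since nothing could be verified.
openssl_refuses_md5() {
    command -v openssl >/dev/null 2>&1 || return 1
    if printf 'x' | openssl md5 >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Run every check against the live host; one verdict line per check and a
# non-zero exit status if any required check fails.
fips_report() {
    rc=0
    cmdline="$(cat /proc/cmdline 2>/dev/null)"
    if fips_kernel_enabled; then echo "kernel fips_enabled=1 : ok"
    else echo "kernel fips_enabled=1 : MISSING"; rc=1; fi
    if fips_cmdline_flag "$cmdline"; then echo "fips=1 on cmdline     : ok"
    else echo "fips=1 on cmdline     : MISSING"; rc=1; fi
    if fips_cmdline_boot_param "$cmdline"; then echo "boot= on cmdline      : present"
    else echo "boot= on cmdline      : absent (needed only with a separate /boot)"; fi
    if fips_dracut_installed; then echo "dracut-fips package   : ok"
    else echo "dracut-fips package   : MISSING"; rc=1; fi
    if openssl_refuses_md5; then echo "openssl rejects md5   : ok"
    else echo "openssl rejects md5   : NO (OpenSSL module not in FIPS mode)"; rc=1; fi
    return $rc
}

# Only run the live report when asked, so the file can also be sourced.
if [ "${1:-}" = "--report" ]; then
    fips_report
fi
```

Run it as `sh fips_check.sh --report` on the host being assessed; a clean result only shows that the kernel and OpenSSL are operating in FIPS mode, not that the installed package versions match those on the validation certificates, which still has to be checked against the certificate's listed module versions.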

FIPS 140-2 validation is required by U.S. law when federal information systems use cryptography to protect sensitive government information. To achieve it, a cryptographic module is tested by an independent Cryptographic and Security Testing (CST) laboratory accredited under NIST’s National Voluntary Laboratory Accreditation Program (NVLAP), and the test results are reviewed by the Cryptographic Module Validation Program (CMVP) before a certificate is issued.

The validation for Red Hat Enterprise Linux 7.4 was performed by the atsec information security corporation’s Cryptographic and Security Testing Laboratory in Austin, Texas. Atsec is an independent, internationally recognized organization with experience in IT security standards.

“Confidence that sensitive information is kept secure is of critical importance to every level of government, and a responsibility that Red Hat does not take lightly,” said Paul Smith, senior vice president and general manager, U.S. Public Sector, Red Hat. “We have a long history of providing the U.S. government with robust enterprise open source solutions with strong security capabilities and we are continuing to lead the way with this latest certification. With this announcement, we are pleased to be the first to offer the federal government a NIST validated cryptography that encompasses both the operating system and the layered infrastructure support.”

WWPI – Covering the best in IT since 1980