From FIPS 140-3 to Common Criteria to DISA STIGs, Red Hat is constantly pursuing the next iteration of compliance for our customers. Red Hat’s mission has long been to bring community innovation to enterprise organizations, packaged in a hardened, production-ready form. This isn’t just about packaging and testing, however; we take extra steps to bring these emerging capabilities in-line with some of the most stringent secure computing standards and requirements in the world. Innovation by itself isn’t enough for public sector agencies or the companies that serve these organizations. Instead, open innovation must be paired with a proven commitment driving security-enhanced computing.
This isn’t a one-off effort for Red Hat, nor do we only pursue a single validation at a time. We consider standards compliance as a continuum, with dozens of efforts in flight at any given time. These pursuits take months, if not years, to achieve, especially as platforms grow in complexity and scope. With so many compliance efforts active, we wanted to provide a snapshot of some of these key projects to highlight our continued commitment to enabling secure, compliant computing in the public sector.
Common Criteria
A globally accepted standard, Common Criteria provides assurance that the processes around an IT product, from vendor claims to testing, prove that it truly does meet the needs of security-conscious computing. Red Hat Enterprise Linux (RHEL), the world’s leading enterprise Linux platform, forms the foundation of our Common Criteria efforts. Both RHEL 8.6 and RHEL 9.0 are now certified for Common Criteria, and are posted on the NIAP Product Compliant List. We are currently in the process of planning the next RHEL release to receive Common Criteria certification. We are also extending the hardware platforms that we use for Common Criteria validation by adding IBM Z15 to our RHEL 8.6 certification and IBM Z16 and IBM Power 10 for RHEL 9.0 certification.
Federal Information Processing Standards (FIPS)
FIPS 140-2 and 140-3 provide validation that the cryptographic tools in a given piece of software are implementing their respective algorithms properly. Because many Red Hat products use the same cryptographic binaries, a single certification can carry through to other Red Hat products and product versions with an unmodified binary. Given the wide range of choices that our customers have with RHEL, we will continue to submit versions of both RHEL 8 and RHEL 9 for FIPS review.
For RHEL 8, we also remain committed to both FIPS 140-2 and FIPS 140-3 evaluations, as FIPS 140-2 will continue to be viable until September 21, 2026. The RHEL 8.6 OpenSSL certificate has been issued, and IBM z15, IBM Power 9 and IBM Power 10 have been added as validated hardware for RHEL 8 FIPS certifications. We plan to continue with RHEL 8.8 for FIPS evaluation in the near future, including the update of RHEL 8.6 OpenSSL module.
With RHEL 9, we are focusing on FIPS 140-3. RHEL 9.0 is on the Modules In Process list, while RHEL 9.2 is either on the Implementation Under Test list or submitted and already on the Modules In Process list.
USGv6
USGv6 is the National Institute of Standards and Technology cross-agency effort to provide underlying processes, tools, measurement and more for IPv6 adoption in the U.S. federal government. Even though IPv6 is not specifically a security compliance standard for the US federal government, we are fully committed to achieving this. Both RHEL 8.6 and RHEL 9.0 listed on the USGv6-r1 Product Registry. Our plan is to continue on this listing with both RHEL 8.8 and RHEL 9.2.
DISA STIG
The Defense Information Systems Agency (DISA) provides Secure Technical Implementation Guides (STIGs) for IT components used in sensitive or security-forward computing operations in U.S. federal government and defense agencies. STIGs are an important part of maintaining a more secure IT landscape, and we’re pleased to highlight that DISA published the STIGs for Red Hat Enterprise Linux 9, Red Hat OpenShift, and Red Hat Ansible Automation Platform in 2023. Formal release of this guidance enables customers to begin production deployments of these solutions in sensitive IT environments.
Building towards the next-generation of IT security standards and compliance doesn’t stop at Red Hat. Behind the scenes, we’re constantly testing, analyzing and assessing our code above and beyond the already extensive hardening we do across our hybrid cloud portfolio. Security isn’t a point in time concept for Red Hat, and our work here shows our continued commitment to delivering technologies that comply with an incredibly broad set of critical regulations.
About the author
Tara is a security compliance and risk management enthusiast, working across the organization and with partners to identify and control security risk. Tara joined Red Hat and the private sector in February 2020, after gaining experience as a 10-year federal civilian employee, most recently serving as the Cybersecurity Director and Command Information Security Officer (CISO) for Naval Facilities and Engineering Command (NAVFAC) in Washington, D.C. She has earned academic degrees from the U.S. Naval Academy and the National Defense University. Tara currently resides in Colorado with her husband and daughter where they enjoy their mini farm with dogs, chickens and dwarf goats.
Browse by channel
Automation
The latest on IT automation for tech, teams, and environments
Artificial intelligence
Updates on the platforms that free customers to run AI workloads anywhere
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
The latest on how we reduce risks across environments and technologies
Edge computing
Updates on the platforms that simplify operations at the edge
Infrastructure
The latest on the world’s leading enterprise Linux platform
Applications
Inside our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Customer support
- Developer resources
- Find a partner
- Red Hat Ecosystem Catalog
- Red Hat value calculator
- Documentation
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit