Bridging innovation and standards compliance: Red Hat’s drive towards the next-generation of government computing standards

From FIPS 140-3 to Common Criteria to DISA STIGs, Red Hat is constantly pursuing the next iteration of compliance for our customers. Red Hat’s mission has long been to bring community innovation to enterprise organizations, packaged in a hardened, production-ready form. This isn’t just about packaging and testing, however; we take extra steps to bring these emerging capabilities in-line with some of the most stringent secure computing standards and requirements in the world. Innovation by itself isn’t enough for public sector agencies or the companies that serve these organizations. Instead, open innovation must be paired with a proven commitment driving security-enhanced computing.

This isn’t a one-off effort for Red Hat, nor do we only pursue a single validation at a time. We consider standards compliance as a continuum, with dozens of efforts in flight at any given time. These pursuits take months, if not years, to achieve, especially as platforms grow in complexity and scope. With so many compliance efforts active, we wanted to provide a snapshot of some of these key projects to highlight our continued commitment to enabling secure, compliant computing in the public sector.

Common Criteria

A globally accepted standard, Common Criteria provides assurance that the processes around an IT product, from vendor claims to testing, prove that it truly does meet the needs of security-conscious computing. Red Hat Enterprise Linux (RHEL), the world’s leading enterprise Linux platform, forms the foundation of our Common Criteria efforts. Both RHEL 8.6 and RHEL 9.0 are now certified for Common Criteria, and are posted on the NIAP Product Compliant List. We are currently in the process of planning the next RHEL release to receive Common Criteria certification. We are also extending the hardware platforms that we use for Common Criteria validation by adding IBM Z15 to our RHEL 8.6 certification and IBM Z16 and IBM Power 10 for RHEL 9.0 certification.

Federal Information Processing Standards (FIPS)

FIPS 140-2 and 140-3 provide validation that the cryptographic tools in a given piece of software are implementing their respective algorithms properly. Because many Red Hat products use the same cryptographic binaries, a single certification can carry through to other Red Hat products and product versions with an unmodified binary. Given the wide range of choices that our customers have with RHEL, we will continue to submit versions of both RHEL 8 and RHEL 9 for FIPS review.

For RHEL 8, we also remain committed to both FIPS 140-2 and FIPS 140-3 evaluations, as FIPS 140-2 will continue to be viable until September 21, 2026. The RHEL 8.6 OpenSSL certificate has been issued, and IBM z15, IBM Power 9 and IBM Power 10 have been added as validated hardware for RHEL 8 FIPS certifications. We plan to continue with RHEL 8.8 for FIPS evaluation in the near future, including the update of RHEL 8.6 OpenSSL module.

With RHEL 9, we are focusing on FIPS 140-3. RHEL 9.0 is on the Modules In Process list, while RHEL 9.2 is either on the Implementation Under Test list or submitted and already on the Modules In Process list.

USGv6

USGv6 is the National Institute of Standards and Technology cross-agency effort to provide underlying processes, tools, measurement and more for IPv6 adoption in the U.S. federal government. Even though IPv6 is not specifically a security compliance standard for the US federal government, we are fully committed to achieving this. Both RHEL 8.6 and RHEL 9.0 listed on the USGv6-r1 Product Registry. Our plan is to continue on this listing with both RHEL 8.8 and RHEL 9.2.

DISA STIG

The Defense Information Systems Agency (DISA) provides Secure Technical Implementation Guides (STIGs) for IT components used in sensitive or security-forward computing operations in U.S. federal government and defense agencies. STIGs are an important part of maintaining a more secure IT landscape, and we’re pleased to highlight that DISA published the STIGs for Red Hat Enterprise Linux 9, Red Hat OpenShift, and Red Hat Ansible Automation Platform in 2023. Formal release of this guidance enables customers to begin production deployments of these solutions in sensitive IT environments.

Building towards the next-generation of IT security standards and compliance doesn’t stop at Red Hat. Behind the scenes, we’re constantly testing, analyzing and assessing our code above and beyond the already extensive hardening we do across our hybrid cloud portfolio. Security isn’t a point in time concept for Red Hat, and our work here shows our continued commitment to delivering technologies that comply with an incredibly broad set of critical regulations.