JBoss Enterprise Application Platform 4.3 has achieved Common Criteria certification at Evaluation Assurance Level (EAL) 2+ (augmented for flaw remediation). This marks the first Common Criteria certification for JBoss Enterprise Middleware, giving government agencies and other security-conscious organizations a new choice for enterprise Java applications. JBoss Enterprise Application Platform 4.3 is Red Hat's premier Java application platform solution; it also forms the foundation for JBoss Enterprise Portal Platform and JBoss Enterprise Service Oriented Architecture (SOA) Platform, and is included with JBoss Enterprise Business Rules Management System (BRMS). Customers can now deploy JBoss Enterprise Application Platform 4.3 with the added confidence that they meet the security standards set forth through Common Criteria.
Red Hat is committed to providing secure and stable software that can be easily used in security-sensitive environments. Red Hat's enterprise software includes extensive security tools and features.
Red Hat Enterprise Linux is the most certified operating system available today. Through its history, Red Hat Enterprise Linux has passed the Common Criteria process 12 times on four different hardware platforms. Red Hat Enterprise Linux 5 has even received Common Criteria certification at Evaluation Assurance Level 4 (EAL 4+) under the Controlled Access Protection Profile (CAPP), the Labeled Security Protection Profile (LSPP) and the Role-Based Access Control Protection Profile (RBACPP), providing a level of security and a feature set that was previously unheard-of from a mainstream operating system.
Red Hat's JBoss Enterprise Middleware solutions include support for common middleware security standards. Additionally, JBoss Enterprise Application Platform is the only open source application server to seek Common Criteria certification (EAL 2+) and certification for MetaMatrix Data Services Platform is currently underway.
RHEL 5.2 is now officially on the DISA Approved Products List for IPv6. The Department of Defense has mandated that IT systems move towards IPv6 while maintaining IPv4 (the currently more common network stack) for compatibility. Only four operating systems, including RHEL, have gone through the certification process: Vista, Solaris 10, SLES 10 SP2, and RHEL 5.2. For more information, go to: http://jitc.fhu.disa.mil/apl/ipv6.html#apl.
For US Department of Defense customers, Red Hat Government can provide simple tools to meet the DISA STIG requirements. Red Hat can also provide simple DCID 6/3 compliance tools for intelligence customers.
US government and contractors may be interested in the Red Hat Government Security mailing list, a moderated forum for Red Hat users in the information assurance and certification/accreditation community: https://www.redhat.com/mailman/listinfo/gov-sec
Red Hat provides a number of security-specific courses, and also provides a formal certification program for systems engineers working in the security field. For more information about the Red Hat Certified Security Specialist (RHCSS) certification, visit https://www.redhat.com/training/security/courses/.
Red Hat has cleared representatives and engineers available for both pre-sales help and consulting engagements.
Red Hat Certificate System was acquired from AOL three years ago as part of the Netscape technology acquisition.
Red Hat Enterprise Linux has been used in systems from Protection Level 3 (PL3) up to PL5. For more information, please speak with your Red Hat account representative.
Red Hat Enterprise Linux can easily meet the requirements of the DISA STIGs. The Red Hat Government group has implementation tools that can help. Please contact your local Red Hat representative.
Red Hat Enterprise Linux provides out-of-the-box compliance with the NISPOM Chapter 8 audit requirements. A sample implementation can be found in /usr/doc/audit-1.5.2/nispom.rules in Red Hat Enterprise Linux versions 4 and 5.
In Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5, Red Hat provides FIPS 140-2 certified cryptography through the Network Security Services (NSS) libraries. These libraries are certified to Level 1 and Level 2. The original certification is http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt815.pdf and ongoing validation compliance is affirmed by Red Hat in accordance with the FIPS 140-2 Implementation Guidance, G.5.
All the NSS code that is subject to FIPS 140 guidelines and that was FIPS validated is in a shared library module called the "Soft Token" (/usr/lib/libsoftokn3.so on RHEL). The Soft Token module that was submitted to NIST and FIPS validated was version 3.11.4. NSS 3.11.4, NSS 3.11.5, and NSS 3.11.7 all include Soft Token 3.11.4.
Red Hat has been a leader in adopting standards like CVE and OVAL which help customers identify and assess security vulnerabilities. For example, each Red Hat Errata includes both CVE references and OVAL data. You can find the OVAL documents for Red Hat Enterprise Linux 3, 4, and 5 at the Red Hat OVAL site.
In 1998, Congress amended the Rehabilitation Act of 1973 to require Federal agencies to make their electronic and information technology accessible to people with disabilities. Inaccessible technology interferes with an individual's ability to obtain and use information quickly and easily. Section 508 was enacted to eliminate barriers in information technology, to make available new opportunities for people with disabilities, and to encourage development of technologies that will help achieve these goals. The law applies to all Federal agencies when they develop, procure, maintain, or use electronic and information technology. Under Section 508, agencies must give disabled employees and members of the public access to information that is comparable to the access available to others unless an undue burden would be imposed on the agency.
Section 508 sets standards and requirements for the following types of products: software applications, operating systems, web-based intranet and Internet information and applications, telecommunications products, video and multimedia products, self-contained closed products, and desktop and portable computers.
Federal Agencies are responsible for Section 508 compliance. Red Hat is assisting the government by providing information about 508 functionality and services through self-assessments. The results of these self-assessments including information relating to "Assistive Technology" are detailed in Voluntary Product Accessibility Templates ("VPAT").