Government standards

On this page:

Certifications  |  Requirements  |  Standards  |  Projects  |  Communities that can help

Certifications

Common Criteria

Common Criteria is an internationally recognized certification for information assurance products.

FAQs

Can I use a product if it's "in evaluation"?
Under NSTISSP #11, government customers must prefer products that have been certified using a US-approved protection profile. Failing that, you can use something certified under another profile. Failing that, you must ensure that the product is in evaluation. You can find a helpful explanation of the process here.

We've been through the Common Criteria process many times, so "in evaluation" is less uncertain than it might sound. When we're in evaluation, we're confident that we'll eventually receive the certification. It's just a matter of time. If you have any trouble getting a product approved while it's in evaluation, we'd be happy to speak with your DAA.

I'm worried about the timing of the certification. I need to deploy today!
Red Hat makes it as easy as possible for you to use the version of Red Hat Enterprise Linux® that you're comfortable with. A subscription lets you use any version of the product as long as you have a current subscription. So you can buy a subscription today, field on a currently certified version, and move to a more recent version once it's certified—at no cost.

Why can't I find your certification on the NIAP website?
Red Hat Enterprise Linux 6 was certified by BSI under OS Protection Profile at EAL4+. This is equivalent to certifying under NIAP under the Common Criteria mutual recognition treaties. More information on mutual recognition can be found on the CCRA web site. That site includes a list of the member countries that recognize one another's evaluations.

Certifications

Federal Information Processing Standard 140-2 (FIPS 140-2)

Federal Information Processing Standard 140-2 ensures that cryptographic tools implement their algorithms properly. There are a number of FIPS 140-2-related articles in the Red Hat Customer Portal. You'll find a complete list of all FIPS 140-2 certificates at the NIST CMVP website. The Red Hat certificates are below.

USGv6 (DOD IPv6)

Red Hat Enterprise Linux 5 and 6 are both certified under USGv6, which has replaced the Department of Defense (DOD) Internet Protocol version 6 (IPv6) requirements. More information is available at Red Hat's IPv6 pages.

1. IPv6 Ready Logo Phase 2 website
2. Listing of USGv6 tested devices for Red Hat, Inc.

Requirements

DISA Secure Technical Implementation Guidelines (STIG)

Any DOD system must meet the STIG requirements before they are fielded. Below you'll find a list of guidance documents that can help you meet the STIG requirements.

Federal Information Security Management Act (FISMA)

All federal agencies must comply with FISMA, and Red Hat works to make that process as simple as possible. Reviewing the USGCB content is a great place to start.

FedRAMP

FedRAMP is a variant of the FISMA process for cloud providers. Just like FISMA, USGCB is a great place to start for compliance questions. You may also be interested in talking with Red Hat about our Certified Cloud Provider Program.

ICD 503 / NSSI 1253, DOD Instruction 8500.2

Intelligence Community Directive 503 describes a system for accrediting national security systems. Similarly, DOD Instruction 8500.2 describes the requirements for defense systems. Guidance on meeting ICD 503 (and therefore NIST 800-53) can be found in the SCAP-Security-Guide project.

NISPOM Chapter 8

You can find guidance on meeting Chapter 8 requirements in the National Industrial Security Program Operating Manual (NISPOM) Chapter 8 Knowledgebase article.

Section 508 accessibility

Section 508 requires that government agencies ensure that their software is accessible by those with disabilities. Red Hat supports these requirements with the completed Voluntary Product Accessiblity Templates below.

US Army Certificate of Networthiness

Army Networthiness (NW) provides an operational assessment of all systems, applications, and devices to determine supportability, sustainability, interoperability, and compliance with federal, DOD, and Army regulations and mandates. Army Regulation AR 25-1, paragraph 6-3(c), states that all activities must obtain a Certificate of Networthiness (CON) before connecting hardware or software to the LandWarNet (LWN).

The Army NW determines whether an application or system is capable or worthy to go on the Army's enterprise network and helps the Army reach its goal of establishing a standard baseline by establishing and utilizing enterprise license agreements.

NW was developed to prevent unmanaged deployments of software and hardware. It also serves as a way of ensuring that applications and hardware that connect to LWN are interoperable and will not damage other systems on the network by introducing new threats.

Networthiness certification applies to all organizations fielding, using, or managing IT assets on the LandWarNet:

• All applications (including COTS)
• All Government Off-the-Shelf (GOTS) software
• All web services
• Collaboration tools and services
• Tactical systems
• New, legacy, and fielded systems

A list of software with approved CONs is identified on the Army's Networthiness Program website (AKO login required).

Standards

US Government Configuration Baseline (USGCB)

The USGCB provides a minimum security configuration for software products. Red Hat has worked closely with various US government agencies on this guidance, which provides an excellent starting point for agency- and program-specific guidance.

Secure Content Automation Protocol (SCAP)

SCAP is a machine-readable set of configuration requirements. You can provide SCAP content to SCAP tools, which will audit your systems for compliance. The OpenSCAP tool ships with Red Hat Enterprise Linux 5 and 6, and you can find our SCAP content listed in the US Government Configuration Baseline section of this page.

Open Vulnerability and Assessment Language (OVAL)

OVAL is a security standard that helps describe security vulnerabilities in a uniform way. Red Hat helped found the standard in 2002, and our Security Response Team produces OVAL content for all of Red Hat's security advisories. For more information, please see the Red Hat Security Response Team's OVAL FAQ.

Common Vulnerability Enumeration (CVE)

CVE provides a common identifier for known flaws in software. The CVE database is administered by MITRE. If a CVE is issued for Red Hat products, we will include a vendor statement, which provides information on how to fix that vulnerability. For more information, please see How do I know if a CVE name affects a Red Hat Enterprise Linux package? in the Red Hat Customer Portal.

Information Assurance Vulnerability Alerts (IAVA)

IAVAs are similar to CVEs and provide instructions to DOD personnel on securing their systems. You may find DISA's IAVM-to-CVE mapping very helpful.

Projects

OpenSCAP

OpenSCAP is a tool for running SCAP content. The project is the upstream for the openscap tool that ships in Red Hat Enterprise Linux.

SCAP Workbench

The SCAP Workbench provides a simpler interface for creating and editing SCAP content.

scap-security-guide

scap-security-guide is an combined effort between Red Hat, our customers, and a number of government agencies to develop a common, managable set of SCAP content for Red Hat Enterprise Linux. The project is actively working on USGCB content for Red Hat Enterprise Linux 6. You can use this content with a tool like OpenSCAP to audit your systems or transform the content into formal security-hardening documentation. Our ambition is for this guidance to form the basis of the RHEL 6 SRG (STIG) for the DOD.

Aqueduct

Aqueduct is a Red Hat-sponsored project to create a common pool of bash scripts and puppet manifests that can be applied to many different security regimes at once. So, for instance, code to ensure a minimum password length can be used on either a DISA STIG requirement or a SAS-70 requirement. They are famous for their STIG a RHEL box in 5 minutes guide.

Certifiable Linux Implementation Platform (CLIP)

The CLIP tool, a project of Tresys, makes it simple to reconfigure machines to meet a variety of certification and accreditation regimes.

Communities that can help

gov-sec

The Red Hat-sponsored gov-sec community is a moderated mailing list for US government security professionals.

Military Open Source Working Group

Mil-OSS is a community of open source enthusiasts in the DOD. It is not affiliated with Red Hat in any way, but many Red Hat folks are active members. If you are interested in any of the information on this page, there's a good chance you'll enjoy this group. You can find more information on the Mil-OSS website.

Customer Portal

Red Hat customers have access to a great deal of security information, bulletins, and Knowledgebase articles through the Red Hat Customer Portal.

Your Red Hat Account Team

We're here to help, not just sell you things. Please feel free to ask your local account executive or solutions architect if you have any questions about security, compliance, or configuration requirements.