Government: Standards

Certifications and accreditation

Making certification and accreditation easier

Red Hat is committed to making your certification and accreditation process as easy as possible. The resources below should help you comply with a variety of government requirements.

Certifications

Product | Release | Level | Protection profile / platform | Status
--- | --- | --- | --- | ---
JBoss® Enterprise Application Platform | 4.3 | EAL2 | -- | Evaluated
JBoss Enterprise Application Platform | 5 | EAL4+ | -- | Evaluated
Red Hat JBoss Enterprise Application Platform | 6.2 | EAL4+ | -- | Evaluated
MetaMatrix Data Services Platform | 5.5.3 | EAL2+ | -- | Evaluated
Red Hat Certificate System | 6 | EAL4+ | CIMC | Evaluated
Red Hat Certificate System | 8.1 | EAL4+ | CIMC | Evaluated
Red Hat Enterprise Linux | 4 | EAL3+ | CAPP | Evaluated
Red Hat Enterprise Linux | 4 | EAL4+ | CAPP | Evaluated
Red Hat Enterprise Linux | 5 | EAL4+ | CAPP/RBACPP/LSPP | Evaluated
Red Hat Enterprise Linux | 5 | EAL4+ | with KVM virtualization | Evaluated
Red Hat Enterprise Linux | 6 | EAL4+ | OSPP, including Labeled Security, Advanced Audit, Advanced Management, and Virtualization Extended Modules | Evaluated
Red Hat Enterprise Linux | 6 | EAL4+ | OSPP, including Labeled Security, Advanced Audit, Advanced Management | Evaluated
Red Hat Enterprise Linux | 6 | EAL4+ | 32-bit. OSPP, including Advanced Audit. Platform: Northrop Grumman Payload Control Element (PCE) Server 309-C20213 (report, target) | Evaluated
Red Hat Enterprise Linux | 7 | EAL4+ | OSPP; evaluated platforms listed below | OSPP v2.0: Evaluated, OSPP v3.9: In Evaluation

Red Hat Enterprise Linux 7 evaluated platforms:

  • Dell PowerEdge 13G family of servers
  • Dell Precision Rack 7910
  • HP DL, BL, ML, and SL servers, generations G7, Gen8, and Gen9, with 64-bit Intel Xeon processors
  • HP DL, BL, ML, and SL servers, generations G7 and Gen8, with 64-bit AMD Opteron processors
  • IBM System z based on z/Architecture processors: zEnterprise EC12 (zEC12), zEnterprise BC12 (zBC12), zEnterprise 196 (z196), zEnterprise 114 (z114)
  • IBM System p based on Power 8 processors providing execution environments with RHEV for Power 3.6 and PowerVM: Big Endian with PowerVM: Power 835 model 8286-41A, Little Endian with RHEV for Power 3.6: Power 835 model 8284-22A
  • Certification Report (OSPP v2.0) [pdf]
  • Security Target (OSPP v2.0) [pdf]

Federal Information Processing Standard 140-2 (FIPS 140-2)

Federal Information Processing Standard 140-2 ensures that cryptographic tools implement their algorithms properly. There are a number of FIPS 140-2-related articles in the Red Hat Customer Portal. You'll find a complete list of all FIPS 140-2 certificates at the NIST CMVP website. The Red Hat certificates are below.

Product | Component | Version | Certificate | Status
--- | --- | --- | --- | ---
Red Hat Enterprise Linux 4 | NSS | 3.11.4 | #815 | Certified, Level 1
Red Hat Enterprise Linux 4 | NSS | 3.11.4 | #814 | Certified, Level 2
Red Hat Enterprise Linux 4 | NSS (Freebl) | 3.12.4 | #1293 | Certified, Level 1
Red Hat Enterprise Linux 4 | NSS | 3.12.4 | #1280 | Certified, Level 2
Red Hat Enterprise Linux 5 | Kernel Cryptographic API | 1.0 | #1387 | Certified, Level 1
Red Hat Enterprise Linux 5 | libgcrypt | 1.0 | #1305 | Certified, Level 1
Red Hat Enterprise Linux 5 | NSS | 3.11.4 | #815 | Certified, Level 1
Red Hat Enterprise Linux 5 | NSS | 3.11.4 | #814 | Certified, Level 2
Red Hat Enterprise Linux 5 | NSS (Freebl) | 3.12.4 | #1293 | Certified, Level 1
Red Hat Enterprise Linux 5 | NSS | 3.12.4 | #1280 | Certified, Level 2
Red Hat Enterprise Linux 5 | OpenSSH Client | 1.0 | #1385 | Certified, Level 1
Red Hat Enterprise Linux 5 | OpenSSH Server | 1.0 | #1384 | Certified, Level 1
Red Hat Enterprise Linux 5 | OpenSSL | 1.0 | #1320 | Certified, Level 1
Red Hat Enterprise Linux 5 | Openswan | 1.0 | #1386 | Certified, Level 1
Red Hat Enterprise Linux 6 | Kernel Cryptographic API | 2.0 | #1901 | Certified, Level 1
Red Hat Enterprise Linux 6 | Disk Volume Cryptographic API | 2.0 | #1933 | Certified, Level 1
Red Hat Enterprise Linux 6 | libgcrypt | 2.0 | #1757 | Certified, Level 1
Red Hat Enterprise Linux 6 | OpenSSH Client | 2.0 | #1791 | Certified, Level 1
Red Hat Enterprise Linux 6 | OpenSSH Server | 2.0 | #1792 | Certified, Level 1
Red Hat Enterprise Linux 6 | OpenSSL | 2.0 | #1758 | Certified, Level 1
Red Hat Enterprise Linux 6 | Openswan | 2.0 | #1859 | Certified, Level 1
Red Hat Enterprise Linux 6 | NSS (Freebl) | 3.12.9.1 | #1710 | Certified, Level 1
Red Hat Enterprise Linux 6 | NSS | 3.12.9.1 | #1837 | Certified, Level 1
Red Hat Enterprise Linux 6 | OpenSSL | 3.0 | #2441 | Certified, Level 1
Red Hat Enterprise Linux 6 | OpenSSH Server | 3.0 | #2446 | Certified, Level 1
Red Hat Enterprise Linux 6 | OpenSSH Client | 3.0 | #2447 | Certified, Level 1
Red Hat Enterprise Linux 6 | NSS | 3.14.3-22 | #2564 | Certified, Level 2
Red Hat Enterprise Linux 6 | Kernel Cryptographic API | 3.0 | #2582 | Certified, Level 1
Red Hat Enterprise Linux 7 | OpenSSL | 4.0 | #2441 | Certified, Level 1
Red Hat Enterprise Linux 7 | OpenSSH Server | 4.0 | #2630 | Certified, Level 1
Red Hat Enterprise Linux 7 | OpenSSH Client | 4.0 | #2633 | Certified, Level 1
Red Hat Enterprise Linux 7 | libgcrypt | 4.0 | #2657 | Certified, Level 1
Red Hat Enterprise Linux 7 | NSS | 4.0 | #2711 | Certified, Level 1
Red Hat Enterprise Linux 7 | Libreswan | 4.0 | #2721 | Certified, Level 1
Red Hat Enterprise Linux 7 | Kernel Cryptographic API | 4.0 | #2742 | Certified, Level 1
Red Hat Enterprise Linux 7 | Kernel Cryptographic API with CPACF | 4.0 | #2798 | Certified, Level 1
Red Hat Enterprise Linux 7 | GnuTLS | 4.0 | #2780 | Certified, Level 1

USGv6 (DOD IPv6)

Red Hat Enterprise Linux 5 and 6 are both certified under USGv6, which has replaced the Department of Defense (DOD) Internet Protocol version 6 (IPv6) requirements.

IPv6 Ready logo phase 2

RHEL 5.3 or later RHEL 6.0 or later
Core Protocols: Host Certified Certified
Core Protocols: Router Certified
IPsec: End-Node Certified Certified
SNMP: Agent-Host Certified
DHCPv6: Server Certified

US government version 6 (USGv6) tested product list*

RHEL 5.6 or later RHEL 6.0 or later
Basic (Conf: v1.2, IOP: v1.1) Certified Certified
SLAAC (Conf: v1.1, IOP: v1.1) Certified Certified
Addr Arch (Conf: v1.2, IOP: v1.1) Certified Certified
ESP (Conf: v1.0, IOP: v1.1) Certified
IKEv2 (Conf: v1.1, IOP: v2.0) Certified
IPSECv3 (Conf: v1.2, IOP: v1.2) Certified

* Listing of USGv6 tested devices for Red Hat, Inc.

DISA Security Technical Implementation Guides (STIG)

Any DOD system must meet the STIG requirements before it is fielded. Below you'll find a list of guidance documents that can help you meet the STIG requirements.

Product | Guidance | Status
--- | --- | ---
JBoss Enterprise Application Platform 4 | -- | --
JBoss Enterprise Application Platform 5 | The NIST NVD JBoss checklist is the basis of the future STIG. | Draft. See the "SCAP Security Guide" section.
Red Hat JBoss Enterprise Application Platform 6 | -- | In development. See the "SCAP Security Guide" section.
Red Hat Enterprise Linux 4 | Use the RHEL 5 draft guidance. Either guidance will require additional work. | Final
Red Hat Enterprise Linux 5 | http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx | Draft
Red Hat Enterprise Linux 6 | -- | See the "SCAP Security Guide" section.

Federal Information Security Management Act (FISMA)

All federal agencies must comply with FISMA, and Red Hat works to make that process as simple as possible. Reviewing the USGCB content is a great place to start.

FedRAMP

FedRAMP is a variant of the FISMA process for cloud providers. Just like FISMA, USGCB is a great place to start for compliance questions. You may also be interested in talking with Red Hat about our Certified Cloud Provider Program.

ICD 503 / NSSI 1253, DOD Instruction 8500.2

Intelligence Community Directive 503 describes a system for accrediting national security systems. Similarly, DOD Instruction 8500.2 describes the requirements for defense systems. Guidance on meeting ICD 503 (and therefore NIST 800-53) can be found in the SCAP-Security-Guide project.

NISPOM Chapter 8

You can find guidance on meeting Chapter 8 requirements in the National Industrial Security Program Operating Manual (NISPOM) Chapter 8 Knowledgebase article.

Section 508 accessibility

Section 508 requires that government agencies ensure that their software is accessible by those with disabilities. Red Hat supports these requirements with the completed Voluntary Product Accessibility Templates below.

Product | Version | VPAT
--- | --- | ---
Red Hat Enterprise Linux | 4 | VPAT for RHEL 4
Red Hat Enterprise Linux | 5 | VPAT for RHEL 5
Red Hat Enterprise Linux | 6 | VPAT for RHEL 6
Red Hat Enterprise Linux | 7 | VPAT for RHEL 7
Red Hat Network Satellite Server | 5 | VPAT for RHN Satellite Server 5
Red Hat Network Satellite Server | 6 | VPAT for RHN Satellite Server 6
Red Hat JBoss Enterprise Application Platform | 6 | VPAT for JBoss EAP 6.0
Red Hat OpenShift | 3 | Red Hat OpenShift 3
Red Hat CloudForms | 3 | Red Hat CloudForms 3
Red Hat Gluster Storage | 3 | Red Hat Gluster Storage 3

US Army Certificate of Networthiness

Army Networthiness (NW) provides an operational assessment of all systems, applications, and devices to determine supportability, sustainability, interoperability, and compliance with federal, DOD, and Army regulations and mandates. Army Regulation AR 25-1, paragraph 6-3(c), states that all activities must obtain a Certificate of Networthiness (CON) before connecting hardware or software to the LandWarNet (LWN).

The Army NW determines whether an application or system is capable or worthy to go on the Army's enterprise network and helps the Army reach its goal of establishing a standard baseline by establishing and utilizing enterprise license agreements.

NW was developed to prevent unmanaged deployments of software and hardware. It also serves as a way of ensuring that applications and hardware that connect to LWN are interoperable and will not damage other systems on the network by introducing new threats.

Networthiness certification applies to all organizations fielding, using, or managing IT assets on the LandWarNet:

  • All applications (including COTS)
  • All Government Off-the-Shelf (GOTS) software
  • All web services
  • Collaboration tools and services
  • Tactical systems
  • New, legacy, and fielded systems

A list of software with approved CONs is identified on the Army's Networthiness Program website (AKO login required).

US Government Configuration Baseline (USGCB)

The USGCB provides a minimum security configuration for software products. Red Hat has worked closely with various US government agencies on this guidance, which provides an excellent starting point for agency- and program-specific guidance.

Product | Content | Status
--- | --- | ---
Red Hat Enterprise Linux 5 | USGCB content and configuration tools are available from NIST. | Draft
Red Hat Enterprise Linux 6 | Content is being actively developed in the Fedora scap-security-guide project. | In development

Security Content Automation Protocol (SCAP)

SCAP is a machine-readable set of configuration requirements. You can provide SCAP content to SCAP tools, which will audit your systems for compliance. The OpenSCAP tool ships with Red Hat Enterprise Linux 5 and 6, and you can find our SCAP content listed in the US Government Configuration Baseline section of this page.

Open Vulnerability and Assessment Language (OVAL)

OVAL is a security standard that helps describe security vulnerabilities in a uniform way. Red Hat helped found the standard in 2002, and our Red Hat Product Security team produces OVAL content for all of Red Hat's security advisories. For more information, please see the Red Hat Product Security's OVAL FAQ.

Common Vulnerability Enumeration (CVE)

CVE provides a common identifier for known flaws in software. The CVE database is administered by MITRE. If a CVE is issued for Red Hat products, we will include a vendor statement, which provides information on how to fix that vulnerability. For more information, please see How do I know if a CVE name affects a Red Hat Enterprise Linux package? in the Red Hat Customer Portal.
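The OVAL and CVE sections above describe, in prose, the check that Red Hat's advisory OVAL content performs: is the installed package older than the version that carries the fix? The following is an added example, not Red Hat's OVAL content or tooling, that performs that check with the rpm epoch:version-release (EVR) ordering. The advisory, its CVE identifier (a placeholder) and the installed-package inventory are all constructed; real Red Hat OVAL definitions also test the package signing key and the RHEL release, which this example omits, as it does rpm's caret ("^") ordering rule.

```python
"""Added example (not Red Hat's OVAL content or tooling): evaluate a
constructed, OVAL-style "is the installed package older than the fixed
version?" check using the rpm EVR ordering that advisory OVAL definitions
rely on.  Caret ('^') ordering is omitted for brevity."""
import re
from typing import Dict, List, Tuple


def rpmvercmp(a: str, b: str) -> int:
    """Segment-wise version compare in the style of rpm's rpmvercmp().
    Returns 1 if a is newer, -1 if b is newer, 0 if equal."""
    if a == b:
        return 0
    while a or b:
        # Separators (anything that is not alphanumeric or '~') are skipped.
        a = re.sub(r"^[^A-Za-z0-9~]+", "", a)
        b = re.sub(r"^[^A-Za-z0-9~]+", "", b)
        # '~' sorts before everything, even the end of the string (1.0~rc1 < 1.0).
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        # Take one segment of the same type (digits or letters) from each side.
        if a[0].isdigit():
            seg_a, seg_b = re.match(r"\d+", a).group(), re.match(r"\d*", b).group()
            numeric = True
        else:
            seg_a, seg_b = re.match(r"[A-Za-z]+", a).group(), re.match(r"[A-Za-z]*", b).group()
            numeric = False
        a, b = a[len(seg_a):], b[len(seg_b):]
        if not seg_b:
            # Type mismatch: a numeric segment is newer than an alphabetic one.
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if not a and not b:
        return 0
    # Whichever side still has characters left is the newer one.
    return 1 if a else -1


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release' into its parts; a missing epoch counts as 0."""
    epoch = 0
    if ":" in evr:
        epoch_str, evr = evr.split(":", 1)
        epoch = int(epoch_str)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(x: str, y: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


# Constructed advisory: the package versions that carry the fix for a placeholder CVE.
ADVISORY = {
    "cve": "CVE-XXXX-XXXX",  # placeholder, not a real identifier
    "fixes": {"openssl": "0:1.0.1e-48.el6_8.1", "kernel": "0:2.6.32-504.el6"},
}

# Constructed inventory in the shape of rpm's "%{NAME} %{EVR}" query output.
INSTALLED: List[Tuple[str, str]] = [
    ("openssl", "1.0.1e-42.el6"),
    ("kernel", "2.6.32-573.el6"),
    ("bash", "4.1.2-33.el6"),
]


def evaluate(advisory: Dict, installed: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return {package: 'affected' | 'fixed'} for each installed package the advisory covers."""
    verdict = {}
    for name, evr in installed:
        fixed = advisory["fixes"].get(name)
        if fixed is None:
            continue  # package not covered by this advisory
        verdict[name] = "affected" if evrcmp(evr, fixed) < 0 else "fixed"
    return verdict


if __name__ == "__main__":
    for pkg, state in evaluate(ADVISORY, INSTALLED).items():
        print(f"{ADVISORY['cve']}: {pkg} is {state}")
```

Run as written, the constructed openssl package is reported as affected (release 42 is older than 48) and the kernel as fixed (573 is newer than 504); bash is not mentioned because the advisory does not cover it. The tilde rule matters in practice: a pre-release such as 1.0~rc1 must sort before 1.0, which a naive string or dotted-number comparison gets wrong.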

Information Assurance Vulnerability Alerts (IAVA)

IAVAs are similar to CVEs and provide instructions to DOD personnel on securing their systems. You may find DISA's IAVM-to-CVE mapping very helpful.

Projects

Projects of interest

OpenSCAP
OpenSCAP is a tool for running SCAP content. The project is the upstream for the openscap tool that ships in Red Hat Enterprise Linux.
SCAP Workbench
The SCAP Workbench provides a simpler interface for creating and editing SCAP content.
scap-security-guide
scap-security-guide is a combined effort between Red Hat, our customers, and a number of government agencies to develop a common, manageable set of SCAP content for Red Hat Enterprise Linux. The project is actively working on USGCB content for Red Hat Enterprise Linux 6. You can use this content with a tool like OpenSCAP to audit your systems, or transform the content into formal security-hardening documentation. Our ambition is for this guidance to form the basis of the RHEL 6 SRG (STIG) for the DOD.
Aqueduct
Aqueduct is a Red Hat-sponsored project to create a common pool of Bash scripts and Puppet manifests that can be applied to many different security regimes at once. So, for instance, code that enforces a minimum password length can satisfy either a DISA STIG requirement or a SAS-70 requirement. They are famous for their "STIG a RHEL box in 5 minutes" guide.
Certifiable Linux Implementation Platform (CLIP)
The CLIP tool, a project of Tresys, makes it simple to reconfigure machines to meet a variety of certification and accreditation regimes.

Communities

Communities that can help

gov-sec
The Red Hat-sponsored gov-sec community is a moderated mailing list for US government security professionals.
Military Open Source Working Group
Mil-OSS is a community of open source enthusiasts in the DOD. It is not affiliated with Red Hat in any way, but many Red Hat folks are active members. If you are interested in any of the information on this page, there's a good chance you'll enjoy this group. You can find more information on the Mil-OSS website.
Customer Portal
Red Hat customers have access to a great deal of security information, bulletins, and Knowledgebase articles through the Red Hat Customer Portal.
Your Red Hat account team
We're here to help, not just sell you things. Feel free to ask your local account executive or solutions architect if you have any questions about security, compliance, or configuration requirements.

Common Criteria

Common Criteria is an internationally recognized certification for information assurance products.

FAQs

What is Common Criteria?

Common Criteria (CC) is an international standard (ISO/IEC 15408) for certifying computer security software. Using Protection Profiles, computer systems can be secured to certain levels that meet requirements laid out by the Common Criteria. Established by governments, the Common Criteria Recognition Arrangement has been signed by 26 countries, and each country recognizes the other's certifications.

In the U.S., Common Criteria is handled by the National Information Assurance Partnership (NIAP). Other countries have their own CC authorities. Each authority certifies CC labs, which do the actual work of evaluating products. Once certified by the authority, based on the evidence from the lab and the vendor, that certification is recognized globally.

Your certification is given a particular assurance level which, roughly speaking, represents the strength of the certification: confidence in an EAL4 certification is higher than in an EAL2 one. Attention is usually paid to the assurance level rather than to what, specifically, you are being assured of, which is defined by the protection profiles.

A CC certification covers a very specific set of software and hardware configurations. Software versions and hardware models and versions matter, because any difference invalidates the certification.
