Red Hat is committed to making your certification and accreditation process as easy as possible. The resources below should help you comply with a variety of government requirements.
|JBoss® Enterprise Application Platform||4.3||EAL2||--||Evaluated|
|JBoss Enterprise Application Platform||5||EAL4+||--||Evaluated|
|Red Hat JBoss Enterprise Application Platform||6.2||EAL4+||--||In Evaluation (ID #BSI-DSZ-CC-0909) Q1 CY14|
|MetaMatrix Data Services Platform||5.5.3||EAL2+||--||Evaluated|
|Red Hat Certificate System||6||EAL4+||CIMC||Evaluated|
|Red Hat Certificate System||8.1||EAL4+||CIMC||Evaluated|
|Red Hat Enterprise Linux||4||EAL3+||CAPP||Evaluated|
|Red Hat Enterprise Linux||4||EAL4+||CAPP||Evaluated|
|Red Hat Enterprise Linux||5||EAL4+||CAPP/RBACPP/LSPP||Evaluated|
|Red Hat Enterprise Linux||5||EAL4+||with KVM virtualization||Evaluated|
|Red Hat Enterprise Linux||6||EAL4+||OSPP, including Labeled Security, Advanced Audit, Advanced Management, and Virtualization Extended Modules||Evaluated|
|Red Hat Enterprise Linux||6||EAL4+||OSPP, including Labeled Security, Advanced Audit, Advanced Management||Evaluated|
|Red Hat Enterprise Linux||6||EAL4+||32-bit. OSPP, including Advanced Audit.||Evaluated|
|Red Hat Enterprise Linux||7||EAL4+||OSPP v2.0, OSPP v3.9||In Evaluation (ID #BSI-DSZ-CC-0949)|
Federal Information Processing Standard 140-2 ensures that cryptographic tools implement their algorithms properly. There are a number of FIPS 140-2-related articles in the Red Hat Customer Portal. You'll find a complete list of all FIPS 140-2 certificates at the NIST CMVP website. The Red Hat certificates are below.
|Red Hat Enterprise Linux 4||NSS||3.11.4||#815||Certified, Level 1|
|Red Hat Enterprise Linux 4||NSS||3.11.4||#814||Certified, Level 2|
|Red Hat Enterprise Linux 4||NSS (Freebl)||3.12.4||#1293||Certified, Level 1|
|Red Hat Enterprise Linux 4||NSS||3.12.4||#1280||Certified, Level 2|
|Red Hat Enterprise Linux 5||Kernel Cryptographic API||"1.0"||#1387||Certified, Level 1|
|Red Hat Enterprise Linux 5||libgcrypt||"1.0"||#1305||Certified, Level 1|
|Red Hat Enterprise Linux 5||NSS||3.11.4||#815||Certified, Level 1|
|Red Hat Enterprise Linux 5||NSS||3.11.4||#814||Certified, Level 2|
|Red Hat Enterprise Linux 5||NSS (Freebl)||3.12.4||#1293||Certified, Level 1|
|Red Hat Enterprise Linux 5||NSS||3.12.4||#1280||Certified, Level 2|
|Red Hat Enterprise Linux 5||OpenSSH Client||"1.0"||#1385||Certified, Level 1|
|Red Hat Enterprise Linux 5||OpenSSH Server||"1.0"||#1384||Certified, Level 1|
|Red Hat Enterprise Linux 5||OpenSSL||"1.0"||#1320||Certified, Level 1|
|Red Hat Enterprise Linux 5||Openswan||"1.0"||#1386||Certified, Level 1|
|Red Hat Enterprise Linux 6||Kernel Cryptographic API||"2.0"||#1901||Certified, Level 1|
|Red Hat Enterprise Linux 6||Disk Volume Cryptographic API||"2.0"||#1933||Certified, Level 1|
|Red Hat Enterprise Linux 6||libgcrypt||"2.0"||#1757||Certified, Level 1|
|Red Hat Enterprise Linux 6||OpenSSH Client||"2.0"||#1791||Certified, Level 1|
|Red Hat Enterprise Linux 6||OpenSSH Server||"2.0"||#1792||Certified, Level 1|
|Red Hat Enterprise Linux 6||OpenSSL||"2.0"||#1758||Certified, Level 1|
|Red Hat Enterprise Linux 6||Openswan||"2.0"||#1859||Certified, Level 1|
|Red Hat Enterprise Linux 6||NSS (Freebl)||22.214.171.124||#1710||Certified, Level 1|
|Red Hat Enterprise Linux 6||NSS||126.96.36.199||#1837||Certified, Level 1|
Red Hat Enterprise Linux 5 and 6 are both certified under USGv6, which has replaced the Department of Defense (DOD) Internet Protocol version 6 (IPv6) requirements. More information is available at Red Hat's IPv6 pages.
IPv6 Ready logo phase 2*
|RHEL 5.3 or later||RHEL 6.0 or later|
|Core Protocols: Host||Certified||Certified|
|Core Protocols: Router||Certified|
|RHEL 5.6 or later||RHEL 6.0 or later|
|Basic (Conf: v1.2, IOP: v1.1)||Certified||Certified|
|SLAAC (Conf: v1.1, IOP: v1.1)||Certified||Certified|
|Addr Arch (Conf: v1.2, IOP: v1.1)||Certified||Certified|
|ESP (Conf: v1.0, IOP: v1.1)||Certified|
|IKEv2 (Conf: v1.1, IOP: v2.0)||Certified|
|IPSECv3 (Conf: v1.2, IOP: v1.2)||Certified|
Any DOD system must meet the STIG requirements before it is fielded. Below you'll find a list of guidance documents that can help you meet the STIG requirements.
|JBoss Enterprise Application Platform 4||--||--|
|JBoss Enterprise Application Platform 5||The NIST NVD JBoss checklist is the basis of the future STIG.||Draft. See the "SCAP Security Guide" section.|
|Red Hat JBoss Enterprise Application Platform 6||--||In development. See the "SCAP Security Guide" section.|
|Red Hat Enterprise Linux 4||You can use either the UNIX General scripts or the RHEL 5 draft guidance. Either guidance will require additional work.||Final|
|Red Hat Enterprise Linux 5||http://iase.disa.mil/stigs/os/unix/red_hat.html||Draft|
|Red Hat Enterprise Linux 6||--||In development, ETA November 2012. See the "SCAP Security Guide" section.|
Federal Information Security Management Act (FISMA)
All federal agencies must comply with FISMA, and Red Hat works to make that process as simple as possible. Reviewing the USGCB content is a great place to start.
FedRAMP is a variant of the FISMA process for cloud providers. Just like FISMA, USGCB is a great place to start for compliance questions. You may also be interested in talking with Red Hat about our Certified Cloud Provider Program.
ICD 503 / NSSI 1253, DOD Instruction 8500.2
Intelligence Community Directive 503 describes a system for accrediting national security systems. Similarly, DOD Instruction 8500.2 describes the requirements for defense systems. Guidance on meeting ICD 503 (and therefore NIST 800-53) can be found in the SCAP-Security-Guide project.
NISPOM Chapter 8
You can find guidance on meeting Chapter 8 requirements in the National Industrial Security Program Operating Manual (NISPOM) Chapter 8 Knowledgebase article.
Section 508 accessibility
Section 508 requires that government agencies ensure that their software is accessible by those with disabilities. Red Hat supports these requirements with the completed Voluntary Product Accessibility Templates below.
|Red Hat Enterprise Linux||4||VPAT for RHEL 4|
|Red Hat Enterprise Linux||5||VPAT for RHEL 5|
|Red Hat Enterprise Linux||6||VPAT for RHEL 6|
|Red Hat Network Satellite Server||5||VPAT for RHN Satellite Server 5|
|Red Hat JBoss Enterprise Application Platform||6||VPAT for JBoss EAP 6.0|
|Red Hat JBoss Portal||6.1||VPAT for JBoss Portal 6.1|
US Army Certificate of Networthiness
Army Networthiness (NW) provides an operational assessment of all systems, applications, and devices to determine supportability, sustainability, interoperability, and compliance with federal, DOD, and Army regulations and mandates. Army Regulation AR 25-1, paragraph 6-3(c), states that all activities must obtain a Certificate of Networthiness (CON) before connecting hardware or software to the LandWarNet (LWN).
The Army NW determines whether an application or system is capable or worthy to go on the Army's enterprise network and helps the Army reach its goal of establishing a standard baseline by establishing and utilizing enterprise license agreements.
NW was developed to prevent unmanaged deployments of software and hardware. It also serves as a way of ensuring that applications and hardware that connect to LWN are interoperable and will not damage other systems on the network by introducing new threats.
Networthiness certification applies to all organizations fielding, using, or managing IT assets on the LandWarNet:
- All applications (including COTS)
- All Government Off-the-Shelf (GOTS) software
- All web services
- Collaboration tools and services
- Tactical systems
- New, legacy, and fielded systems
A list of software with approved CONs is identified on the Army's Networthiness Program website (AKO login required).
The USGCB provides a minimum security configuration for software products. Red Hat has worked closely with various US government agencies on this guidance, which provides an excellent starting point for agency- and program-specific guidance.
|Red Hat Enterprise Linux 5||USGCB content and configuration tools are available from NIST.||Draft|
|Red Hat Enterprise Linux 6||Content is being actively developed in the Fedora scap-security-guide project.||In development|
Secure Content Automation Protocol (SCAP)
SCAP is a machine-readable set of configuration requirements. You can provide SCAP content to SCAP tools, which will audit your systems for compliance. The OpenSCAP tool ships with Red Hat Enterprise Linux 5 and 6, and you can find our SCAP content listed in the US Government Configuration Baseline section of this page.
Open Vulnerability and Assessment Language (OVAL)
OVAL is a security standard that helps describe security vulnerabilities in a uniform way. Red Hat helped found the standard in 2002, and our Red Hat Product Security team produces OVAL content for all of Red Hat's security advisories. For more information, please see the Red Hat Product Security's OVAL FAQ.
Common Vulnerability Enumeration (CVE)
CVE provides a common identifier for known flaws in software. The CVE database is administered by MITRE. If a CVE is issued for Red Hat products, we will include a vendor statement, which provides information on how to fix that vulnerability. For more information, please see How do I know if a CVE name affects a Red Hat Enterprise Linux package? in the Red Hat Customer Portal.
Information Assurance Vulnerability Alerts (IAVA)
IAVAs are similar to CVEs and provide instructions to DOD personnel on securing their systems. You may find DISA's IAVM-to-CVE mapping very helpful.
- OpenSCAP is a tool for running SCAP content. The project is the upstream for the openscap tool that ships in Red Hat Enterprise Linux.
- SCAP Workbench
- The SCAP Workbench provides a simpler interface for creating and editing SCAP content.
- scap-security-guide is a combined effort between Red Hat, our customers, and a number of government agencies to develop a common, manageable set of SCAP content for Red Hat Enterprise Linux. The project is actively working on USGCB content for Red Hat Enterprise Linux 6. You can use this content with a tool like OpenSCAP to audit your systems or transform the content into formal security-hardening documentation. Our ambition is for this guidance to form the basis of the RHEL 6 SRG (STIG) for the DOD.
- Aqueduct is a Red Hat-sponsored project to create a common pool of bash scripts and puppet manifests that can be applied to many different security regimes at once. So, for instance, code to ensure a minimum password length can be used on either a DISA STIG requirement or a SAS-70 requirement. The project is famous for its "STIG a RHEL box in 5 minutes" guide.
- Certifiable Linux Implementation Platform (CLIP)
- The CLIP tool, a project of Tresys, makes it simple to reconfigure machines to meet a variety of certification and accreditation regimes.
- The Red Hat-sponsored gov-sec community is a moderated mailing list for US government security professionals.
- Military Open Source Working Group
- Mil-OSS is a community of open source enthusiasts in the DOD. It is not affiliated with Red Hat in any way, but many Red Hat folks are active members. If you are interested in any of the information on this page, there's a good chance you'll enjoy this group. You can find more information on the Mil-OSS website.
- Customer Portal
- Red Hat customers have access to a great deal of security information, bulletins, and Knowledgebase articles through the Red Hat Customer Portal.
- Your Red Hat account team
- We're here to help, not just sell you things. Feel free to ask your local account executive or solutions architect if you have any questions about security, compliance, or configuration requirements.
- Can I use a product if it's "in evaluation"?
Under NSTISSP #11, government customers must prefer products that have been certified using a US-approved protection profile. Failing that, you can use something certified under another profile. Failing that, you must ensure that the product is in evaluation. You can find a helpful explanation of the process here.
We've been through the Common Criteria process many times, so "in evaluation" is less uncertain than it might sound. When we're in evaluation, we're confident that we'll eventually receive the certification. It's just a matter of time. If you have any trouble getting a product approved while it's in evaluation, we'd be happy to speak with your DAA.
- I'm worried about the timing of the certification. I need to deploy today!
Red Hat makes it as easy as possible for you to use the version of Red Hat® Enterprise Linux® that you're comfortable with. A subscription lets you use any version of the product as long as you have a current subscription. So you can buy a subscription today, field on a currently certified version, and move to a more recent version once it's certified, at no cost.
- Why can't I find your certification on the NIAP website?
Red Hat Enterprise Linux 6 was certified by BSI under OS Protection Profile at EAL4+. Under the Common Criteria mutual recognition treaties, this is equivalent to certifying under NIAP. More information on mutual recognition can be found on the CCRA website. That site includes a list of the member countries that recognize one another's evaluations.