Certifications and accreditation

Making certification and accreditation easier

Red Hat is committed to making your certification and accreditation process as easy as possible. The resources below should help you comply with a variety of government requirements.

Certifications

| Product | Release | Level | Protection profile | Platform | Status |
|---|---|---|---|---|---|
| JBoss® Enterprise Application Platform | 4.3 | EAL2 | -- | | Evaluated |
| JBoss Enterprise Application Platform | 5 | EAL4+ | -- | | Evaluated |
| Red Hat JBoss Enterprise Application Platform | 6.2 | EAL4+ | -- | | In Evaluation (ID #BSI-DSZ-CC-0909), Q1 CY14 |
| MetaMatrix Data Services Platform | 5.5.3 | EAL2+ | -- | | Evaluated |
| Red Hat Certificate System | 6 | EAL4+ | CIMC | | Evaluated |
| Red Hat Certificate System | 8.1 | EAL4+ | CIMC | | Evaluated |
| Red Hat Enterprise Linux | 4 | EAL3+ | CAPP | | Evaluated |
| Red Hat Enterprise Linux | 4 | EAL4+ | CAPP | | Evaluated |
| Red Hat Enterprise Linux | 5 | EAL4+ | CAPP/RBACPP/LSPP | | Evaluated |
| Red Hat Enterprise Linux | 5 | EAL4+ | with KVM virtualization | | Evaluated |
| Red Hat Enterprise Linux | 6 | EAL4+ | OSPP, including Labeled Security, Advanced Audit, Advanced Management, and Virtualization Extended Modules | | Evaluated |
| Red Hat Enterprise Linux | 6 | EAL4+ | OSPP, including Labeled Security, Advanced Audit, Advanced Management | | Evaluated |
| Red Hat Enterprise Linux | 6 | EAL4+ | 32-bit. OSPP, including Advanced Audit. | Northrop Grumman Payload Control Element (PCE) Server 309-C20213 (report, target) | Evaluated |
| Red Hat Enterprise Linux | 7 | EAL4+ | OSPP v2.0, OSPP v3.9 | Dell PowerEdge 13G family of servers; Dell Precision Rack 7910; HP DL, BL, ML, and SL servers, generations G7, Gen8, and Gen9, with 64-bit Intel Xeon processors; HP DL, BL, ML, and SL servers, generations G7 and Gen8, with 64-bit AMD Opteron processors | In Evaluation (ID #BSI-DSZ-CC-0949) |

Federal Information Processing Standard 140-2 (FIPS 140-2)

Federal Information Processing Standard 140-2 validates that cryptographic modules implement their approved algorithms correctly. There are a number of FIPS 140-2-related articles in the Red Hat Customer Portal. You'll find a complete list of all FIPS 140-2 certificates at the NIST CMVP website. The Red Hat certificates are listed below.

| Product | Component | Version | Certificate | Status |
|---|---|---|---|---|
| Red Hat Enterprise Linux 4 | NSS | 3.11.4 | #815 | Certified, Level 1 |
| Red Hat Enterprise Linux 4 | NSS | 3.11.4 | #814 | Certified, Level 2 |
| Red Hat Enterprise Linux 4 | NSS (Freebl) | 3.12.4 | #1293 | Certified, Level 1 |
| Red Hat Enterprise Linux 4 | NSS | 3.12.4 | #1280 | Certified, Level 2 |
| Red Hat Enterprise Linux 5 | Kernel Cryptographic API | "1.0" | #1387 | Certified, Level 1 |
| Red Hat Enterprise Linux 5 | libgcrypt | "1.0" | #1305 | Certified, Level 1 |
| Red Hat Enterprise Linux 5 | NSS | 3.11.4 | #815 | Certified, Level 1 |
| Red Hat Enterprise Linux 5 | NSS | 3.11.4 | #814 | Certified, Level 2 |
| Red Hat Enterprise Linux 5 | NSS (Freebl) | 3.12.4 | #1293 | Certified, Level 1 |
| Red Hat Enterprise Linux 5 | NSS | 3.12.4 | #1280 | Certified, Level 2 |
| Red Hat Enterprise Linux 5 | OpenSSH Client | "1.0" | #1385 | Certified, Level 1 |
| Red Hat Enterprise Linux 5 | OpenSSH Server | "1.0" | #1384 | Certified, Level 1 |
| Red Hat Enterprise Linux 5 | OpenSSL | "1.0" | #1320 | Certified, Level 1 |
| Red Hat Enterprise Linux 5 | Openswan | "1.0" | #1386 | Certified, Level 1 |
| Red Hat Enterprise Linux 6 | Kernel Cryptographic API | "2.0" | #1901 | Certified, Level 1 |
| Red Hat Enterprise Linux 6 | Disk Volume Cryptographic API | "2.0" | #1933 | Certified, Level 1 |
| Red Hat Enterprise Linux 6 | libgcrypt | "2.0" | #1757 | Certified, Level 1 |
| Red Hat Enterprise Linux 6 | OpenSSH Client | "2.0" | #1791 | Certified, Level 1 |
| Red Hat Enterprise Linux 6 | OpenSSH Server | "2.0" | #1792 | Certified, Level 1 |
| Red Hat Enterprise Linux 6 | OpenSSL | "2.0" | #1758 | Certified, Level 1 |
| Red Hat Enterprise Linux 6 | Openswan | "2.0" | #1859 | Certified, Level 1 |
| Red Hat Enterprise Linux 6 | NSS (Freebl) | 3.12.9.1 | #1710 | Certified, Level 1 |
| Red Hat Enterprise Linux 6 | NSS | 3.12.9.1 | #1837 | Certified, Level 1 |

USGv6 (DOD IPv6)

Red Hat Enterprise Linux 5 and 6 are both certified under USGv6, which has replaced the Department of Defense (DOD) Internet Protocol version 6 (IPv6) requirements. More information is available at Red Hat's IPv6 pages.

IPv6 Ready logo phase 2*

RHEL 5.3 or later RHEL 6.0 or later
Core Protocols: Host Certified Certified
Core Protocols: Router Certified
IPsec: End-Node Certified Certified
SNMP: Agent-Host Certified
DHCPv6: Server Certified

* IPv6 Ready Logo Phase 2 website

US government version 6 (USGv6) tested product list*

RHEL 5.6 or later RHEL 6.0 or later
Basic (Conf: v1.2, IOP: v1.1) Certified Certified
SLAAC (Conf: v1.1, IOP: v1.1) Certified Certified
Addr Arch (Conf: v1.2, IOP: v1.1) Certified Certified
ESP (Conf: v1.0, IOP: v1.1) Certified
IKEv2 (Conf: v1.1, IOP: v2.0) Certified
IPSECv3 (Conf: v1.2, IOP: v1.2) Certified

* Listing of USGv6 tested devices for Red Hat, Inc.

DISA Security Technical Implementation Guides (STIG)

Any DOD system must meet the applicable STIG requirements before it is fielded. Below you'll find a list of guidance documents that can help you meet the STIG requirements.

| Product | Guidance | Status |
|---|---|---|
| JBoss Enterprise Application Platform 4 | -- | -- |
| JBoss Enterprise Application Platform 5 | The NIST NVD JBoss checklist is the basis of the future STIG. | Draft. See the "SCAP Security Guide" section. |
| Red Hat JBoss Enterprise Application Platform 6 | -- | In development. See the "SCAP Security Guide" section. |
| Red Hat Enterprise Linux 4 | You can use either the UNIX General scripts or the RHEL 5 draft guidance. Either will require additional work. | Final |
| Red Hat Enterprise Linux 5 | http://iase.disa.mil/stigs/os/unix/red_hat.html | Draft |
| Red Hat Enterprise Linux 6 | -- | In development, ETA November 2012. See the "SCAP Security Guide" section. |

Federal Information Security Management Act (FISMA)

All federal agencies must comply with FISMA, and Red Hat works to make that process as simple as possible. Reviewing the USGCB content is a great place to start.

FedRAMP

FedRAMP is a variant of the FISMA process for cloud providers. Just like FISMA, USGCB is a great place to start for compliance questions. You may also be interested in talking with Red Hat about our Certified Cloud Provider Program.

ICD 503 / CNSSI 1253, DOD Instruction 8500.2

Intelligence Community Directive 503 describes a system for accrediting national security systems. Similarly, DOD Instruction 8500.2 describes the requirements for defense systems. Guidance on meeting ICD 503 (and therefore NIST 800-53) can be found in the SCAP-Security-Guide project.

NISPOM Chapter 8

You can find guidance on meeting Chapter 8 requirements in the National Industrial Security Program Operating Manual (NISPOM) Chapter 8 Knowledgebase article.

Section 508 accessibility

Section 508 requires that government agencies ensure that their software is accessible by those with disabilities. Red Hat supports these requirements with the completed Voluntary Product Accessibility Templates below.

| Product | Version | VPAT |
|---|---|---|
| Red Hat Enterprise Linux | 4 | VPAT for RHEL 4 |
| Red Hat Enterprise Linux | 5 | VPAT for RHEL 5 |
| Red Hat Enterprise Linux | 6 | VPAT for RHEL 6 |
| Red Hat Network Satellite Server | 5 | VPAT for RHN Satellite Server 5 |
| Red Hat JBoss Enterprise Application Platform | 6 | VPAT for JBoss EAP 6.0 |
| Red Hat JBoss Portal | 6.1 | VPAT for JBoss Portal 6.1 |

US Army Certificate of Networthiness

Army Networthiness (NW) provides an operational assessment of all systems, applications, and devices to determine supportability, sustainability, interoperability, and compliance with federal, DOD, and Army regulations and mandates. Army Regulation AR 25-1, paragraph 6-3(c), states that all activities must obtain a Certificate of Networthiness (CON) before connecting hardware or software to the LandWarNet (LWN).

The Army NW process determines whether an application or system is capable of, and worthy of, operating on the Army's enterprise network, and helps the Army reach its goal of a standard baseline by establishing and using enterprise license agreements.

NW was developed to prevent unmanaged deployments of software and hardware. It also serves as a way of ensuring that applications and hardware that connect to LWN are interoperable and will not damage other systems on the network by introducing new threats.

Networthiness certification applies to all organizations fielding, using, or managing IT assets on the LandWarNet:

  • All applications (including COTS)
  • All Government Off-the-Shelf (GOTS) software
  • All web services
  • Collaboration tools and services
  • Tactical systems
  • New, legacy, and fielded systems

A list of software with approved CONs is identified on the Army's Networthiness Program website (AKO login required).

US Government Configuration Baseline (USGCB)

The USGCB provides a minimum security configuration for software products. Red Hat has worked closely with various US government agencies on this guidance, which provides an excellent starting point for agency- and program-specific guidance.

| Product | Content | Status |
|---|---|---|
| Red Hat Enterprise Linux 5 | USGCB content and configuration tools are available from NIST. | Draft |
| Red Hat Enterprise Linux 6 | Content is being actively developed in the Fedora scap-security-guide project. | In development |

Security Content Automation Protocol (SCAP)

SCAP is a machine-readable set of configuration requirements. You can provide SCAP content to SCAP tools, which will audit your systems for compliance. The OpenSCAP tool ships with Red Hat Enterprise Linux 5 and 6, and you can find our SCAP content listed in the US Government Configuration Baseline section of this page.

Open Vulnerability and Assessment Language (OVAL)

OVAL is a security standard that describes security vulnerabilities and their checks in a uniform, machine-readable way. Red Hat helped found the standard in 2002, and the Red Hat Product Security team produces OVAL content for all of Red Hat's security advisories. For more information, please see Red Hat Product Security's OVAL FAQ.

Common Vulnerabilities and Exposures (CVE)

CVE provides a common identifier for known flaws in software. The CVE database is administered by MITRE. If a CVE is issued for Red Hat products, we will include a vendor statement, which provides information on how to fix that vulnerability. For more information, please see How do I know if a CVE name affects a Red Hat Enterprise Linux package? in the Red Hat Customer Portal.

Information Assurance Vulnerability Alerts (IAVA)

IAVAs are the DOD counterpart to CVEs: they provide instructions to DOD personnel on securing their systems against specific vulnerabilities. You may find DISA's IAVM-to-CVE mapping very helpful.

Projects

Projects of interest

OpenSCAP
OpenSCAP is a tool for running SCAP content. The project is the upstream for the openscap tool that ships in Red Hat Enterprise Linux.
SCAP Workbench
The SCAP Workbench provides a simpler interface for creating and editing SCAP content.
scap-security-guide
scap-security-guide is a combined effort between Red Hat, our customers, and a number of government agencies to develop a common, manageable set of SCAP content for Red Hat Enterprise Linux. The project is actively working on USGCB content for Red Hat Enterprise Linux 6. You can use this content with a tool like OpenSCAP to audit your systems, or transform the content into formal security-hardening documentation. Our ambition is for this guidance to form the basis of the RHEL 6 SRG (STIG) for the DOD.
Aqueduct
Aqueduct is a Red Hat-sponsored project to create a common pool of bash scripts and puppet manifests that can be applied to many different security regimes at once. So, for instance, code that enforces a minimum password length can be used to satisfy either a DISA STIG requirement or a SAS-70 requirement. The project is known for its "STIG a RHEL box in 5 minutes" guide.
Certifiable Linux Implementation Platform (CLIP)
The CLIP tool, a project of Tresys, makes it simple to reconfigure machines to meet a variety of certification and accreditation regimes.

Communities

Communities that can help

gov-sec
The Red Hat-sponsored gov-sec community is a moderated mailing list for US government security professionals.
Military Open Source Working Group
Mil-OSS is a community of open source enthusiasts in the DOD. It is not affiliated with Red Hat in any way, but many Red Hat folks are active members. If you are interested in any of the information on this page, there's a good chance you'll enjoy this group. You can find more information on the Mil-OSS website.
Customer Portal
Red Hat customers have access to a great deal of security information, bulletins, and Knowledgebase articles through the Red Hat Customer Portal.
Your Red Hat account team
We're here to help, not just sell you things. Feel free to ask your local account executive or solutions architect if you have any questions about security, compliance, or configuration requirements.

Common Criteria

Common Criteria is an internationally recognized certification for information assurance products.

FAQs

Can I use a product if it's "in evaluation"?

Under NSTISSP #11, government customers must prefer products that have been certified using a US-approved protection profile. Failing that, you can use something certified under another profile. Failing that, you must ensure that the product is in evaluation. You can find a helpful explanation of the process here.

We've been through the Common Criteria process many times, so "in evaluation" is less uncertain than it might sound. When we're in evaluation, we're confident that we'll eventually receive the certification; it's just a matter of time. If you have any trouble getting a product approved while it's in evaluation, we'd be happy to speak with your DAA (Designated Approving Authority).

I'm worried about the timing of the certification. I need to deploy today!

Red Hat makes it as easy as possible for you to use the version of Red Hat® Enterprise Linux® that you're comfortable with. A subscription lets you use any version of the product as long as the subscription is current. So you can buy a subscription today, field on a currently certified version, and move to a more recent version once it's certified, at no additional cost.

Why can't I find your certification on the NIAP website?

Red Hat Enterprise Linux 6 was certified by BSI under the OS Protection Profile at EAL4+. Under the Common Criteria mutual recognition arrangements, this is equivalent to certification through NIAP. More information on mutual recognition can be found on the CCRA website, which includes a list of the member countries that recognize one another's evaluations.