Red Hat is committed to making your certification and accreditation process as easy as possible. The resources below should help you comply with a variety of government requirements.
|Product||Version||Assurance level||Protection profile / configuration||Status|
|JBoss® Enterprise Application Platform||4.3||EAL2||--||Evaluated|
|JBoss Enterprise Application Platform||5||EAL4+||--||Evaluated|
|Red Hat JBoss Enterprise Application Platform||6.2||EAL4+||--||Evaluated|
|MetaMatrix Data Services Platform||5.5.3||EAL2+||--||Evaluated|
|Red Hat Certificate System||6||EAL4+||CIMC||Evaluated|
|Red Hat Certificate System||8.1||EAL4+||CIMC||Evaluated|
|Red Hat Enterprise Linux||4||EAL3+||CAPP||Evaluated|
|Red Hat Enterprise Linux||4||EAL4+||CAPP||Evaluated|
|Red Hat Enterprise Linux||5||EAL4+||CAPP/RBACPP/LSPP||Evaluated|
|Red Hat Enterprise Linux||5||EAL4+||with KVM virtualization||Evaluated|
|Red Hat Enterprise Linux||6||EAL4+||OSPP, including Labeled Security, Advanced Audit, Advanced Management, and Virtualization Extended Modules||Evaluated|
|Red Hat Enterprise Linux||6||EAL4+||OSPP, including Labeled Security, Advanced Audit, Advanced Management||Evaluated|
|Red Hat Enterprise Linux||6||EAL4+||32-bit. OSPP, including Advanced Audit.||Evaluated|
|Red Hat Enterprise Linux||7||EAL4+||OSPP v2.0||Evaluated|
|Red Hat Enterprise Linux||7||EAL4+||OSPP v3.9||In Evaluation|
Federal Information Processing Standard (FIPS) 140-2 is the NIST standard for cryptographic modules. A module validated under the Cryptographic Module Validation Program (CMVP) has been tested to implement its approved algorithms correctly and to meet the requirements of its claimed security level. A validation is tied to the exact module version and the operating environments listed on the certificate, so check that the version you deploy (and, for Level 2, the Common Criteria-evaluated operating system the module requires) matches the certificate. There are a number of FIPS 140-2-related articles in the Red Hat Customer Portal, and the complete list of FIPS 140-2 certificates is on the NIST CMVP website. The Red Hat certificates are below.
|Product||Module||Module version||CMVP certificate||Status|
|Red Hat Enterprise Linux 4||NSS||3.11.4||#815||Certified, Level 1|
|Red Hat Enterprise Linux 4||NSS||3.11.4||#814||Certified, Level 2|
|Red Hat Enterprise Linux 4||NSS (Freebl)||3.12.4||#1293||Certified, Level 1|
|Red Hat Enterprise Linux 4||NSS||3.12.4||#1280||Certified, Level 2|
|Red Hat Enterprise Linux 5||Kernel Cryptographic API||1.0||#1387||Certified, Level 1|
|Red Hat Enterprise Linux 5||libgcrypt||1.0||#1305||Certified, Level 1|
|Red Hat Enterprise Linux 5||NSS||3.11.4||#815||Certified, Level 1|
|Red Hat Enterprise Linux 5||NSS||3.11.4||#814||Certified, Level 2|
|Red Hat Enterprise Linux 5||NSS (Freebl)||3.12.4||#1293||Certified, Level 1|
|Red Hat Enterprise Linux 5||NSS||3.12.4||#1280||Certified, Level 2|
|Red Hat Enterprise Linux 5||OpenSSH Client||1.0||#1385||Certified, Level 1|
|Red Hat Enterprise Linux 5||OpenSSH Server||1.0||#1384||Certified, Level 1|
|Red Hat Enterprise Linux 5||OpenSSL||1.0||#1320||Certified, Level 1|
|Red Hat Enterprise Linux 5||Openswan||1.0||#1386||Certified, Level 1|
|Red Hat Enterprise Linux 6||Kernel Cryptographic API||2.0||#1901||Certified, Level 1|
|Red Hat Enterprise Linux 6||Disk Volume Cryptographic API||2.0||#1933||Certified, Level 1|
|Red Hat Enterprise Linux 6||libgcrypt||2.0||#1757||Certified, Level 1|
|Red Hat Enterprise Linux 6||OpenSSH Client||2.0||#1791||Certified, Level 1|
|Red Hat Enterprise Linux 6||OpenSSH Server||2.0||#1792||Certified, Level 1|
|Red Hat Enterprise Linux 6||OpenSSL||2.0||#1758||Certified, Level 1|
|Red Hat Enterprise Linux 6||Openswan||2.0||#1859||Certified, Level 1|
|Red Hat Enterprise Linux 6||NSS (Freebl)||22.214.171.124||#1710||Certified, Level 1|
|Red Hat Enterprise Linux 6||NSS||126.96.36.199||#1837||Certified, Level 1|
|Red Hat Enterprise Linux 6||OpenSSL||3.0||#2441||Certified, Level 1|
|Red Hat Enterprise Linux 6||OpenSSH Server||3.0||#2446||Certified, Level 1|
|Red Hat Enterprise Linux 6||OpenSSH Client||3.0||#2447||Certified, Level 1|
|Red Hat Enterprise Linux 6||NSS||3.14.3-22||#2564||Certified, Level 2|
|Red Hat Enterprise Linux 6||Kernel Cryptographic API||3.0||#2582||Certified, Level 1|
|Red Hat Enterprise Linux 7||OpenSSL||4.0||#2441||Certified, Level 1|
|Red Hat Enterprise Linux 7||OpenSSH Server||4.0||#2630||Certified, Level 1|
|Red Hat Enterprise Linux 7||OpenSSH Client||4.0||#2633||Certified, Level 1|
|Red Hat Enterprise Linux 7||libgcrypt||4.0||#2657||Certified, Level 1|
|Red Hat Enterprise Linux 7||NSS||4.0||#2711||Certified, Level 1|
|Red Hat Enterprise Linux 7||Libreswan||4.0||#2721||Certified, Level 1|
|Red Hat Enterprise Linux 7||Kernel Cryptographic API||4.0||#2742||Certified, Level 1|
|Red Hat Enterprise Linux 7||Kernel Cryptographic API with CPACF||4.0||#2798||Certified, Level 1|
|Red Hat Enterprise Linux 7||GnuTLS||4.0||#2780||Certified, Level 1|
Red Hat Enterprise Linux 5 and 6 are both certified under USGv6, which has replaced the Department of Defense (DOD) Internet Protocol version 6 (IPv6) requirements.
IPv6 Ready logo phase 2
|Capability||RHEL 5.3 or later||RHEL 6.0 or later|
|Core Protocols: Host||Certified||Certified|
|Core Protocols: Router||Certified|
|Capability||RHEL 5.6 or later||RHEL 6.0 or later|
|Basic (Conf: v1.2, IOP: v1.1)||Certified||Certified|
|SLAAC (Conf: v1.1, IOP: v1.1)||Certified||Certified|
|Addr Arch (Conf: v1.2, IOP: v1.1)||Certified||Certified|
|ESP (Conf: v1.0, IOP: v1.1)||Certified|
|IKEv2 (Conf: v1.1, IOP: v2.0)||Certified|
|IPSECv3 (Conf: v1.2, IOP: v1.2)||Certified|
Every DOD system must meet the applicable STIG requirements before it is fielded. Below you'll find a list of guidance documents that can help you meet those requirements.
|Product||Guidance||Status|
|JBoss Enterprise Application Platform 4||--||--|
|JBoss Enterprise Application Platform 5||The NIST NVD JBoss checklist is the basis of the future STIG.||Draft. See the "SCAP Security Guide" section.|
|Red Hat JBoss Enterprise Application Platform 6||--||In development. See the "SCAP Security Guide" section.|
|Red Hat Enterprise Linux 4||Use the RHEL 5 draft guidance. Either guidance will require additional work.||Final|
|Red Hat Enterprise Linux 5||http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx||Draft|
|Red Hat Enterprise Linux 6||--||See the "SCAP Security Guide" section.|
Federal Information Security Management Act (FISMA)
All federal agencies must comply with FISMA, and Red Hat works to make that process as simple as possible. Reviewing the USGCB content is a great place to start.
FedRAMP is a variant of the FISMA process for cloud providers. Just like FISMA, USGCB is a great place to start for compliance questions. You may also be interested in talking with Red Hat about our Certified Cloud Provider Program.
ICD 503 / CNSSI 1253, DOD Instruction 8500.2
Intelligence Community Directive 503 describes a system for accrediting national security systems. Similarly, DOD Instruction 8500.2 describes the requirements for defense systems. Guidance on meeting ICD 503 (and therefore the NIST SP 800-53 controls it draws on) can be found in the SCAP Security Guide project.
NISPOM Chapter 8
You can find guidance on meeting Chapter 8 requirements in the National Industrial Security Program Operating Manual (NISPOM) Chapter 8 Knowledgebase article.
Section 508 accessibility
Section 508 requires that government agencies ensure that their software is accessible by those with disabilities. Red Hat supports these requirements with the completed Voluntary Product Accessibility Templates below.
|Product||Version||VPAT|
|Red Hat Enterprise Linux||4||VPAT for RHEL 4|
|Red Hat Enterprise Linux||5||VPAT for RHEL 5|
|Red Hat Enterprise Linux||6||VPAT for RHEL 6|
|Red Hat Enterprise Linux||7||VPAT for RHEL 7|
|Red Hat Network Satellite Server||5||VPAT for RHN Satellite Server 5|
|Red Hat Network Satellite Server||6||VPAT for RHN Satellite Server 6|
|Red Hat JBoss Enterprise Application Platform||6||VPAT for JBoss EAP 6.0|
|Red Hat OpenShift||3||Red Hat OpenShift 3|
|Red Hat CloudForms||3||Red Hat CloudForms 3|
|Red Hat Gluster Storage||3||Red Hat Gluster Storage 3|
US Army Certificate of Networthiness
Army Networthiness (NW) provides an operational assessment of all systems, applications, and devices to determine supportability, sustainability, interoperability, and compliance with federal, DOD, and Army regulations and mandates. Army Regulation AR 25-1, paragraph 6-3(c), states that all activities must obtain a Certificate of Networthiness (CON) before connecting hardware or software to the LandWarNet (LWN).
The Army NW determines whether an application or system is capable or worthy to go on the Army's enterprise network and helps the Army reach its goal of establishing a standard baseline by establishing and utilizing enterprise license agreements.
NW was developed to prevent unmanaged deployments of software and hardware. It also serves as a way of ensuring that applications and hardware that connect to LWN are interoperable and will not damage other systems on the network by introducing new threats.
Networthiness certification applies to all organizations fielding, using, or managing IT assets on the LandWarNet:
- All applications (including COTS)
- All Government Off-the-Shelf (GOTS) software
- All web services
- Collaboration tools and services
- Tactical systems
- New, legacy, and fielded systems
A list of software with approved CONs is identified on the Army's Networthiness Program website (AKO login required).
The USGCB provides a minimum security configuration for software products. Red Hat has worked closely with various US government agencies on this guidance, which provides an excellent starting point for agency- and program-specific guidance.
|Product||Content||Status|
|Red Hat Enterprise Linux 5||USGCB content and configuration tools are available from NIST.||Draft|
|Red Hat Enterprise Linux 6||Content is being actively developed in the Fedora scap-security-guide project.||In development|
Security Content Automation Protocol (SCAP)
SCAP is a NIST standard for expressing configuration requirements and the checks for them in machine-readable form. You provide SCAP content (typically an XCCDF benchmark with its OVAL checks) to an SCAP scanner, which audits your systems against it and reports compliance per rule. The OpenSCAP tool ships with Red Hat Enterprise Linux 5 and 6, and you can find our SCAP content listed in the US Government Configuration Baseline section of this page.
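An SCAP scan is only useful if someone reads the result, so a common next step is to post-process the XCCDF results file that the scanner writes and turn it into a go/no-go decision. The script below is an added example, not code from the original page or from the OpenSCAP project. It parses the XCCDF 1.2 result document that `oscap xccdf eval --results` produces; the content path and profile id quoted in its comment are assumptions, and the embedded sample result is constructed with placeholder rule ids.

```python
"""Summarize an OpenSCAP XCCDF results file and decide whether it passes a gate.

Added example (not from the page or the OpenSCAP project).  It reads the
XCCDF 1.2 result document written by a command of this form (content path
and profile id are assumptions; check what your scap-security-guide ships):

  oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig
        --results results.xml --report report.html
        /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Results that are not evaluated rules: the rule was not run, or has no
# pass/fail meaning on this host.  Counting them as passes is the classic
# way to produce a falsely clean report.
NOT_EVALUATED = {"notapplicable", "notselected", "notchecked", "informational"}
# Results that should block a release.
BAD = {"fail", "error", "unknown"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample in the shape oscap writes; the rule ids are placeholders.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult" start-time="2015-01-01T00:00:00">
    <profile idref="xccdf_org.ssgproject.content_profile_stig"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_audit_argument" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low">
      <result>notselected</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_check" severity="high">
      <result>error</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def summarize(xml_text):
    """Return the profile id, per-result counts, evaluated count and failing rules."""
    root = ET.fromstring(xml_text)
    # oscap nests the TestResult inside the Benchmark; a bare TestResult is also valid.
    test_result = root if root.tag.endswith("}TestResult") else root.find("x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no TestResult element: not an XCCDF results file")
    profile = test_result.find("x:profile", XCCDF_NS)
    counts = Counter()
    failed = []
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS).strip()
        counts[result] += 1
        if result in BAD:
            failed.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    evaluated = sum(n for r, n in counts.items() if r not in NOT_EVALUATED)
    return {
        "profile": profile.get("idref") if profile is not None else None,
        "counts": dict(counts),
        "evaluated": evaluated,
        "failed": failed,
    }


def passes_gate(summary):
    """Gate decision: refuse an empty scan and any fail/error, whatever the severity."""
    if summary["evaluated"] == 0:
        return False, "no rules were evaluated (wrong profile id or empty content?)"
    if summary["failed"]:
        worst = max(summary["failed"], key=lambda f: SEVERITY_RANK.get(f[1], 0))
        return False, "%d rule(s) failed; highest severity: %s (%s)" % (
            len(summary["failed"]), worst[1], worst[0])
    return True, "all %d evaluated rules passed" % summary["evaluated"]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    s = summarize(text)
    ok, reason = passes_gate(s)
    print("profile:", s["profile"])
    print("counts: ", s["counts"])
    for rule_id, severity, result in s["failed"]:
        print("  %-8s %-7s %s" % (result, severity, rule_id))
    print("GATE:", "PASS" if ok else "FAIL", "-", reason)
    sys.exit(0 if ok else 1)
```

Run it with the path to a real results file, or with no argument to see the constructed sample; the exit status makes it usable directly in a build or provisioning pipeline. The two deliberate design points are that `notapplicable`/`notselected` rules are excluded from the evaluated count rather than treated as passes, and that a scan with zero evaluated rules fails the gate, since that is what a mistyped profile id looks like.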
Open Vulnerability and Assessment Language (OVAL)
OVAL is a standard, machine-readable language for describing the state of a system, used to express vulnerability and patch checks in a uniform way. Red Hat helped found the standard in 2002, and Red Hat Product Security publishes OVAL definitions for every Red Hat security advisory. For more information, please see Red Hat Product Security's OVAL FAQ.
Common Vulnerabilities and Exposures (CVE)
CVE provides a common identifier for known flaws in software. The CVE list is administered by MITRE. When a CVE affects a Red Hat product, Red Hat publishes a statement for it with information on the impact and on how to fix that vulnerability. For more information, please see "How do I know if a CVE name affects a Red Hat Enterprise Linux package?" in the Red Hat Customer Portal.
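The OVAL definitions mentioned above are the machine-readable answer to the "does this CVE affect my package?" question, since each definition names the advisory, the affected platforms and the package versions that carry the fix. The script below is an added example serving both the OVAL and CVE sections; it is not code from the original page or from Red Hat Product Security. Its element layout follows the Red Hat OVAL definitions feed, but every advisory id, CVE id and package version in the embedded sample is a constructed placeholder, and the `oscap oval eval` command in its comment is an assumed invocation.

```python
"""Look up which advisory fixes a CVE using Red Hat-style OVAL definitions.

Added example (not from the page or Red Hat Product Security).  The element
layout mirrors the Red Hat OVAL definitions feed; all ids and versions in
SAMPLE_OVAL are constructed placeholders.  To evaluate a host against the
real feed instead of merely reading it, the assumed invocation is:

  oscap oval eval --results oval-results.xml com.redhat.rhsa-all.xml
"""
import re
import sys
import xml.etree.ElementTree as ET

NS = {"o": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Red Hat's patch definitions state the fixed version in the criterion
# comment, e.g. "openssl is earlier than 1:1.0.1e-42.el7_1.4".
FIXED_RE = re.compile(r"^(?P<pkg>\S+) is earlier than (?P<evr>\S+)$")

# Constructed sample: two placeholder advisories for one CVE on two platforms.
SAMPLE_OVAL = """<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition class="patch" id="oval:com.redhat.rhsa:def:20150000" version="601">
      <metadata>
        <title>RHSA-2015:0000: openssl security update (Moderate)</title>
        <affected family="unix"><platform>Red Hat Enterprise Linux 7</platform></affected>
        <reference ref_id="RHSA-2015:0000" source="RHSA"/>
        <reference ref_id="CVE-2015-0000" source="CVE"/>
        <reference ref_id="CVE-2015-0001" source="CVE"/>
        <advisory from="secalert@redhat.com"><severity>Moderate</severity><issued date="2015-03-19"/></advisory>
      </metadata>
      <criteria operator="AND">
        <criterion comment="Red Hat Enterprise Linux 7 is installed" test_ref="oval:com.redhat.rhsa:tst:20150000001"/>
        <criteria operator="OR">
          <criterion comment="openssl is earlier than 1:1.0.1e-42.el7_1.4" test_ref="oval:com.redhat.rhsa:tst:20150000002"/>
          <criterion comment="openssl-libs is earlier than 1:1.0.1e-42.el7_1.4" test_ref="oval:com.redhat.rhsa:tst:20150000003"/>
        </criteria>
      </criteria>
    </definition>
    <definition class="patch" id="oval:com.redhat.rhsa:def:20150001" version="601">
      <metadata>
        <title>RHSA-2015:0001: openssl security update (Important)</title>
        <affected family="unix"><platform>Red Hat Enterprise Linux 6</platform></affected>
        <reference ref_id="RHSA-2015:0001" source="RHSA"/>
        <reference ref_id="CVE-2015-0000" source="CVE"/>
        <advisory from="secalert@redhat.com"><severity>Important</severity><issued date="2015-03-19"/></advisory>
      </metadata>
      <criteria operator="AND">
        <criterion comment="Red Hat Enterprise Linux 6 is installed" test_ref="oval:com.redhat.rhsa:tst:20150001001"/>
        <criterion comment="openssl is earlier than 0:1.0.1e-30.el6_6.7" test_ref="oval:com.redhat.rhsa:tst:20150001002"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>
"""


def advisories_for_cve(xml_text, cve_id, platform=None):
    """Return the patch definitions that reference cve_id, optionally filtered by platform.

    Each hit carries the advisory id, severity, platforms and a mapping of
    package name -> fixed EVR pulled from the criterion comments.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for d in root.findall("o:definitions/o:definition", NS):
        md = d.find("o:metadata", NS)
        if md is None:
            continue
        refs = md.findall("o:reference", NS)
        if cve_id not in {r.get("ref_id") for r in refs if r.get("source") == "CVE"}:
            continue
        platforms = [p.text for p in md.findall("o:affected/o:platform", NS)]
        if platform is not None and not any(platform in p for p in platforms):
            continue
        fixed = {}
        for c in d.iterfind(".//o:criterion", NS):
            m = FIXED_RE.match(c.get("comment", ""))
            if m:
                fixed[m.group("pkg")] = m.group("evr")
        hits.append({
            "definition": d.get("id"),
            "advisory": next((r.get("ref_id") for r in refs if r.get("source") == "RHSA"), None),
            "severity": md.findtext("o:advisory/o:severity", default="unknown", namespaces=NS),
            "platforms": platforms,
            "fixed_in": fixed,
        })
    return hits


if __name__ == "__main__":
    cve = sys.argv[1] if len(sys.argv) > 1 else "CVE-2015-0000"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_OVAL
    for h in advisories_for_cve(text, cve):
        print("%s  %-9s %s" % (h["advisory"], h["severity"], ", ".join(h["platforms"])))
        for pkg, evr in sorted(h["fixed_in"].items()):
            print("    %s >= %s" % (pkg, evr))
```

Invoke it as `python oval_lookup.py CVE-XXXX-NNNN com.redhat.rhsa-all.xml` against the downloaded feed. Reading the definition tells you the advisory and fixed version; whether a given host is actually vulnerable still requires evaluating the definition's tests against the installed RPM database, which is what `oscap oval eval` does.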
Information Assurance Vulnerability Alerts (IAVA)
IAVAs are DISA's vulnerability notices for the DOD; like CVEs they identify specific flaws, but they also carry instructions and deadlines for DOD personnel to secure their systems. Each IAVA maps to one or more CVEs, so DISA's IAVM-to-CVE mapping is very helpful for relating IAVA taskings to Red Hat advisories.
- OpenSCAP: a tool for running SCAP content. The project is the upstream for the openscap tool that ships in Red Hat Enterprise Linux.
- SCAP Workbench: a graphical front end that provides a simpler interface for creating and editing SCAP content.
- scap-security-guide: a combined effort between Red Hat, our customers, and a number of government agencies to develop a common, manageable set of SCAP content for Red Hat Enterprise Linux. The project is actively working on USGCB content for Red Hat Enterprise Linux 6. You can use this content with a tool like OpenSCAP to audit your systems, or transform the content into formal security-hardening documentation. Our ambition is for this guidance to form the basis of the RHEL 6 SRG (STIG) for the DOD.
- Aqueduct: a Red Hat-sponsored project to create a common pool of bash scripts and Puppet manifests that can be applied to many different security regimes at once. For instance, code that enforces a minimum password length can satisfy either a DISA STIG requirement or a SAS-70 requirement. The project is known for its "STIG a RHEL box in 5 minutes" guide.
- Certifiable Linux Implementation Platform (CLIP): a Tresys project that makes it simple to reconfigure machines to meet a variety of certification and accreditation regimes.
- gov-sec: the Red Hat-sponsored gov-sec community is a moderated mailing list for US government security professionals.
- Military Open Source Working Group (Mil-OSS): a community of open source enthusiasts in the DOD. It is not affiliated with Red Hat in any way, but many Red Hat folks are active members. If you are interested in any of the information on this page, there's a good chance you'll enjoy this group. You can find more information on the Mil-OSS website.
- Customer Portal: Red Hat customers have access to a great deal of security information, bulletins, and Knowledgebase articles through the Red Hat Customer Portal.
- Your Red Hat account team: we're here to help, not just sell you things. Feel free to ask your local account executive or solutions architect if you have any questions about security, compliance, or configuration requirements.
What is Common Criteria?
Common Criteria (CC) is an international standard (ISO/IEC 15408) for evaluating and certifying the security of IT products. A Protection Profile defines the security functionality a class of product must provide (for example, the operating system protection profiles listed in the Common Criteria table above), and an evaluation shows that a specific product, in a specific configuration, meets it. Established by governments, the Common Criteria Recognition Arrangement has been signed by 26 countries, each of which recognizes the others' certifications.
In the U.S., Common Criteria is handled by the National Information Assurance Partnership (NIAP). Other countries have their own CC authorities. Each authority accredits CC labs, which do the actual work of evaluating products. Once the authority certifies a product, based on the evidence from the lab and the vendor, that certification is recognized by the other CCRA signatories.
Each certification carries an Evaluation Assurance Level (EAL), which describes how rigorously the product was examined, not how secure the product is: an EAL4 evaluation gives more confidence than an EAL2 evaluation that the product does what its security target claims. Attention is usually given to the assurance level rather than to what, specifically, is being assured, which is defined by the Protection Profile and the security target, so read those as well.
A CC certification covers a very specific set of software and hardware configurations. Software versions and hardware models and versions matter, because any difference from the evaluated configuration falls outside the certification.