Another FIPS thing that is subtle but may come in late in your purchase cycle 
to bite you is:
Is the supervisory module of a server FIPS-compliant?
This is a board with its own processor and memory.

For example, HPE's iLO4: 
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2574.pdf

It matters for both setup (at beginning of use) and sanitizing (at end of use).

Regards, Scott
--
Scott Packard | Sr Principal Engr Comm Systems
Northrop Grumman Corporation | Space Systems 
O: 626-812-1703 | scott.pack...@ngc.com | email2text: 6262200...@usamobility.net


-----Original Message-----
From: Todd, Charles <ct...@ball.com> 
Sent: Wednesday, January 6, 2021 7:13 AM
To: SCAP Security Guide <scap-security-guide@lists.fedorahosted.org>
Cc: Jeffrey Hawkins <rtswg...@hotmail.com>; Ted Brunell <tbrun...@redhat.com>
Subject: EXT :RE: [EXTERNAL] Re: Any rumors on next draft for RHEL 8 STIG from DISA?

Trevor,
That is most interesting.  I fully understand a desire to only accept the 
certification on select hardware as choosing the wrong hardware (e.g. ARM with 
a different IP stack) might lack important key handling features like 
anti-tamper.  I'm not sure I see why the compile-time **hardware** makes a 
significant difference, given the state of cross-compilers.  I would think that 
the compile-time **software** would have the greatest influence as it a direct 
vector for supply chain attacks.
I've been skimming the FIPS 140-2 doc and the best I can see is that 
compile-time hardware is part of "Design Assurance" (Table 1 and section 4.10). 
All of the other documentation I can see refers to the operating environment 
or designing towards a particular (hostile) environment.

I don't doubt that what you say is true given the list of unwritten rules most 
organizations have.  I'm curious about the basis for such a rule.  If you know 
and have time to educate, I would be most fascinated to understand the 
reasoning.

Thanks,
Charlie Todd
CISSP, Ball Aerospace

-----Original Message-----
From: Trevor Vaughan <tvaug...@onyxpoint.com>
Sent: Wednesday, January 6, 2021 9:51 AM
To: SCAP Security Guide <scap-security-guide@lists.fedorahosted.org>
Cc: Jeffrey Hawkins <rtswg...@hotmail.com>; Ted Brunell <tbrun...@redhat.com>
Subject: [EXTERNAL] Re: Any rumors on next draft for RHEL 8 STIG from DISA?

A note of clarification: for the FIPS certification, the hardware that the 
software is built on matters, so re-rolling it yourself and/or the CentOS 
"binary compatible" rolls aren't part of the certified package.

Do they meet the functional requirements... probably.

Do they meet the legal requirements (NIST 800-53, etc.)... no.

Trevor


On Wed, Jan 6, 2021 at 9:51 AM Mark Thacker <mthac...@redhat.com> wrote:


        Hello all,

        A few items of discussion here:

        1. Red Hat validates the shipped crypto modules in RHEL itself. CentOS 
        Stream is the evolving next release of those same modules. However, 
        because CentOS Stream is a developer-focused, evolving project, Red Hat 
        will not be validating the CentOS Stream modules themselves. Any issues, 
        bugs, functional or security problems discovered in CentOS Stream 
        (including the crypto modules) would indeed be filed as bugs, and 
        addressed in CentOS and RHEL.

        2. While OpenSCAP and the profiles we build will be included in CentOS 
        Stream, they are treated as upstream from a support perspective. Our 
        workflow still starts with the Compliance As Code GIT repository 
        upstream, through CentOS Stream and into RHEL.

        3. To be clear, code modifications and changes required to obtain 
        certifications such as FIPS and Common Criteria will certainly be 
        reflected in CentOS Stream (as all changes are, with the exception of 
        embargoed content).  But the certifications themselves will only ever 
        be done on RHEL itself as that is the stable, long term supported 
        release.

        On 1/5/21 5:30 PM, Jeffrey Hawkins wrote:

                Hi Mark,

                Related topic...

                Do you know if the FIPS Software Modules/Libraries that Red Hat 
                certifies for RHEL 8.x will be included in CentOS Stream (similar 
                to the existing CentOS approach), or will CentOS Stream have 
                different Crypto Software?  Also, any nuances or strategy changes 
                we may need to be aware of as to OpenSCAP and Benchmarks for 
                CentOS Stream?

                Jeff

________________________________

                From: Mark Thacker <mthac...@redhat.com>
                Sent: Sunday, December 27, 2020 8:05 AM
                To: SCAP Security Guide <scap-security-guide@lists.fedorahosted.org>; Ted Brunell <tbrun...@redhat.com>
                Subject: Re: Any rumors on next draft for RHEL 8 STIG from DISA?

                Hi all,

                An update:

                * RHEL 8 Common Criteria is in process and we expect to 
                complete and announce in EARLY Q1 CY2021

                * RHEL 8 FIPS is finishing now! Actually, two of our certs are 
                in hand now for RHEL 8 with three more in the final stages (in 
                Coordination state). We expect to push a press release when we 
                have all of the module validation certificates completed.

                Again, expect that we will announce more publicly when we have 
                completed the certifications for each of these standards.

                On 12/2/20 4:30 PM, Ted Brunell wrote:

                        I cannot really talk much about CC and FIPS, but the 
                        STIG is expected to be published by DISA (based on the 
                        draft STIG content on RHEL 8.2 and 8.3) sometime early 
                        next year.

                        DISA may be able to provide a more concise timeframe 
                        (disa.stig_...@mail.mil).


                        R/

                        Ted Brunell

                        On Wed, Dec 2, 2020 at 12:14 PM Hayden,Robert <rhay...@cerner.com> wrote:

                                Curious if anyone has any information on the 
                                next draft release from DISA on RHEL 8 STIG 
                                benchmarks?  The one in May was pretty rough and 
                                did not really match where the current upstream 
                                was moving towards.

                                Thanks in advance

                                Robert

                                Robert Hayden | Lead Technology Architect | Cerner Corporation

                                _______________________________________________
                                scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
                                To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
                                Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
                                List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
                                List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org

                -- 

                Mark Thacker

                He/Him

                Team Lead & Security Experience Product Manager, Red Hat Enterprise Linux

                Red Hat <https://www.redhat.com>

                mthac...@redhat.com
                M: +1-214-636-7004     Twitter / IRC: @thackman

-- 

Trevor Vaughan
Vice President, Onyx Point, Inc

(410) 541-6699 x788

