Todd,

It's been a long time since I've traced the whole thing (hopefully 140-3 is clearer) but IIRC it came down to the assurance of the build process as certified by NIST.

Technically, your local security officer(s) can probably evaluate your entire local stack and waive that part of the requirement. However, they would probably have to coordinate with NIST directly to meet the 800-171/CNSSI 1253 requirements for NIST/NSA approved cryptography and I don't really see that working in reality.

Trevor

On Wed, Jan 6, 2021 at 10:13 AM Todd, Charles <ct...@ball.com> wrote:
> Trevor,
>
> That is most interesting. I fully understand a desire to only accept the
> certification on select hardware as choosing the wrong hardware (e.g. ARM
> with a different IP stack) might lack important key handling features like
> anti-tamper. I'm not sure I see why the compile-time **hardware** makes a
> significant difference, given the state of cross-compilers. I would think
> that the compile-time **software** would have the greatest influence as it
> is a direct vector for supply chain attacks.
>
> I've been skimming the FIPS 140-2 doc and the best I can see is that
> compile-time hardware is part of "Design Assurance" (Table 1 and section
> 4.10). All of the other documentation I can see refers to the operating
> environment or designing towards a particular (hostile) environment.
>
> I don't doubt that what you say is true given the list of unwritten rules
> most organizations have. I'm curious about the basis for such a rule. If
> you know and have time to educate, I would be most fascinated to understand
> the reasoning.
>
> Thanks,
> Charlie Todd
> CISSP, Ball Aerospace
>
> -----Original Message-----
> From: Trevor Vaughan <tvaug...@onyxpoint.com>
> Sent: Wednesday, January 6, 2021 9:51 AM
> To: SCAP Security Guide <scap-security-guide@lists.fedorahosted.org>
> Cc: Jeffrey Hawkins <rtswg...@hotmail.com>; Ted Brunell <tbrun...@redhat.com>
> Subject: [EXTERNAL] Re: Any rumors on next draft for RHEL 8 STIG from DISA?
>
> A note of clarification, for the FIPS certification, the hardware that the
> software is built on matters so re-rolling it yourself and/or the CentOS
> "binary compatible" rolls aren't part of the certified package.
>
> Do they meet the functional requirements....probably.
>
> Do they meet the legal requirements (NIST 800-53, etc...)....no.
>
> Trevor
>
> On Wed, Jan 6, 2021 at 9:51 AM Mark Thacker <mthac...@redhat.com> wrote:
> > Hello all,
> >
> > A few items of discussion here:
> >
> > 1. Red Hat validates the shipped crypto modules in RHEL itself.
> > CentOS Stream is the evolving next release of those same modules. However,
> > because CentOS Stream is a developer-focused, evolving project, Red Hat
> > will not be validating the CentOS Stream modules themselves. Any issues,
> > bugs, functional or security problems discovered in CentOS Stream
> > (including the crypto modules) would indeed be filed as bugs, and addressed
> > in CentOS and RHEL.
> >
> > 2. While OpenSCAP and the profiles we build will be included in
> > CentOS Stream, they are treated as upstream from a support perspective. Our
> > work flow still starts with the Compliance As Code GIT repository upstream,
> > through CentOS Stream and into RHEL.
> >
> > 3. To be clear, code modifications and changes required to obtain
> > certifications such as FIPS and Common Criteria will certainly be reflected
> > in CentOS Stream (as all changes are, with the exception of embargoed
> > content). But the certifications themselves will only ever be done on
> > RHEL itself as that is the stable, long term supported release.
> >
> > On 1/5/21 5:30 PM, Jeffrey Hawkins wrote:
> > > Hi Mark,
> > >
> > > Related topic....
> > >
> > > Do you know if the FIPS Software Modules/Libraries that
> > > RedHat certifies RHEL8.x will be included in CENTOS Stream (similar to
> > > existing CENTOS approach), or will CENTOS Stream have different Crypto
> > > Software?
> > >
> > > Also, any nuances or strategy changes we may need to be
> > > aware of as to OpenScap and Benchmarks for CENTOS Stream?
> > >
> > > Jeff
> > >
> > > ________________________________
> > > From: Mark Thacker <mthac...@redhat.com>
> > > Sent: Sunday, December 27, 2020 8:05 AM
> > > To: SCAP Security Guide <scap-security-guide@lists.fedorahosted.org>; Ted Brunell <tbrun...@redhat.com>
> > > Subject: Re: Any rumors on next draft for RHEL 8 STIG from DISA?
> > >
> > > Hi all,
> > >
> > > An update:
> > >
> > > * RHEL 8 Common Criteria is in process and we expect to
> > > complete and announce in EARLY Q1 CY2021
> > >
> > > * RHEL 8 FIPS is finishing now! Actually, two of our certs
> > > are in hand now for RHEL 8 with three more in the final stages (in
> > > Coordination state). We expect to push a press release when we have all of
> > > the module validation certificates completed.
> > >
> > > Again, expect that we will announce more publicly when we
> > > have completed the certifications for each of these standards.
> > >
> > > On 12/2/20 4:30 PM, Ted Brunell wrote:
> > > > I cannot really talk much about CC and FIPS, but
> > > > the STIG is expected to be published by DISA (based on the draft STIG
> > > > content on RHEL 8.2 and 8.3) sometime early next year.
> > > >
> > > > DISA may be able to provide a more concise
> > > > timeframe. (disa.stig_...@mail.mil).
> > > >
> > > > R/
> > > > Ted Brunell
> > > >
> > > > On Wed, Dec 2, 2020 at 12:14 PM Hayden,Robert <rhay...@cerner.com> wrote:
> > > > > Curious on if anyone has any information
> > > > > on the next draft release from DISA on RHEL 8 STIG benchmarks? The one in
> > > > > May was pretty rough and did not really match where the current upstream
> > > > > was moving towards.
> > > > >
> > > > > Thanks in advance
> > > > > Robert
> > > > >
> > > > > Robert Hayden | Lead Technology Architect | Cerner Corporation
> > >
> > > --
> > > Mark Thacker
> > > He/Him
> > > Team Lead & Security Experience Product Manager, Red Hat Enterprise Linux
> >
> > --
> > Mark Thacker
> > He/Him
> > Team Lead & Security Experience Product Manager, Red Hat Enterprise Linux
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
_______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org