Enable FIPS Mode

An XCCDF Rule

Description

OpenShift has an installation-time flag that can enable FIPS mode for the cluster. The flag fips: true must be enabled at install time in the install-config.yaml file. If this rule fails on an installed cluster, then this is a permanent finding and cannot be fixed.
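
Because a failure on an installed cluster cannot be fixed, the flag is worth checking before installation. The shell function below is an added example, not part of this rule or of OpenShift tooling; the name fips_enabled and the sample file are hypothetical, and it assumes that only a literal, unindented fips: true should pass.

```shell
#!/usr/bin/env bash
# Pre-install gate: succeed only if install-config.yaml sets top-level fips: true.
# Exit status of fips_enabled: 0 = enabled, 1 = absent or not literally true,
# 2 = file unreadable.
fips_enabled() {
    [ -r "$1" ] || return 2
    awk '
        # Only an unindented key is top-level; an indented "fips:" belongs
        # to a nested mapping and is ignored.
        /^fips[ \t]*:/ {
            val = $0
            sub(/^fips[ \t]*:[ \t]*/, "", val)  # drop the key
            sub(/[ \t]+#.*$/, "", val)          # drop a trailing comment
            sub(/[ \t\r]+$/, "", val)           # drop trailing whitespace or CR
            # Fail closed: quoted strings and other spellings do not count.
            found = (val == "true")
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample input (not a real cluster configuration).
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: v1
metadata:
  name: example-cluster
# fips: false
fips: true   # must be set before installation
EOF

if fips_enabled "$sample"; then
    echo "fips: true is set; safe to proceed with installation"
else
    echo "fips: true is NOT set; fix install-config.yaml before installing" >&2
fi
rm -f "$sample"
```

A commented-out key, a nested key of the same name, or a quoted value all count as not enabled, so the gate errs toward blocking the install.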

Warning

The system needs to be rebooted for these changes to take effect.

Regulatory Warning

This rule DOES NOT CHECK if the components of the operating system are FIPS certified. You can find the list of FIPS certified modules at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search. This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

ID: xccdf_org.ssgproject.content_rule_enable_fips_mode
Severity: High
References
Updated