The Installed Operating System Is FIPS 140-2 Certified

An XCCDF Rule

Description

To enable processing of sensitive information the operating system must provide certified cryptographic modules compliant with FIPS 140-2 standard. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for maintaining government certifications and standards.

warning alert: Warning

There is no remediation besides switching to a different operating system.

warning alert: Regulatory Warning

System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Rationale

The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2) is a computer security standard. The standard specifies security requirements for cryptographic modules used to protect sensitive unclassified information. Refer to the full FIPS 140-2 standard at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf for further details on the requirements. FIPS 140-2 validation is required by U.S. law when information systems use cryptography to protect sensitive government information. In order to achieve FIPS 140-2 certification, cryptographic modules are subject to extensive testing by independent laboratories, accredited by National Institute of Standards and Technology (NIST).

ID: xccdf_org.ssgproject.content_rule_installed_OS_is_FIPS_certified
Severity: High
References: CCI-000803 CCI-002450

CIP-003-8 R4.2 CIP-007-3 R5.1

CM-6(a) IA-7 SC-12 SC-12(2) SC-12(3) SC-13

CCE-80657-0
Updated: about 1 year ago