A note of clarification: for the FIPS certification, the hardware that the software is built on matters, so re-rolling it yourself and/or the CentOS "binary compatible" rolls aren't part of the certified package.

Do they meet the functional requirements....probably.

Do they meet the legal requirements (NIST 800-53, etc...)....no.

Trevor

On Wed, Jan 6, 2021 at 9:51 AM Mark Thacker <[email protected]> wrote:

> Hello all,
>
> A few items of discussion here:
>
> 1. Red Hat validates the shipped crypto modules in RHEL itself. CentOS Stream is the evolving next release of those same modules. However, because CentOS Stream is a developer-focused, evolving project, Red Hat will not be validating the CentOS Stream modules themselves. Any issues, bugs, functional or security problems discovered in CentOS Stream (including the crypto modules) would indeed be filed as bugs, and addressed in CentOS and RHEL.
>
> 2. While OpenSCAP and the profiles we build will be included in CentOS Stream, they are treated as upstream from a support perspective. Our work flow still starts with the Compliance As Code GIT repository upstream, through CentOS Stream and into RHEL.
>
> 3. To be clear, code modifications and changes required to obtain certifications such as FIPS and Common Criteria will certainly be reflected in CentOS Stream (as all changes are, with the exception of embargoed content). But the certifications themselves will only ever be done on RHEL itself as that is the stable, long term supported release.
>
> On 1/5/21 5:30 PM, Jeffrey Hawkins wrote:
>
> Hi Mark,
>
> Related topic....
>
> Do you know if the FIPS Software Modules/Libraries that RedHat certifies RHEL8.x will be included in CENTOS Stream (similar to existing CENTOS approach), or will CENTOS Stream have different Crypto Software?
>
> Also, any nuances or strategy changes we may need to be aware of as to OpenScap and Benchmarks for CENTOS Stream?
>
> Jeff
>
> ------------------------------
> *From:* Mark Thacker <[email protected]>
> *Sent:* Sunday, December 27, 2020 8:05 AM
> *To:* SCAP Security Guide <[email protected]>; Ted Brunell <[email protected]>
> *Subject:* Re: Any rumors on next draft for RHEL 8 STIG from DISA?
>
> Hi all,
>
> An update:
>
> * RHEL 8 Common Criteria is in process and we expect to complete and announce in EARLY Q1 CY2021
>
> * RHEL 8 FIPS is finishing now! Actually, two of our certs are in hand now for RHEL 8 with three more in the final stages (in Coordination state). We expect to push a press release when we have all of the module validation certificates completed.
>
> Again, expect that we will announce more publicly when we have completed the certifications for each of these standards.
>
> On 12/2/20 4:30 PM, Ted Brunell wrote:
>
> I cannot really talk much about CC and FIPS, but the STIG is expected to be published by DISA (based on the draft STIG content on RHEL 8.2 and 8.3) sometime early next year.
>
> DISA may be able to provide a more concise timeframe. ([email protected]).
>
> R/
>
> Ted Brunell
>
> On Wed, Dec 2, 2020 at 12:14 PM Hayden,Robert <[email protected]> wrote:
>
> Curious on if anyone has any information on the next draft release from DISA on RHEL 8 STIG benchmarks? The one in May was pretty rough and did not really match where the current upstream was moving towards.
>
> Thanks in advance
>
> Robert
>
> *Robert Hayden* | Lead Technology Architect | Cerner Corporation
>
> --
> Mark Thacker
> He/Him
> Team Lead & Security Experience Product Manager, Red Hat Enterprise Linux
> Red Hat <https://www.redhat.com>
> [email protected]
> M: +1-214-636-7004   Twitter / IRC: @thackman

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
