I always keep my eyes on what modules are undergoing FIPS validation. Here is an email sent to my teams…
A shortcoming of open source has always been the lack of validated security modules. Red Hat has recognized this shortcoming and submitted their products and libraries for FIPS validation. As we move to more secure enterprise solutions, it will be important to stay aware of these products so that we can lean on them in our own. Using validated products removes the need to take a hit during C&A (certification and accreditation) or to seek waivers. Just a friendly FYI from your IA Architect:
| Module | Vendor | Level |
|---|---|---|
| Red Hat Enterprise Linux 5 IPSec Cryptographic Module | Red Hat | 1 |
| Red Hat Enterprise Linux 5 Filesystem-Level Encryption Cryptographic Module | Red Hat | 1 |
| Red Hat Enterprise Linux 5 Volume-Level Encryption Cryptographic Module | Red Hat | 1 |
| Red Hat Enterprise Linux 5 OpenSSH Cryptographic Module | Red Hat | 1 |
| Red Hat Enterprise Linux 5 libgcrypt Cryptographic Module | Red Hat | 1 |
| Red Hat Enterprise Linux 5 OpenSSL Cryptographic Module | Red Hat | 1 |
| Network Security Services (NSS) L2 Cryptographic Module | Red Hat, Inc. | |
Why is this all important? All government systems are subject to the FISMA guidelines, and usually to some portion of the NIST guidance as well. Here is an excerpt from DISA:
> There is a Government-Wide mandate for exclusive use of products validated by NIST for FIPS 140-1 or 140-2 conformance. This means that Government organizations that will use software products utilizing any form of software cryptography in protecting _“sensitive, but unclassified information” **must** use products that are validated by NIST_ as either 140-1 or 140-2 compliant. FIPS 140-2, “Security Requirements for Cryptographic Modules,” was released on May 25, 2001 and supersedes FIPS 140-1. However, agencies may continue to purchase, retain and use FIPS 140-1 validated products after May 25, 2002.