We are excited to announce that Rocky Linux has reached a significant step in the FIPS 140-3 validation process; right on schedule, Rocky Linux is now named in the NIST Implementation Under Test List.
Big thanks to our founding partner and sponsor CIQ, who has arranged and paid for the FIPS validation process and will be providing it back to the entire RESF/Rocky community. This is not a small effort, the FIPS validation is a million dollar investment and we’re very grateful for their contribution. Thank you CIQ!
Great news, however, I did wonder about two things:
I noted that it appears locked to 8.6 rather than a more generic 8. Would this mean that only 8.6 gets the FIPS certification rather than Rocky Linux 8? RHEL 8 does not have a specific sub version.
I also noted that RHEL had more components on the list: GnuTLS and Kernel Crypto API as well as the 3 Rocky Linux has (libgcrypt, NSS, OpenSSL). Will that also potentially have a long term affect?
RHEL is certified as minor versions, not sure why that doesn’t show up there. However it is listed correctly on Red Hat’s own website: Government Standards - Red Hat Customer Portal
I’ll dig around and see what the story is regarding components certified.