We are very excited about Rocky Linux but we require our OS to be FIPS 140-2 certified/validated because of our requirements from our customers. We are currently running the latest CentOS 8. We are investigating moving away from CentOS 8 and Rocky Linux has some great potential but I cannot investigate/use Rocky Linux if it doesn’t support FIPS 140-2. Are there any plans to fully support this like CentOS 8 anytime soon?
Rocky Linux supports the same FIPS mode configuration as EL8, but it is not yet validated. FIPS validation is on our roadmap.
Also, you may want to discontinue using CentOS immediately. CentOS is not FIPS validated. FIPS validated Linux crypto modules are listed on https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
I realize this is an older post. Do you have any idea of the timeline for FIPS validation? Timelines are closing quickly to migrate.
FIPS validation is not a fast process. We recently started that ball rolling and it will take a little over a year.
FIPS Validation is very important. Rocky Linux should have a dedicated page about FIPS and the process and current status of FIPS validation [keeping it updated of course]. Having a dedicated page will make it easier for people to find.
Governments are now starting to ask for FIPS 140-3 to supersede FIPS 140-2 [FIPS 140-2 will not be validated by CMVP after September 21, 2026]. If you are going to start the validation process, please go for FIPS 140-3 validation.
Has there been a submission to NIST as of yet?
@boris yes, we are pursuing 140-3 to start with.
@jimmyg20794 it is not yet submitted to NIST, we are still pre-IUT. When the IUT results are submitted to NIST it will show up on the CMVP MIP list.
Thank you for the information…
Just to let you know, Rocky will not be on the ‘allowed OS list’ until the submission is at least in the ‘Coordination’ or ‘Review Pending’ status.
Is there a timeline for submission?
We are excited to announce that Rocky Linux has reached a significant step in the FIPS 140-3 validation process; right on schedule, Rocky Linux is now named in the NIST Implementation Under Test List.
Big thanks to our founding partner and sponsor CIQ, who has arranged and paid for the FIPS validation process and will be providing it back to the entire RESF/Rocky community. This is not a small effort; the FIPS validation is a million-dollar investment and we’re very grateful for their contribution. Thank you CIQ!
Thank you for the update, @brian !
@brian That’s fantastic news. Will FIPS 140-3 validation be supported in the upcoming Rocky Linux 9? This will be important.