RockyLinux 9 is not listed under Fips 140-3 in NIST

There is only Rocky8 listed under Fips 140-3 test in NIST.
Is Rocky Linux 9 is not under Fips 140-3 compliance test?

Thus is a great question and probably a lot of interest in the answer. we are not ignoring you, i’m just trying to get the right person here to answer. thanks for your patience.

1 Like

There has been discussion about this in other places. IIRC, someone said that the 9 process would begin once 8 has passed.

The OpenSSL project has a FIPS certificate for 3.0.8. It can be used as a module with the 3.x releases as long as it’s compiled with specific options. More information here:

This doesn’t resolve issues with libnss, the kernel, or other libs. They need their own certificates.

Alma has obtained a certificate. IIRC, they don’t have all the libs covered that RHEL has.

It seems like FIPS compliance would be one of those areas where OpenELA could collaborate and reduce the cost for everyone involved. I don’t understand the certification process. It’s crazy that the NIST requires all of the opensource communities to get the same certification multiple times. Based on my look through the IUT list, a lot of them have been under test for more than a year.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.