NIST and FIPS compliance
matthew at FreeBSD.org
Tue Apr 9 09:04:37 UTC 2019
On 08/04/2019 19:06, Paul Pathiakis via freebsd-questions wrote:
> I find the whole idea of NIST and FIPS to fly in the face of OSS
> sanity. However, should there not be a switch in all ports and the OS
> for things to be built with a FIPS compliant encryption module?
> Seriously, like the openssl-2.0-fips module? I know it's annoying but
> the US and Canadian Govts are demanding this of all vendors and
> contractors. RH/CentOS is already compliant with this stupidity and,
> sadly, I think it should be considered.
> And, if this was done, it would allow all derivations of the FreeBSD
> to be able to access this. I'm trying for FreeNAS to be used in such
> an environment.
This is definitely an idea that should be considered further. You might
want to start a discussion on the freebsd-arch@ or freebsd-ports@
mailing lists -- as those are the places you're likely to reach the most
I don't know off hand what is required for FIPS compliance -- presumably
this entails some sort of certification by a standardizing body that
(given certain conditions) a system is compliant -- and that is almost
certainly going to cost some amount of money.
Whether it is possible to get certification for a generic system, or
whether each different installation needs to be separately certified has
always been a key question. Also whether having some sort of
'pre-certification' for the baseline system is a possibility in the
latter case would be good to know.
Ultimately this is going to come down to two things:
* People with the technical skills required being prepared to
volunteer their time.
* Money to pay for whatever level of certification we could feasibly
There's a trade-off here between the cost and effort required and the
resulting benefits. If this needs money, then the FreeBSD Foundation
should be involved, and they are going to want to see a well-argued
business case before signing any cheques.