NIST and FIPS compliance
carmel_ny at outlook.com
Tue Apr 9 13:19:42 UTC 2019
On Tue, 9 Apr 2019 10:04:23 +0100, Matthew Seaman stated:
>On 08/04/2019 19:06, Paul Pathiakis via freebsd-questions wrote:
>> I find the whole idea of NIST and FIPS to fly in the face of OSS
>> sanity. However, should there not be a switch in all ports and the OS
>> for things to be built with a FIPS compliant encryption module?
>> Seriously, like the openssl-2.0-fips module? I know it's annoying but
>> the US and Canadian Govts are demanding this of all vendors and
>> contractors. RH/CentOS is already compliant with this stupidity and,
>> sadly, I think it should be considered.
>> And, if this was done, it would allow all derivations of the FreeBSD
>> to be able to access this. I'm trying for FreeNAS to be used in such
>> an environment.
>This is definitely an idea that should be considered further. You
>might want to start a discussion on the freebsd-arch@ or
>freebsd-ports@ mailing lists -- as those are the places you're likely
>to reach the most relevant audience.
>I don't know off hand what is required for FIPS compliance --
>presumably this entails some sort of certification by a standardizing
>body that (given certain conditions) a system is compliant -- and that
>is almost certainly going to cost some amount of money.
>Whether it is possible to get certification for a generic system, or
>whether each different installation needs to be separately certified
>has always been a key question. Also whether having some sort of
>'pre-certification' for the baseline system is a possibility in the
>latter case would be good to know.
>Ultimately this is going to come down to two things:
> * People with the technical skills required being prepared to
>volunteer their time.
> * Money to pay for whatever level of certification we could
>There's a trade-off here between the cost and effort required and the
>resulting benefits. If this needs money, then the FreeBSD Foundation
>should be involved, and they are going to want to see a well-argued
>business case before signing any cheques.
I don't know if this will be of any use to you, Matthew.
Interestingly enough, Win 10 Pro has an option to enable FIPS;
however, even Microsoft says not to enable it unless you absolutely
have to, i.e., for government compliance.
RH/CentOS are already compliant apparently. It would seem
counterproductive for FreeBSD not to be also. In any case, its use
should be made optional.