NIST and FIPS compliance

Carmel NY carmel_ny at
Tue Apr 9 13:19:42 UTC 2019

On Tue, 9 Apr 2019 10:04:23 +0100, Matthew Seaman stated:

>On 08/04/2019 19:06, Paul Pathiakis via freebsd-questions wrote:
>> I find the whole idea of NIST and FIPS to fly in the face of OSS
>> sanity. However, should there not be a switch in all ports and the OS
>> for things to be built with a FIPS compliant encryption module?
>> Seriously, like the openssl-2.0-fips module? I know it's annoying but
>> the US and Canadian Govts are demanding this of all vendors and
>> contractors.  RH/CentOS is already compliant with this stupidity and,
>> sadly, I think it should be considered.
>> And, if this was done, it would allow all derivations of the FreeBSD
>> to be able to access this.  I'm trying for FreeNAS to be used in such
>> an environment.  
>This is definitely an idea that should be considered further.  You
>might want to start a discussion on the freebsd-arch@ or
>freebsd-ports@ mailing lists -- as those are the places you're likely
>to reach the most relevant audience.
>I don't know off hand what is required for FIPS compliance --
>presumably this entails some sort of certification by a standardizing
>body that (given certain conditions) a system is compliant -- and that
>is almost certainly going to cost some amount of money.
>Whether it is possible to get certification for a generic system, or 
>whether each different installation needs to be separately certified
>has always been a key question.  Also whether having some sort of 
>'pre-certification' for the baseline system is a possibility in the 
>latter case would be good to know.
>Ultimately this is going to come down to two things:
>   * People with the technical skills required being prepared to 
>volunteer their time.
>   * Money to pay for whatever level of certification we could
> feasibly 
>There's a trade-off here between the cost and effort required and the 
>resulting benefits.  If this needs money, then the FreeBSD Foundation 
>should be involved, and they are going to want to see a well-argued 
>business case before signing any cheques.
>	Cheers,
>	Matthew

I don't know if this will be of any use to you Matthew.

Interestingly enough, Win 10 Pro has an option to enable FIPS;
however, even Microsoft says not to enable it unless you absolutely
have to; i.e., government compliance.

RH/CentOS are already compliant apparently. It would seem
counterproductive for FreeBSD not to be also. In any case, its use
should be made optional.


More information about the freebsd-questions mailing list