CIQ announced that users of both the community-driven Rocky Linux and Rocky Linux from CIQ can now leverage the security benefits of FIPS 140-3 compliance. Rocky Linux 8 and Rocky Linux 9.2 have been officially listed under the NIST Modules in Process (MIP) list following review by our lab partner, atsec. This significant achievement provides organizations an Enterprise Linux distribution with the assurance of a validated security posture for their critical workloads.
This FIPS 140-3 certification for Rocky Linux 8 and 9 offers several key benefits for organizations:
- Demonstrable Cryptographic Posture: Reduces liability and supports compliance with stringent enterprise and government security standards, effectively mitigating negligence risks.
- Increased Efficiency: Pre-hardened components minimize the time and specialized skills required to configure systems to meet rigorous organizational security needs and standards.
Compliance, particularly with standards like FIPS 140-3, is a mandatory requirement for a significant portion of enterprises and government agencies. Even for organizations where it is not mandated, achieving this compliance is crucial for building and maintaining customer trust. This compliance provides a valuable option for prospects within these sectors who are already utilizing Enterprise Linux distributions and have limited choices for a compliant operating system.
"FIPS 140-3 certification for a Linux distribution is a significant undertaking, and obtaining this for Rocky Linux 8 and 9 represents a substantial investment of time and effort from our team," said Gregory Kurtzer, CEO and founder of CIQ. "The process is meticulous, and I am incredibly proud of our work. We are now excited to support both the community-driven Rocky Linux and Rocky Linux from CIQ users. However, our work is just beginning. We will continuously provide updates to ensure all users have a path to ongoing security, and will work to deliver additional compliance with other standards for our customers and the community."
FIPS 140-3 encompasses key cryptographic modules essential for regulated environments, including the kernel, NSS, Libgcrypt, OpenSSL, and GnuTLS. These packages have been updated by CIQ with FIPS-compliant security patches and are a prerequisite for achieving FIPS 140-3 compliance in regulated workloads. When FIPS mode is enabled, strict algorithm restrictions are enforced, adhering to the minimum standards for entropy and encryption strength mandated by FIPS 140-3.
Additionally, the OpenSSL modules in both Rocky 8 and Rocky 9 have been enhanced by CIQ to add full FIPS 140-3 support for the EdDSA-based elliptic curve signature algorithms Ed25519 and Ed448, in addition to the upstream cryptographic support in the open source released versions. The OpenSSL module in Rocky 8 has been enhanced to be fully certified for TLS 1.3 in FIPS mode.
"Rocky Linux is deployed massively through organizations that have strict compliance restrictions including the US Government," said Scott Shinn, Compliance and Security Team co-lead of Rocky Linux and CTO of Atomicorp. "The validation that FIPS provides to the Rocky Linux community is a massive testament to both Rocky Linux as a premier community-based Enterprise Linux operating system as well as CIQ, whose commitment to open source and Rocky Linux is clear. Thank you CIQ for making such an impactful investment to the community and supporting other security-focused organizations like Atomicorp."
The FIPS 140-3 standard represents a significant evolution in cryptographic security from FIPS 140-2, imposing stricter algorithmic strength requirements to keep pace with increasing processing power and attack sophistication. Consequently, legacy algorithms with known vulnerabilities or insufficient security margins, such as SHA-1 for digital signatures, RSA keys smaller than 2048 bits, and Triple DES (3DES) encryption, have been deprecated or disallowed.
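The two passages above describe what FIPS mode enforces and which legacy algorithms FIPS 140-3 disallows. The following script is an added example, not CIQ or Rocky Linux code, showing how an administrator can audit a host's OpenSSL configuration for exactly those restrictions before or after enabling FIPS mode: it parses the text produced by `openssl ciphers -v` and `openssl x509 -text -noout` and flags 3DES cipher suites, SHA-1 signatures, and RSA keys below 2048 bits. The sample outputs embedded in the script are constructed, not captured from a real system; the field layout the regular expressions assume is the standard OpenSSL text format. The cipher check also flags RC4, single DES, MD5 and ChaCha20, which go beyond the list in the text but are likewise not NIST-approved algorithms.

```python
"""Audit OpenSSL text output against FIPS 140-3 algorithm restrictions.

Added illustration, not part of the CIQ/Rocky Linux FIPS work. The sample
outputs below are constructed for the example, not captured from a host.
"""
import re
import subprocess
from typing import List

# Symmetric ciphers and MACs that are not FIPS-approved. 3DES is the one
# named in the announcement; the others are additional non-approved algorithms.
DISALLOWED_ENC = ("3DES", "DES", "RC4", "CHACHA20")
DISALLOWED_MAC = ("MD5",)
# Signature hashes and the minimum RSA modulus called out in the text.
WEAK_SIG_HASHES = ("sha1", "md5")
MIN_RSA_BITS = 2048

# One line of `openssl ciphers -v`: NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)
# Fields of `openssl x509 -text -noout` (OpenSSL 1.1.1 and 3.x layouts).
SIG_ALG = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.M)
KEY_ALG = re.compile(r"Public Key Algorithm:\s*(\S+)")
KEY_BITS = re.compile(r"Public-Key:\s*\((\d+) bit\)")


def audit_cipher_list(text: str) -> List[str]:
    """Return names of cipher suites using a disallowed cipher or MAC."""
    flagged = []
    for line in text.splitlines():
        m = CIPHER_LINE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines, anything unparseable
        enc, mac = m["enc"].upper(), m["mac"].upper()
        if enc.startswith(DISALLOWED_ENC) or mac in DISALLOWED_MAC:
            flagged.append(m["name"])
    return flagged


def audit_cert_text(text: str) -> List[str]:
    """Return findings for one certificate dump: weak signature hash, short RSA key."""
    findings = []
    sig = SIG_ALG.search(text)  # first match is the one in the Data block
    if sig and any(h in sig.group(1).lower() for h in WEAK_SIG_HASHES):
        findings.append(f"signature algorithm {sig.group(1)} is disallowed")
    alg, bits = KEY_ALG.search(text), KEY_BITS.search(text)
    if alg and bits and alg.group(1) == "rsaEncryption" and int(bits.group(1)) < MIN_RSA_BITS:
        findings.append(f"RSA key is {bits.group(1)} bits; minimum is {MIN_RSA_BITS}")
    return findings


def collect_cipher_list() -> str:
    """Run the real openssl binary when available; return "" otherwise."""
    try:
        return subprocess.run(["openssl", "ciphers", "-v", "ALL"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


# Constructed sample of `openssl ciphers -v` output (not from a real host).
SAMPLE_CIPHERS = """\
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(128)            Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2 Kx=ECDH     Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
DES-CBC3-SHA                   SSLv3   Kx=RSA      Au=RSA   Enc=3DES(168)              Mac=SHA1
RC4-MD5                        SSLv3   Kx=RSA      Au=RSA   Enc=RC4(128)               Mac=MD5
"""

# Constructed certificate dumps (not real certificates).
CERT_WEAK = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = legacy-example-ca
        Subject: CN = legacy.example.internal
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption
"""
CERT_OK = CERT_WEAK.replace("sha1WithRSAEncryption", "sha256WithRSAEncryption") \
                   .replace("RSA Public-Key: (1024 bit)", "Public-Key: (3072 bit)")

if __name__ == "__main__":
    live = collect_cipher_list()
    print("cipher suites flagged:", audit_cipher_list(live or SAMPLE_CIPHERS))
    print("weak cert findings:", audit_cert_text(CERT_WEAK))
    print("ok cert findings:", audit_cert_text(CERT_OK))
```

Run against a real host, the cipher audit reports what `openssl ciphers -v ALL` advertises; on a system where FIPS mode is active the 3DES and RC4 suites should already be absent, so a non-empty result is a useful sign that the crypto policy is not what you expect. Feed `audit_cert_text` the output of `openssl x509 -in <cert> -text -noout` for each deployed certificate to catch SHA-1 signatures and sub-2048-bit RSA keys that FIPS-mode services will reject.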
Artifacts and Links
All of the FIPS work that has been completed by the CIQ team is available as open source in a public repository on GitHub.