Canonical has achieved FIPS 140-2 Level 1 certification and Common Criteria EAL2. The Defense Information Systems Agency (DISA) has also published Ubuntu Security Technical Implementation Guides (STIGs), which allow Ubuntu to be used by federal agencies. Furthermore, the Center for Internet Security (CIS) has published benchmarks for hardening the configuration of Ubuntu systems.
FIPS certification and CIS compliance with Ubuntu
Learn about Ubuntu CIS and FIPS certified components to enable operating under compliance regimes like FedRAMP, HIPAA, PCI and ISO. Get all of your compliance questions answered in our upcoming webinar to ensure you and your team are, and remain, compliant.
FIPS 140-2 is a U.S. Government computer security standard. It defines security requirements related to the design and implementation of a cryptographic module. It is a requirement for U.S. Federal agencies to use FIPS 140-2 validated cryptography to protect sensitive information.
The standard puts stringent requirements on testing to ensure that the cryptographic implementations meet the standard and work as expected. The testing and validation must be performed by a laboratory accredited under the Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP), which is part of NIST's National Voluntary Laboratory Accreditation Program (NVLAP) in the US and of CCCS's Cryptographic Module Validation Program (CMVP) in Canada. The validation testing for Ubuntu 18.04 LTS and 16.04 LTS was performed by atsec Information Security, a U.S. Government- and BSI-accredited laboratory.
Anyone deploying systems and cloud services for Federal government agency use, whether directly or through contractors and vendors, is required to use FIPS 140-2 compliant systems. FIPS 140-2 has also been adopted outside of the public sector in industries where data security is heavily regulated, such as financial services, healthcare, legal and manufacturing.
Canonical has validated the following cryptographic modules for Ubuntu 18.04 LTS (the modules are certified on Intel x86_64 and IBM Z hardware platforms):
- OpenSSH-Client: validated Level 1, March 2020 (#3633)
- OpenSSH-Server: validated Level 1, March 2020 (#3632)
- OpenSSL: validated Level 1, Feb. 2020 (#3622)
- Kernel Crypto API: validated Level 1, April 2020 (#3647)
- Azure Kernel Crypto API: validated Level 1, July 2020 (#3683)
- AWS Kernel Crypto API: validated Level 1, June 2020 (#3664)
- Strongswan: validated Level 1, April 2020 (#3648)
- Libgcrypt: validated Level 1, 24 Nov. 2020 (#3748)
Canonical has validated the following cryptographic modules for Ubuntu 16.04 LTS (the modules are certified on Intel x86_64, IBM Power8 and IBM Z hardware platforms):
Common Criteria (CC) for Information Technology Security Evaluation is an international standard (ISO/IEC IS 15408) for computer security certification, used by Federal agencies, financial institutions and many other organizations dealing with sensitive data. It validates that a product satisfies a defined set of security requirements.
Ubuntu 18.04 LTS and 16.04 LTS have both been evaluated to assurance level EAL2 through CSEC – The Swedish Certification Body for IT Security. The consulting and evaluation testing was performed by atsec Information Security. For more information, the CSEC certification reports for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS are available on the CSEC website. The evaluation was performed on Intel x86_64, IBM Power8 (16.04 LTS only) and IBM Z hardware platforms.
Security Technical Implementation Guides (STIGs) are developed by the Defense Information Systems Agency (DISA) for the U.S. Department of Defense (DoD). They are configuration guidelines for hardening systems to improve security. They contain technical guidance which, when implemented, locks down software and systems to mitigate malicious attacks.
DISA has, in conjunction with Canonical, developed STIGs for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
The Center for Internet Security (CIS) is a non-profit organization that uses a consensus process to release benchmarks that safeguard organizations against cyber attacks. Each benchmark contains configuration checklists for hardening a system, making it less vulnerable to malicious attacks. The consensus review process draws on subject matter experts who bring perspectives from different backgrounds, such as audit and compliance, security research, consulting and software development.
Each benchmark undergoes two phases of consensus review. In the first phase, a benchmark is drafted with the help of subject matter experts and an initial version of the benchmark is published. In the second phase, feedback from the wider internet community is reviewed and incorporated into the benchmark. Canonical has actively participated in drafting the benchmarks for Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04. CIS has also published benchmarks for the Ubuntu 12.04 and 14.04 releases.