NIST and FIPS compliance

[Matthew Seaman]

On 08/04/2019 19:06, Paul Pathiakis via freebsd-questions wrote:
> I find the whole idea of NIST and FIPS to fly in the face of OSS
> sanity. However, should there not be a switch in all ports and the OS
> for things to be built with a FIPS compliant encryption module?
> Seriously, like the openssl-2.0-fips module? I know it's annoying but
> the US and Canadian Govts are demanding this of all vendors and
> contractors.  RH/CentOS is already compliant with this stupidity and,
> sadly, I think it should be considered.
> 
> And, if this was done, it would allow all derivations of the FreeBSD
> to be able to access this.  I'm trying for FreeNAS to be used in such
> an environment.

This is definitely an idea that should be considered further.  You might 
want to start a discussion on the freebsd-arch@ or freebsd-ports@ 
mailing lists -- as those are the places you're likely to reach the most 
relevant audience.

I don't know off hand what is required for FIPS compliance -- presumably 
this entails some sort of certification by a standardizing body that 
(given certain conditions) a system is compliant -- and that is almost 
certainly going to cost some amount of money.

Whether it is possible to get certification for a generic system, or 
whether each different installation needs to be separately certified has 
always been a key question.  Also whether having some sort of 
'pre-certification' for the baseline system is a possibility in the 
latter case would be good to know.

Ultimately this is going to come down to two things:

   * People with the technical skills required being prepared to 
volunteer their time.

   * Money to pay for whatever level of certification we could feasibly 
achieve.

There's a trade-off here between the cost and effort required and the 
resulting benefits.  If this needs money, then the FreeBSD Foundation 
should be involved, and they are going to want to see a well-argued 
business case before signing any cheques.

	Cheers,

	Matthew