To gain CMMC compliance, Red Hat Enterprise Linux 8 (or any of its variants) must run in FIPS mode. Enabling FIPS mode can be a difficult hurdle, but it does not have to be. While researching a recent problem encountered on a FIPS-enabled system, more questions were raised than answered. As you progress through this article, you may see what is meant by that last statement.
What is FIPS?
A great summary of FIPS is provided by Red Hat as "[t]he Federal Information Processing Standard (FIPS) Publication 140-2, is a computer security standard, developed by a U.S. Government and industry working group to validate the quality of cryptographic modules." While hardening the Red Hat operating system to fall into CMMC compliance,
What is CMMC?
"CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain." - Office of the Under Secretary of Defense for Acquisition & Sustainment.
System Hardening
Part of the system hardening is enabling FIPS mode, which involves running a couple of commands. One of them is update-crypto-policies. It writes the selected policy name (here FIPS:OSPP) to /etc/crypto-policies/config and regenerates the per-library back-end configuration under /etc/crypto-policies/back-ends/. The new policy is only picked up when an application starts, so a reboot is recommended so that every running service, sshd included, loads it. Note that update-crypto-policies on its own does not put the kernel into FIPS mode; that is what fips-mode-setup --enable does, and it sets the plain FIPS policy as part of the job. Setting FIPS:OSPP is the additional, stricter step.
/usr/bin/update-crypto-policies --set FIPS:OSPP
What is interesting about FIPS:OSPP is that it is not one of the policies listed in the man page, which covers LEGACY, DEFAULT, FUTURE, and FIPS. The part after the colon is a policy module (subpolicy) applied on top of the FIPS base policy; OSPP stands for the Common Criteria Operating System Protection Profile, and on RHEL 8.2 and later it ships as a module under /usr/share/crypto-policies/policies/modules/. Because it further restricts the base policy, FIPS:OSPP is stricter than plain FIPS.
man crypto-policies
Reading through the Red Hat Customer Portal article "KeyExchange algorithm negotiation failed to access RHEL8 ssh server with FIPS:OSPP crypto policy enabled.", it is clear that FIPS and FIPS:OSPP differ significantly in the SSH key exchange algorithms they allow.
SSH key exchange algorithms offered by RHEL 8 with the FIPS crypto policy enabled:
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
SSH key exchange algorithms offered by RHEL 8 with the FIPS:OSPP crypto policy enabled:
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group14-sha256
Note that FIPS:OSPP offers fewer key exchange methods: diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, and diffie-hellman-group18-sha512 are dropped. SSH selects the first algorithm in the client's preference list that the server also offers, so a client or automation tool whose list contains only the dropped methods cannot negotiate at all, which is the failure the Red Hat article describes.
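To make the negotiation failure concrete, here is an added example (not from the original article and not Red Hat's code) that emulates the SSH key exchange selection rule, the first algorithm in the client's list that the server also offers wins, against the two server lists quoted above. The client lists MODERN_CLIENT and LEGACY_CLIENT are constructed for illustration and were not measured from any real host.

```shell
#!/bin/sh
# Added example, not from the original article: emulates SSH KEX selection
# (RFC 4253 section 7.1) against the FIPS and FIPS:OSPP server lists quoted
# from the Red Hat article, to show why a client can connect under one
# policy and fail under the other.

# Server-side KEX lists exactly as quoted above for the two policies.
KEX_FIPS="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
KEX_FIPS_OSPP="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256"

# Constructed client preference lists (assumptions for illustration):
# a modern client that prefers curve25519 but also knows ECDH and group14,
# and a legacy client that only offers the DH methods OSPP removes.
MODERN_CLIENT="curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256"
LEGACY_CLIENT="diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"

# has_kex LIST ALG: succeeds when ALG is one of the comma-separated LIST entries.
has_kex() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# negotiate_kex CLIENT_LIST SERVER_LIST: prints the algorithm SSH would pick
# (first client entry the server also offers) and returns 0; prints nothing
# and returns 1 when there is no common method, which on a real host shows
# up as sshd's "no matching key exchange method found" error.
negotiate_kex() {
    old_ifs=$IFS
    IFS=,
    for alg in $1; do
        if has_kex "$2" "$alg"; then
            IFS=$old_ifs
            printf '%s\n' "$alg"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# dropped_kex FROM_LIST TO_LIST: prints, one per line, the algorithms that
# FROM_LIST offers but TO_LIST does not.
dropped_kex() {
    old_ifs=$IFS
    IFS=,
    for alg in $1; do
        has_kex "$2" "$alg" || printf '%s\n' "$alg"
    done
    IFS=$old_ifs
}

# report NAME CLIENT_LIST: show the outcome against both policies.
report() {
    for policy in FIPS FIPS:OSPP; do
        if [ "$policy" = FIPS ]; then server=$KEX_FIPS; else server=$KEX_FIPS_OSPP; fi
        if chosen=$(negotiate_kex "$2" "$server"); then
            printf '%-10s %-14s -> %s\n' "$policy" "$1" "$chosen"
        else
            printf '%-10s %-14s -> no matching key exchange method (connection fails)\n' "$policy" "$1"
        fi
    done
}

echo "Methods FIPS:OSPP drops relative to FIPS:"
dropped_kex "$KEX_FIPS" "$KEX_FIPS_OSPP" | sed 's/^/  /'
echo
report modern-client "$MODERN_CLIENT"
report legacy-client "$LEGACY_CLIENT"
```

On a real RHEL 8 host, the server side of this comparison is what the active policy writes into /etc/crypto-policies/back-ends/opensshserver.config, the client side is what `ssh -Q kex` prints on the connecting machine, and `update-crypto-policies --show` tells you which policy is active. If the two lists have no algorithm in common, the fix is to add a FIPS-approved method the server still offers (for example diffie-hellman-group14-sha256 or one of the ecdh-sha2-nistp* methods) to the client, not to weaken the server policy.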
Revert
If you hit an issue that cannot be explained or resolved, reset the crypto policy as a troubleshooting step, then restart the affected services (or reboot) so they pick up the change.
/usr/bin/update-crypto-policies --set DEFAULT
Keep in mind that DEFAULT is not a FIPS policy. On a system that must stay in FIPS mode, narrow the change first: set the policy back to plain FIPS (the same command with FIPS in place of DEFAULT), which drops only the OSPP module, and confirm the kernel side with fips-mode-setup --check. Fall back to DEFAULT only if the problem persists, and only long enough to isolate it.