{"description": "To enable processing of sensitive information, the operating system must\nprovide certified cryptographic modules compliant with the FIPS 140-2\nstandard.\n\nUbuntu Linux is supported by Canonical Ltd. As the Ubuntu Linux Vendor, Canonical Ltd. is\nresponsible for government certifications and standards.\n\nUsers of Ubuntu Linux either need an Ubuntu Advantage subscription or need\nto be using Ubuntu Pro from a sponsored vendor in order to have access to\nFIPS content supported by Canonical.", "rationale": "The Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS\nPUB 140-2) is a computer security standard. The standard specifies security\nrequirements for cryptographic modules used to protect sensitive\nunclassified information. Refer to the full FIPS 140-2 standard at\n\n    <a xmlns='http://www.w3.org/1999/xhtml' href='http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf'>http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf</a>\nfor further details on the requirements.\nFIPS 140-2 validation is required by U.S. law when information systems use\ncryptography to protect sensitive government information. 
In order to\nachieve FIPS 140-2 certification, cryptographic modules are subject to\nextensive testing by independent laboratories accredited by the National\nInstitute of Standards and Technology (NIST).", "severity": "high", "references": {"nerc-cip": ["CIP-003-8 R4.2", "CIP-007-3 R5.1"], "nist": ["SC-12(2)", "SC-12(3)", "IA-7", "SC-13", "CM-6(a)", "SC-12"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the installed operating system is not FIPS 140-2 certified", "ocil": "To verify that the installed operating system is supported or certified, run\nthe following command:\n\n<pre>$ grep -i \"ubuntu\" /etc/os-release</pre>\n\nThe output should contain something similar to:\n<pre>Ubuntu 22.04</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation besides switching to a different operating system."}, {"regulatory": "System Crypto Modules must be provided by a vendor that undergoes\nFIPS-140 certifications.\nFIPS-140 is applicable to all Federal agencies that use\ncryptographic-based security systems to protect sensitive information\nin computer and telecommunication systems (including voice systems) as\ndefined in Section 5131 of the Information Technology Management Reform\nAct of 1996, Public Law 104-106. This standard shall be used in\ndesigning and implementing cryptographic modules that Federal\ndepartments and agencies operate or are operated for them under\ncontract. See <b>\n<a xmlns='http://www.w3.org/1999/xhtml' href='https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf'>https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</a></b>\nTo meet this, the system has to have cryptographic software provided by\na vendor that has undergone this certification. This means providing\ndocumentation, test results, design information, and independent\nthird-party review by an accredited lab. 
While open source software is\ncapable of meeting this, it does not meet FIPS-140 unless the vendor\nsubmits to this process."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "The Installed Operating System Is FIPS 140-2 Certified", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml", "template": null}