RENO, Nev., April 24, 2025 -- CIQ today announced that users of both the community-driven Rocky Linux and Rocky Linux from CIQ can now leverage the security benefits of FIPS 140-3 compliance. Rocky Linux 8 and Rocky Linux 9.2 have been officially listed under the NIST Modules in Process (MIP) list following review by our lab partner, atsec. This significant achievement provides organizations an Enterprise Linux distribution with the assurance of a validated security posture for their critical workloads.
This FIPS 140-3 certification for Rocky Linux 8 and 9 offers several key benefits for organizations:
- Demonstrable Cryptographic Posture: Reduces liability and supports compliance with stringent enterprise and government security standards, effectively mitigating negligence risks.
- Increased Efficiency: Pre-hardened components minimize the time and specialized skills required to configure systems to meet rigorous organizational security needs and standards.
Compliance, particularly with standards like FIPS 140-3, is a mandatory requirement for a significant portion of enterprises and government agencies. Even for organizations where it is not mandated, achieving this compliance is crucial for building and maintaining customer trust. This compliance provides a valuable option for prospects within these sectors who are already utilizing Enterprise Linux distributions and have limited choices for a compliant operating system.
"FIPS 140-3 certification for a Linux distribution is a significant undertaking, and obtaining this for Rocky Linux 8 and 9 represents a substantial investment of time and effort from our team," said Gregory Kurtzer, CEO and founder of CIQ. "The process is meticulous, and I am incredibly proud of our work. We are now excited to support both the community-driven Rocky Linux and Rocky Linux from CIQ users. However, our work is just beginning. We will continuously provide updates to ensure all users have a path to ongoing security, and will work to deliver additional compliance with other standards for our customers and the community."
FIPS 140-3 encompasses key cryptographic modules essential for regulated environments, including the kernel, NSS, Libgcrypt, OpenSSL, and GnuTLS. These packages have been updated by CIQ with FIPS-compliant security patches and are a prerequisite for achieving FIPS 140-3 compliance in regulated workloads. When FIPS mode is enabled, strict algorithm restrictions are enforced, adhering to minimum standards for entropy and encryption strength as mandated by FIPS 140-3.
Additionally, the OpenSSL modules in both Rocky 8 and Rocky 9 have been enhanced by CIQ to add full FIPS 140-3 support for the EdDSA-based elliptic curve signing algorithms Ed25519 and Ed448, in addition to the upstream cryptographic support in the released open source versions. The OpenSSL module in Rocky 8 has been enhanced to be fully certified for TLS 1.3 in FIPS mode.
"Rocky Linux is deployed massively through organizations that have strict compliance restrictions including the US Government," said Scott Shinn, Compliance and Security Team co-lead of Rocky Linux and CTO of Atomicorp. "The validation that FIPS provides to the Rocky Linux community is a massive testament to both Rocky Linux as a premier community-based Enterprise Linux operating system as well as CIQ, whose commitment to open source and Rocky Linux is clear. Thank you CIQ for making such an impactful investment to the community and supporting other security focused organizations like Atomicorp."
The FIPS 140-3 standard represents a significant evolution in cryptographic security from FIPS 140-2, imposing stricter algorithmic strength requirements to address increasing processing power and sophistication. Consequently, legacy algorithms with known vulnerabilities or insufficient security margins, such as SHA-1 for digital signatures, RSA keys smaller than 2048 bits, and Triple DES (3DES) encryption, have been deprecated or disallowed.
Artifacts and Links
All of the FIPS work that has been completed by the CIQ team is available as open source in a public repository on GitHub.
Validation details for the Rocky Linux cryptographic modules are publicly available on the NIST website through the following links:
- Entropy Certificates: https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropy-validations/search?Vendor=ctrl+iq&ipp=25
- Cryptographic Algorithm Certificates (Approved Algorithms): https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation-search?searchMode=implementation&vendor=ctrl+iq&productType=-1&ipp=25
- Modules on MIP list (search for "Rocky"): https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list
The final CMVP certificate will be accessible in the 'Validated Modules' section of the NIST website once NIST completes its validation of the lab report.
ABOUT CIQ
CIQ delivers secure and performant software infrastructure for the demands of all modern workloads, from the most mundane to the most extreme HPC and AI jobs. We believe infrastructure should drive the future of your business and that both the operating system of a single machine and the orchestration layer to manage a cluster of machines and even hybrid environments need to be optimized for your requirements. We are an open source company that has started and/or contributed to critical infrastructure projects such as Rocky Linux, Warewulf, Ascender, and Apptainer.