On Mon, 2010-05-24 at 10:42 -0400, Edmon Begoli wrote:
> Does anyone know if Fedora's HD encryption is, or could it be, compliant with
> US NIST requirement for hard disk encryption included in NIST FIPS 140-2?
>
> http://csrc.nist.gov/groups/STM/cmvp/#05
>
> Thanks.

FIPS compliance testing is a cumbersome and expensive exercise in paperwork. It's usually farmed out to a 3rd party "independent lab" for upwards of $20K per cert. The only open source software project I know that has successfully obtained FIPS 140-2 compliance certification is OpenSSL, and they took on the task themselves.

Note that the requirement for FIPS compliance was brought about by FISMA 2002. This law and NIST's implementation have been justly criticized for their emphasis on paperwork documentation in the certification and accreditation (C&A) process. Security experts estimate upwards of 80% of C&A budgets are being wasted on such "binder-ware". A new FISMA 2010 is making its way through Congress that will change that emphasis to more practical measures like pen-testing and automated status monitoring.

--Doc Savage
  Fairview Heights, IL