Closed LindsayYoung closed 2 years ago
There are two early phases for this work: 1) switching Terraform to using FIPS endpoints and 2) testing use of FIPS packages from Canonical in our system instantiation (e.g. part of cg-harden?).
New questions from JAB:
-- 1/20: The TR Leads are still unclear about the current process CG is using to mitigate and manage FIPS 140-2 compliance using Ubuntu 18.04 and patching. Would you provide that process for their review?
-- So far you have provided the briefing, certificate numbers being used vice deploying the OpenSSL 3.0 prior to its final certification (FIPS 140-2). Ref attachments – note: the links in the high level plan stopped working – could you provide a link for further details in the plan?
-- It appears that AWS (RT 53) is met > CG manages their transit portion using internode TLS (using AWS-approved ciphers)? > EBS, S3, RDS, ElastiCache – Elasticsearch? (TR Leads not clear).
-- Overall, provide clarification in terms of current mitigation to meet FIPS 140-2 compliance and CG’s proposed use of Ubuntu 18.04 and certificates? What is fully being implemented right now? Does this meet FIPS 140-2 compliance for now? What specific monitoring is in place to prevent successful breach?
ToDo for week of 2/11 -
https://github.com/cloud-gov/cg-provision/pull/985 for FIPS endpoints in
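The first phase named in this issue, pointing Terraform's AWS provider at FIPS endpoints, as an added example that is not code from the issue, from cg-provision or from the linked PR; the provider version constraint, the region, and the bucket name are assumptions:

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # assumption: any provider release that supports use_fips_endpoint
    }
  }
}

# Provider-wide switch: every API call is sent to the FIPS 140-validated endpoint
# for the region where AWS publishes one. The region is an assumed value.
provider "aws" {
  region            = "us-gov-west-1"
  use_fips_endpoint = true
}

# Explicit form: pin individual services to their FIPS hostnames so the choice is
# visible in code review rather than hidden in a provider flag.
provider "aws" {
  alias  = "explicit_fips"
  region = "us-gov-west-1"

  endpoints {
    s3 = "https://s3-fips.us-gov-west-1.amazonaws.com"
  }
}

# Constructed resource showing the explicit provider in use.
resource "aws_s3_bucket" "fips_example" {
  provider = aws.explicit_fips
  bucket   = "example-fips-endpoint-bucket" # constructed name
}
```

To confirm which endpoint a run actually used, set `TF_LOG=DEBUG` on a `terraform plan` and check the request hostnames in the log for the `-fips` form; that check is the evidence an assessor would want for the transit portion of the FIPS 140-2 question above.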
Snoozing for a couple weeks to get more JAB/AWS/Canonical input
I've moved this from blocked because it's not really externally blocked. We should rescope this to something that's doable in a sprint, such as filing new Operational Requirements for relevant POA&Ms or scheduling a recurring meeting with Canonical or VMware.
We have provided the JAB with what they need to assess our path, and we are working with Canonical regularly on what that looks like, so there is no work to be done that fits into an issue for now.
Complete ADR for FIPS implementation
@pburkholder feel free to flesh out this card