cloud-gov / product

Program-level artifacts, workflow and issues for cloud.gov
Creative Commons Zero v1.0 Universal

FIPS packages (ADR needed) (4/17) #1661

Closed LindsayYoung closed 2 years ago

LindsayYoung commented 2 years ago

Complete ADR for FIPS implementation

@pburkholder feel free to flesh out this card

pburkholder commented 2 years ago

There are two early phases for this work: 1) switching Terraform to using FIPS endpoints and 2) testing use of FIPS packages from Canonical in our system instantiation (e.g. part of cg-harden?).

pburkholder commented 2 years ago

New questions from JAB:

-- 1/20:  The TR Leads are still unclear about the current process CG is using to mitigate and manage FIPS 140-2 compliance using Ubuntu 18.04 and patching.  Would you provide that process for their review?

-- So far you have provided the briefing, certificate numbers being used vice deploying the OpenSSL 3.0 prior to its final certification (FIPS 140-2).  Ref attachments – note:  the links in the high level plan stopped working – could you provide link for further details in the plan? 

-- It appears that AWS (RT 53) is met > CG manages their transit portion using  internode TLS (using AWS-approved ciphers)?  > EBS, S3, RDS, Elasticache – Elasticsearch? (TR Leads not clear). 

-- Overall, provide clarification in terms of current mitigation to meet FIPS 140-2 compliance and CG’s proposed use of Ubuntu 18.04 and certificates? What is fully being implemented right now? Does this meet FIPS 140-2 compliance for now? What specific monitoring is in place to prevent successful breach?

pburkholder commented 2 years ago

ToDo for week of 2/11 -

pburkholder commented 2 years ago

https://github.com/cloud-gov/cg-provision/pull/985 for FIPS endpoints in

mogul commented 2 years ago

Snoozing for a couple weeks to get more JAB/AWS/Canonical input

pburkholder commented 2 years ago

I've moved this from blocked because it's not really externally blocked. We should rescope this to something that's doable in a sprint, such as filing new Operational Requirements for relevant POA&Ms, or scheduling a recurring meeting with Canonical or VMware.

pburkholder commented 2 years ago

We have provided the JAB with what they need to assess our path, and we are working with Canonical regularly on what that looks like, so no work to be done that fits into an issue for now.