Merge pull request #12856 from mtruj013/security-fips
[copy update] /security/fips
mtruj013 committed May 11, 2023
2 parents 225f760 + 9859a35 commit 38fd564
Showing 1 changed file with 17 additions and 15 deletions.
32 changes: 17 additions & 15 deletions templates/security/fips.html
Expand Up @@ -12,10 +12,10 @@
<div class="col-8">
<h1>FIPS for Ubuntu</h1>
<h2 class="p-heading--4">FIPS 140 validated cryptography for Linux workloads on Ubuntu</h2>
<p>Developing and running Linux workloads for U.S. government regulated and high-security environments requires a long and expensive validation process. Reduce your accreditation timeline and pass on your validation costs with the FIPS 140 certified cryptographic packages of <a href="/cloud/public-cloud">Ubuntu Pro</a> and <a href="/pro">Ubuntu Advantage</a>.</p>
<p>Developing and running Linux workloads for U.S. government regulated and high-security environments requires a long and expensive validation process. Reduce your accreditation timeline and pass on your validation costs with the FIPS 140 certified cryptographic packages of <a href="/pro">Ubuntu Pro on-premise</a> or on <a href="/cloud/public-cloud">Public Clouds</a>.</p>
<p>
<a href="/security/contact-us" class="p-button--positive js-invoke-modal">Contact us</a>
<a href="/pro" class="p-button">Get Ubuntu Advantage</a>
<a href="/pro" class="p-button">Get Ubuntu Pro</a>
</p>
</div>
<div class="col-4 u-hide--medium u-hide--small u-align--center">
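Review bot: The new link labels in the intro paragraph read "Ubuntu Pro on-premise" and "Public Clouds"; "on-premise" should be "on-premises", and "Public Clouds" is capitalised here while the "Reduce your compliance costs" card in this same template writes "public cloud" in lower case. Pick one form and use it in both places. Both the inline "Ubuntu Pro on-premise" link and the "Get Ubuntu Pro" button point at /pro, which is fine, but it is worth checking that /pro actually distinguishes the on-premises offering from the cloud one, since the sentence now promises that split.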
Expand All @@ -38,21 +38,21 @@ <h2 class="p-heading--4">FIPS 140 validated cryptography for Linux workloads on
<h3 class="p-card__title p-heading--3">Run regulated workloads</h3>
<hr class="u-sv1" />
<p class="p-card__content">
U.S Federal agencies and anyone deploying systems and cloud services for Federal government agency use, whether directly or through contractors, are required to run workloads with FIPS 140 validated cryptography. FIPS 140 has also been adopted outside of the public sector in industries where data security is heavily regulated, such as financial services (PCI-DSS), healthcare (HIPAA), and other sectors. <a href="/cloud/public-cloud">Ubuntu Pro</a> and <a href="/pro">Ubuntu Advantage</a> provide FIPS 140 certified cryptographic packages.
U.S Federal agencies and anyone deploying systems and cloud services for Federal government agency use, whether directly or through contractors, are required to run workloads with FIPS 140 validated cryptography. FIPS 140 has also been adopted outside of the public sector in industries where data security is heavily regulated, such as financial services (PCI-DSS), healthcare (HIPAA), and other sectors. <a href="/pro">Ubuntu Pro</a> provides FIPS 140 certified cryptographic packages.
</p>
</article>
<article class="col-4 p-card">
<h3 class="p-card__title p-heading--3">Reduce your compliance costs</h3>
<hr class="u-sv1" />
<p class="p-card__content">
Developing applications that comply with FIPS 140 can be a challenging task. Validating the used cryptography in-house involves a long and expensive process that requires cryptography expertise and involves reviews from a 3rd party lab and NIST. All these introduce costs and complexity that may delay your launch. Ensure that you ship on time and reduce both validation costs and time by using the Ubuntu validated standard open source packages. The <a href="/cloud/public-cloud">Ubuntu Pro</a> and <a href="/pro">Ubuntu Advantage</a> packages are validated on common CPU types and are also available for use on the <a href="/cloud/public-cloud">public cloud</a> with Ubuntu Pro FIPS.
Developing applications that comply with FIPS 140 can be a challenging task. Validating the used cryptography in-house involves a long and expensive process that requires cryptography expertise and involves reviews from a 3rd party lab and NIST. All these introduce costs and complexity that may delay your launch. Ensure that you ship on time and reduce both validation costs and time by using the Ubuntu validated standard open source packages. The <a href="/pro">Ubuntu Pro</a> packages are validated on common CPU types and are also available for use on the <a href="/cloud/public-cloud">public cloud</a>.
</p>
</article>
<article class="col-4 p-card">
<h3 class="p-card__title p-heading--3">Get NIST certified compliance</h3>
<hr class="u-sv1" />
<p class="p-card__content">
FIPS 140 ensures that cryptographic algorithms known to be secure are used for data protection, and they are thoroughly tested and attested by a laboratory accredited under the NIST’s Cryptographic and Security Testing (CST) <a href="https://www.nist.gov/nvlap/" />Laboratory Accreditation Program (LAP)</a> in the US and <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program">CCCS’s Cryptographic Module Validation Program (CMVP)</a> in Canada. <a href="/cloud/public-cloud">Ubuntu Pro</a> and <a href="/pro">Ubuntu Advantage</a> provide you with cryptographic packages that are tested and attested by atsec Information Security, a NIST accredited laboratory.
FIPS 140 ensures that cryptographic algorithms known to be secure are used for data protection, and they are thoroughly tested and attested by a laboratory accredited under the NIST’s Cryptographic and Security Testing (CST) <a href="https://www.nist.gov/nvlap/" />Laboratory Accreditation Program (LAP)</a> in the US and <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program">CCCS’s Cryptographic Module Validation Program (CMVP)</a> in Canada. <a href="/pro">Ubuntu Pro</a> provides you with cryptographic packages that are tested and attested by atsec Information Security, a NIST accredited laboratory.
</p>
</article>
</div>
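Review bot: The rewritten "Get NIST certified compliance" paragraph keeps the malformed anchor `<a href="https://www.nist.gov/nvlap/" />Laboratory Accreditation Program (LAP)</a>`: the opening tag is self-closed and then followed by a stray `</a>`. Since this line is being edited anyway, drop the `/` so the link text sits inside the anchor. While in this hunk, "U.S Federal" in the first card is missing the period after "S", and that line is also touched by the change.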
Expand All @@ -67,7 +67,7 @@ <h3 class="p-card__title p-heading--3">Get NIST certified compliance</h3>
<section class="p-strip--light">
<div class="u-fixed-width">
<h2>What is FIPS?</h2>
<p>FIPS 140-2 is a U.S. and Canada Government data protection standard. It defines security requirements related to the design and implementation of a cryptographic module. The reason for a data protection standard dedicated to cryptography is because cryptography today is omnipresent, and is very hard to get right in a constantly expanding threat model such as today’s Internet. The standard ensures that cryptographic algorithms known to be secure are used for data protection, and they are thoroughly tested and attested by a 3rd party. The testing and validation must be performed by a laboratory, which is accredited under the Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) and is part of NIST's <a href="https://www.nist.gov/nvlap/">National Voluntary Laboratory Accreditation Program (NVLAP)</a> in the US and <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program">CCCS's Cryptographic Module Validation Program (CMVP)</a> in Canada.</p>
<p>FIPS 140 is a U.S. and Canada Government data protection standard. It defines security requirements related to the design and implementation of a cryptographic module. The reason for a data protection standard dedicated to cryptography is because cryptography today is omnipresent, and is very hard to get right in a constantly expanding threat model such as today’s Internet. The standard ensures that cryptographic algorithms known to be secure are used for data protection, and they are thoroughly tested and attested by a 3rd party. The testing and validation must be performed by a laboratory, which is accredited under the Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) and is part of NIST's <a href="https://www.nist.gov/nvlap/">National Voluntary Laboratory Accreditation Program (NVLAP)</a> in the US and <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program">CCCS's Cryptographic Module Validation Program (CMVP)</a> in Canada.</p>
<p>FIPS 140-2 is required under multiple compliance regimes, such as the Federal Risk and Authorization Management Program (FedRAMP), the Federal Information Security Management Act of 2002 (FISMA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).</p>
</div>
</section>
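Review bot: The first paragraph under "What is FIPS?" now says "FIPS 140", but the unchanged paragraph right after it still opens with "FIPS 140-2 is required under multiple compliance regimes". If the intent is to stop naming a specific revision, update the second paragraph too; if the compliance regimes really are tied to 140-2, say so explicitly so the two paragraphs do not read as an oversight.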
Expand Down Expand Up @@ -148,19 +148,22 @@ <h2 id="public-cloud">Access FIPS images on the public cloud</h2>
</div>
</div>
</div>
<div class="u-fixed-width" style="padding-top: 2rem;">
<p>Interested in FIPS for container images? <a href="/blog/fips-ubuntu-container-security-updates">Read more on this blog</a>.</p>
</div>
</section>

<section class="p-strip">
<div class="u-fixed-width">
<h2 id="modules">Certified packages under FIPS 140</h2>
<p class="u-sv3">The following list contains the FIPS 140 validated components that are available with <a href="/pro">Ubuntu Advantage</a> and <a href="/cloud/public-cloud">Ubuntu Pro</a>. The validated modules are API and ABI compatible with the default Ubuntu packages. The validation testing for Ubuntu was performed by atsec Information Security, a NIST accredited laboratory.</p>
<p class="u-sv3">The following list contains the FIPS 140 validated components that are available with <a href="/pro">Ubuntu Pro</a>. The validated modules are API and ABI compatible with the default Ubuntu packages. The validation testing for Ubuntu was performed by atsec Information Security, a NIST accredited laboratory.</p>
<table class="u-sv3">
<thead>
<tr>
<th></th>
<th>Ubuntu 16.04 LTS<br>on x86-64, IBM Power8 and IBM Z</th>
<th>Ubuntu 18.04 LTS<br>on x86-64 and IBM Z</th>
<th>Ubuntu 20.04 LTS<br>on x86-64 and IBM Z<sup><a href="#ibm">*</a></sup></th>
<th>Ubuntu 20.04 LTS<br>on x86-64 and IBM Z</th>
</tr>
</thead>
<tbody>
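Review bot: The new container-images block is spaced with an inline `style="padding-top: 2rem;"` on the wrapper div, while the rest of this template handles spacing through classes (`u-sv3`, `p-strip`). Move the spacing into a class so it stays consistent with the stylesheet and does not need a style-src exception if a content security policy is applied. The link text "Read more on this blog" is also not descriptive on its own; naming the topic in the anchor helps screen-reader users. The removal of the `#ibm` footnote marker from the 20.04 column header looks correct given the footnote itself is deleted later in this commit.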
Expand All @@ -174,7 +177,7 @@ <h2 id="modules">Certified packages under FIPS 140</h2>
<a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3647">#3647</a>, <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/4018">#4018</a>, <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3664">#3664</a> (AWS),<br><a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3683">#3683</a> (Azure), <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3954">#3954</a> (GCP)
</td>
<td>
<a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3928">#3928</a>, <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4132">#4132</a> (AWS), <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4126">#4126</a> (Azure), <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4127">#4127</a> (GCP)
<a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4366">#4366</a>, <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4132">#4132</a> (AWS), <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4126">#4126</a> (Azure), <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4127">#4127</a> (GCP)
</td>
</tr>
<tr>
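Review bot: In the 20.04 cell, certificate #3928 is replaced by #4366 in both the href and the link text, yet the commit message describes this only as a copy update. Certificate numbers are what auditors check against the CMVP listing, so the PR description should state why the number changed and confirm that #4366 covers both platforms named in the column header (x86-64 and IBM Z), since the "under validation" footnote for IBM Z is removed in the same commit. Separately, the unchanged 18.04 cell mixes "/Certificate/" and "/certificate/" in its URLs; worth normalising while editing this table.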
Expand All @@ -186,7 +189,7 @@ <h2 id="modules">Certified packages under FIPS 140</h2>
<a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3633">#3633</a>
</td>
<td style="vertical-align: middle;" rowspan="3">
<a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3966">#3966</a>
<a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4292">#4292</a>
</td>
</tr>
<tr>
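Review bot: The cell changed from #3966 to #4292 carries `rowspan="3"`, so this one edit changes the certificate shown for three package rows at once. Please confirm that #4292 applies to all three rows the cell spans, not just the first, because the rows themselves are outside the visible context and a reader cannot verify that from this diff.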
Expand Down Expand Up @@ -233,7 +236,6 @@ <h2 id="modules">Certified packages under FIPS 140</h2>
</tr>
</tbody>
</table>
<p id="ibm">*The IBM Z packages are <a href="https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List">under validation</a>.</p>
<a class="p-button" href="/security/certifications/docs/fips">Read more about FIPS</a>
<a class="p-button--positive" href="/pro">Access the FIPS validated modules</a>
</div>
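Review bot: Deleting the `<p id="ibm">` footnote removes the target of any `href="#ibm"` link. The marker in the 20.04 column header is removed in this commit, but the table body between the visible hunks is not shown, so please check that no other `#ibm` reference remains in the template; a leftover one would become a dead in-page link. It would also help to note in the PR which certificate now covers IBM Z, since the page no longer says those packages are under validation.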
Expand All @@ -242,24 +244,24 @@ <h2 id="modules">Certified packages under FIPS 140</h2>
<section class="p-strip--light">
<div class="u-fixed-width">
<h2>FIPS packages and security updates</h2>
<p>Each FIPS 140-2 certificate is valid for 5 years. However, vulnerabilities happen, and it is our intention to publish fixed packages quickly, irrespective of their certification status. We therefore provide two alternative options. An option to remain with the certified cryptographic packages (called the 'fips' option), and an option to use the certified packages but include security fixes (called the 'fips-updates' option) when available. Check <a href="/security/certifications/docs/fips-enablement">our documentation pages on how to enable these options</a>.</p>
<p>We recommend enabling the 'fips-updates' option that includes the security fixes. The packages from the 'fips-updates' option are updated to include high and critical security fixes during the whole product lifecycle including the <a href="/security/esm">Expanded Security Maintenance (ESM)</a> phase.</p>
<p>Each FIPS 140 certificate is valid for 5 years. However, vulnerabilities happen, and it is our goal to publish fixed packages quickly, irrespective of their certification status. We therefore provide two alternative options. An option to remain with the certified cryptographic packages (called the 'fips' option), and an option to use the certified packages but include security fixes (called the 'fips-updates' option) when available. Check <a href="/security/certifications/docs/fips-enablement">our documentation pages on how to enable these options</a>.</p>
<p>We strongly recommend enabling the 'fips-updates' option that includes the security fixes. The packages from the 'fips-updates' option are updated to include high and critical security fixes during the whole product lifecycle including the <a href="/security/esm">Expanded Security Maintenance (ESM)</a> phase.</p>
</div>
</section>


<section class="p-strip">
<div class="u-fixed-width">
<h2>Free for personal use</h2>
<p>Canonical provides Ubuntu Advantage Essential subscriptions, which include FIPS, free of charge for individuals on up to 3 machines. For our community of Ubuntu members, we will gladly increase that to 50 machines.</p>
<p>Canonical provides Ubuntu Pro subscriptions, which include FIPS, free of charge for individuals on up to 5 machines. For our community of Ubuntu members, we will gladly increase that to 50 machines.</p>
<a class="p-button--positive" href="/pro">Get a free subscription</a>
</div>
</section>

<section class="p-strip--light">
<div class="u-fixed-width">
<h2>FIPS 140-3 and Ubuntu</h2>
<p class="u-sv3">In September 2021, NIST began phasing out FIPS 140-2. Certifications under FIPS 140-2 remain valid no longer than September 2026 and new products are expected to be certified <a href="https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-standards">under FIPS 140-3</a>. FIPS 140-3 is a combined effort of NIST and ISO with the Security and Testing requirements for cryptographic modules being published as ISO/IEC 19790 and ISO/IEC 24759. Canonical is preparing Ubuntu for the new certification, and intends to provide FIPS 140-3 certified cryptographic packages on a future LTS release of Ubuntu.</p>
<p class="u-sv3">In September 2021, NIST phased out FIPS 140-2. Certifications under FIPS 140-2 will no longer be valid after September 2026 and new products are expected to be certified <a href="https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-standards">under FIPS 140-3</a>. FIPS 140-3 is a combined effort of NIST and ISO with the Security and Testing requirements for cryptographic modules being published as ISO/IEC 19790 and ISO/IEC 24759. Canonical is preparing Ubuntu for the new certification, and will provide FIPS 140-3 certified cryptographic packages on future LTS releases of Ubuntu, starting with 22.04 Jammy Jellyfish.</p>
</div>
</section>
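Review bot: In the "FIPS 140-3 and Ubuntu" paragraph, "NIST phased out FIPS 140-2" in the past tense sits awkwardly next to the following sentence, which says 140-2 certifications stay valid until September 2026; the previous wording "began phasing out" matched that timeline better. The same paragraph moves from "intends to provide" to "will provide ... starting with 22.04 Jammy Jellyfish", which is a firm commitment on a compliance page and should be confirmed with the certification owners before merge. The free-tier text also changes from 3 to 5 machines and from "Ubuntu Advantage Essential" to "Ubuntu Pro"; please confirm both against the current subscription terms.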
