–

Key Points for OpenShift bundled Products:

• Maintain RHEL 8-based solution on OCP 4.12: This is the only OCP version currently consuming FIPS-validated cryptographic modules.
• RHEL 8 Support: You can stay on RHEL 8 until September 2026. Rebasing on rhel86-els is optional; using ubi8:latest meets FIPS 140 requirements.
• RHEL 9 Support: Use the rhel-els base image to meet FIPS 140 requirements, specifically rhel9.2-els (optionally rhel94-els).
• Golang Operators: Follow the proper rules for compliance (link).
• Release Pipeline: It already tests for FIPS if your operator is "Designed for FIPS." Your solution should pass without error or warning.
• FIPS 140 subversions: You can mix FIPS 140-2 (RHEL 8-based) and FIPS 140-3 (RHEL 9-based) in the same solution.
• Staying on UBI9 is not an option
• If you have an operator that manages an OpenShift bundled product, the FIPS mandate applies to both the operator and the managed product (e.g. ACS, Quay)
• Disconnected support should mostly be automatic since release pipelines generates the relevant metadata and updates image references already
• Disconnected support will be mandated in the same way and with the same timelines as FIPS 140
• For operators or products that genuinely do not work or do not provide value in disconnected environments, permanent test waivers can be obtained

On disconnected support: we already claim compliance, however it should be double-checked, and have a testing procedure (preferably automated) to ensure it