Feature Overview (aka. Goal Summary)  

An elevator pitch (value statement) that describes the Feature in a clear, concise way.  Complete during New status.

Red Hat recently addressed an issue with FIPS-readiness of core go OpenShift binaries. As part of that work, engineering developed a scanner to validate FIPS-readiness for these binaries and plans to make this scanner easily available to all OpenShift customers. https://access.redhat.com/security/cve/cve-2023-3089 

Goals (aka. expected user outcomes)

The observable functionality that the user now has as a result of receiving this feature. Complete during New status.

OpenShift customers can deploy the FIPS-readiness scanner to their clusters, easily use it to verify the status (FIPS ready or not) of go binaries delivered by Red Hat and easily provide those results to their auditor. 

Requirements (aka. Acceptance Criteria):

A list of specific needs or objectives that a feature must deliver in order to be considered complete.  Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc.  Initial completion during Refinement status.

• The FIPS scanner (https://github.com/openshift/check-payload) is available from the Red Hat Catalog for deployment to any OpenShift cluster. 
• The manual steps provided in the following document for static testing are automated and easily executed by customers. https://docs.google.com/document/d/154dz-Ipun8Mzb0alOwQN2AUakRBRQZKzdferLHyJads/edit?usp=sharing 
• The results are returned and stored for future reference.

Use Cases (Optional):

Include use case diagrams, main success scenarios, alternative flow scenarios.  Initial completion during Refinement status.

Scan RH binaries that RH claims are FIPS compliant to verify FIPS readiness.

Include this check as part of the Compliance Operator profile for scanning for FISMA moderate and FISMA high compliance. 

Questions to Answer (Optional):

Include a list of refinement / architectural questions that may need to be answered before coding can begin.  Initial completion during Refinement status.

Determine the best way to productize the scanner. Options include delivering as part of the optional Compliance Operator. 

Determine whether there is a way to warn if a patch that is about to be applied will violate FIPS compliance for a binary that is currently FIPS compliant. For example, deploying an update that includes an OpenSSL version that is not yet FIPS validated would change the compliance status. For this to be useful, we would need to check the binary prior to its being deployed. This use case may be better served via ACS which already integrates with container registries. 

Out of Scope

High-level list of items that are out of scope.  Initial completion during Refinement status.

Checks that can only be run in the Red Hat build/CI and not on the final binary. 

Background

Provide any additional context is needed to frame the feature.  Initial completion during Refinement status.

Addressing this issue took significant engineering effort. We want to increase customer's trust in our deliverables in future by enabling them to validate the status for themselves. 

Customer Considerations

Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.

FIPS is required for most US Government customers and for many commercial customers who sell to the US Government. Customers need a way to demonstrate compliance to their auditors. 

Documentation Considerations

Provide information that needs to be considered and planned so that documentation will meet customer needs.  Initial completion during Refinement status.

Documentation on deployment, running the scanner, and understanding results is required. 

Interoperability Considerations

Which other projects and versions in our portfolio does this feature impact?  What interoperability test scenarios should be factored by the layered products?  Initial completion during Refinement status.

The ACS team has expressed interest in making this functionality available to customers to validate their custom workloads. This would be a differentiator for ACS. Integrating the scanner with the Compliance Operator would simplify the ability for ACS to leverage this work for custom workloads.