- Bug
- Resolution: Done
- Normal
- None
- 9.x
- Moderate
- rhel-sst-ccs
- ssg_front_door
- 2
- False
- False
- Yes
- Red Hat Enterprise Linux
- CCS 2025-13, CCS 2025-14, CCS 2025-15, CCS 2025-16, CCS 2025-17
- None
- Done
- Done
- Not Required
Document link:
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.6_release_notes/index
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/interactively_installing_rhel_from_installation_media/index
Section number and name:
- Release Notes: Chapter 4: Important changes to external kernel parameters
- Installation: Part II. Manually installing Red Hat Enterprise Linux
- Chapter 7. Booting the installation media
Describe the issue:
Due to changes in how the DISA STIG Security Profile handles FIPS, it is no longer enabled at first boot. To be FIPS compliant, it must be enabled before installation starts. There is no mention of this in either the release notes for RHEL 9.6 or in the installation documentation. If a customer requires hardening, they will usually pick a security profile and use that to harden the system. Now that FIPS is not added to the kernel with the security profile, customers will be out of compliance without knowing it.
Impact of this issue:
This affects anyone using a Security Profile that enables FIPS, not just the DISA STIG. This will cause customers to be out of compliance, causing them to have to rebuild any system they have built with RHEL 9.6, expecting the Security Profile to have enabled it.
Suggestions for improvement:
Add a part in both the RHEL Release Notes and the Installation documentation stating that, to be FIPS compliant, you must enable FIPS in the kernel before the installation GUI starts.
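
An audit check for the situation described above, added here as an example and not part of the original report or of Red Hat's tooling: it compares the `fips=` kernel argument with the kernel's FIPS flag so that systems built from a security profile without FIPS can be found. The function name `fips_state` and its result strings are this example's own; a result of `enabled` shows only the running state, not that FIPS was on before installation started.

```shell
#!/bin/sh
# fips_state [CMDLINE_FILE] [FLAG_FILE]
# Hypothetical helper (not a RHEL tool). Defaults read the live system;
# passing file paths lets the check run against collected evidence.
# Prints: enabled | disabled | inconsistent | unknown
fips_state() {
    cmdline_file=${1:-/proc/cmdline}
    flag_file=${2:-/proc/sys/crypto/fips_enabled}

    # Without both sources the state cannot be determined.
    if [ ! -r "$cmdline_file" ] || [ ! -r "$flag_file" ]; then
        echo unknown
        return 2
    fi

    # Kernel-reported FIPS flag: 1 when FIPS mode is active, else 0.
    flag=$(tr -d '[:space:]' < "$flag_file")

    # Value of fips= on the kernel command line; if the argument is
    # repeated, this example uses the last occurrence.
    arg=$(tr ' ' '\n' < "$cmdline_file" | sed -n 's/^fips=//p' | tail -n 1)

    case "$flag:$arg" in
        1:1)
            echo enabled
            return 0 ;;
        0:|0:0)
            # The case the report warns about: profile applied, FIPS absent.
            echo disabled
            return 1 ;;
        *)
            # Flag and boot argument disagree; inspect the boot configuration.
            echo inconsistent
            return 1 ;;
    esac
}

# Usage on a live host:  fips_state || echo "host is not running in FIPS mode"
```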
- relates to
  - RHEL-91929 [RHEL-10] Add a menu entry to the boot.iso to boot with fips=1 (Release Pending)
  - RHEL-91930 [RHEL-9] Add a menu entry to the boot.iso to boot with fips=1 (Release Pending)
- mentioned on