Feature
Resolution: Obsolete
Major
0% To Do, 0% In Progress, 100% Done
HMS services to be scoped for impact here: Image Builder, Content Sources, Launch and soon Pulp.
We need to figure out the requirements from ProdSec (contacts: Przemyslaw Roguski <proguski@redhat.com> & Jeremy West <jwest@redhat.com>) and scope the work from our side proactively.
From Perry Myers, Thu, Feb 29, 2024:
[FedRAMP] Insights and all of consoleDot have been dragged into FedRAMP (Compliance). This means a whole additional slew of RHEL components will be added to FedRAMP that we originally did not anticipate. We're waiting for a list to review next week. We know Ruby is impacted (as we found out about this via an escalation for a Ruby Moderate CVE that had been closed WONTFIX from back prior to moving to Jira). ProdSec realizes this was a communication issue and should have proactively told us before adding new scope to FedRAMP.
There is work in progress on the Insights side (Frank Jansen); linking the tickets here for our reference to keep an eye on the common ground:
We're tracking the work on ensuring that the process includes all ConsoleDot services (incl. Insights/HMS) in RHIN-1185; at this time specifically we are focusing on the CVE mitigation work in RHINENG-8618.