The recent changes to CentOS have caused FedRAMP to look a little more closely at it. In particular, any system that relies on the RHEL FIPS validation while running CentOS will have that validation claim declared invalid. It looks like I’m a bit late on posting this. I was informed by a commenter on another post of mine.
If you’re in a really tight bind, maybe you could try to leverage openssl(?). But overall, my thoughts are that the JAB is now strictly going by which operating systems are listed with the validated module.
At my first FedRAMP audit there wasn’t an AWS-approved service for encryption keys. The auditors at the time really wanted to see us using our own HSM or something else on the approved list. Some good news for those of you in AWS: KMS is a good alternative these days.
These days I’m no longer involved in running the FedRAMP audits for my organization. Instead, I’m building infrastructure and shipping product as quickly as possible. I might get a little behind, but I do still keep up to date with FedRAMP news.