Compliance automation

Run regulated and high security workloads on Ubuntu

Ubuntu Pro has been designed to simplify your security compliance burden for frameworks such as NIST, FedRAMP, PCI-DSS, ISO27001 or CIS. Pro includes security vulnerability patching for up to 12 years, FIPS-validated cryptographic modules, and automated system hardening for CIS and DISA STIG, and can be deployed on-premise or in the public cloud.

Contact us Read the documentation ›

Need information about the CRA? Canonical is committed to delivering Cyber Resilience Act (CRA) compliant Ubuntu. To learn more, contact our sales team.

Access certifications for high security environments

Ubuntu Pro provides access to FIPS 140 certified cryptographic packages, allowing you to deploy workloads that need to operate under compliance regimes like FedRAMP, HIPAA, and PCI-DSS. Canonical works with NIST-approved testing labs to certify the core cryptographic modules within Ubuntu for FIPS 140 requirements, enabling applications to use these libraries in compliance with the FIPS standard.

Explore our certifications

Automate hardening with the Ubuntu Security Guide

The default configuration of Ubuntu balances usability and security. However, systems carrying dedicated workloads can be further hardened to reduce their attack surface. Canonical provides the Ubuntu Security Guide to automatically harden systems to DISA STIG and CIS benchmarks profiles, and generate audit reports. Available with Ubuntu Pro on-premise or ready-built on public clouds.

See our compliance profiles

Fix security vulnerabilities across the estate

Each Ubuntu LTS release enables state of the art protection against vulnerability exploitation and malware. Canonical has a public vulnerability disclosure policy and vulnerabilities are fixed with automated security updates and kernel livepatches and publicly disclosed with our security notices. We further provide machine readable OVAL CVE output to be used by OpenSCAP and other 3rd party vulnerability management tools. Critical CVEs are typically patched within 24 hours.

See our security features

How does Ubuntu enable your compliance with FIPS, and DISA-STIG?

The operating system is the cornerstone of a security compliance programme. Ubuntu Pro enables functionality such as FIPS-certified crypto libraries and system hardening with the Ubuntu Security Guide to help meet stringent government security standards. Watch this webinar to find out more.

Maximizing security and compliance in the US public sector with Ubuntu Pro

Navigating the maze of complex compliance requirements facing the US Public Sector is a daunting prospect. Confusing abbreviations and terminology only make charting this course more difficult. If you’re looking to understand what FIPS, FedRAMP and DISA-STIG are all about, this whitepaper is for you.

Download the whitepaper
Whitepaper-Containers-Security

A guide to Infrastructure Hardening

The ever-present threats of ransomware and data breaches make it imperative to lock down systems and prevent attackers from gaining a foothold. Using industry best-practice guidelines such as the CIS benchmarks, this whitepaper will walk you through the process of hardening Linux-based deployments.

Download the whitepaper
Whitepaper-Containers-Security

Ubuntu compliance & hardening profiles

The default configuration of Ubuntu LTS releases balances between usability, performance and security. Mission-critical systems can be further hardened to reduce their attack surface. Reducing the attack surface is a widely accepted security best practice, and is often required by cybersecurity frameworks. Canonical works with industry leading organisations, such as CIS and DISA, to produce security hardening benchmarks for Ubuntu.

These security benchmarks contain hundreds of steps which can be prohibitively time-consuming to apply manually, so we provide the Ubuntu Security Guide (USG) - a tool based on OpenSCAP - to automate the process. USG can generate remediation scripts to harden a system in one procedure, as well as producing audit reports detailing the hardening rules that have been applied. USG profiles are available for CIS benchmarks and DISA STIGs.

Center for Internet Security (CIS) certified benchmarks for Ubuntu systems

USG profile:

  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Defence Information System Agency (DISA) Security Technical Implementation Guides (STIGs)

USG profile:

  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS

Configuration guides

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Contact us

Ubuntu FIPS certifications

We strive to make Ubuntu the platform of choice in regulated and high security environments. Ubuntu Pro enables access to the certification artifacts as well as the necessary tooling for such environments. The following is a list of the certifications available with Ubuntu Pro. Click on each for more detailed information.

FIPS 140-2 Level 1

These modules are NIST-certified:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
FIPS 140-3 Level 1

These modules have been assessed by a NIST-approved testing laboratory and are awaiting final certification by CMVP:

  • Ubuntu 22.04 LTS
Contact us

Frequently asked questions about security certifications

How do I harden my Ubuntu system?

Hardening always involves a tradeoff with usability and performance. The default configuration of Ubuntu LTS releases, as provided by Canonical, balances between usability, performance and security. However, systems with a dedicated workload are well positioned to benefit from hardening. You can reduce your workload’s attack surface by applying an Industry accepted baseline. At Canonical we recommend applying the Center for Internet Security (CIS) benchmarks for hardening the configuration of Ubuntu.

How do I comply with PCI-DSS?

PCI-DSS is a payment industry standard and any company that stores, processes or transmits payment card or cardholder information is required to comply with it. The standard is defined by the Payment Card Industry council and defines measures and processes to secure online financial transactions. The standard is about making business as usual processes like monitoring of security controls, timely response, review of environmental and organizational changes, as well as review of hardware and software being under support by its vendors. For companies with large volumes of transactions compliance with the standard is enforced by an audit of a Qualified Security Assessor (QSA).

Achieving and maintaining compliance is a complex and costly process that involves business processes in addition to software requirements. Ubuntu by Canonical contains software and security controls, such as disk encryption, password settings configuration, cryptographic compliance with FIPS140-2, CIS hardening as well as a comprehensive Enterprise software maintenance program, to achieve and maintain compliance with the standard.

Contact us

Security Compliance and Certification documentation

Read the docs