Why OS hardening is no longer enough: the case for infrastructure-level supply chain security

The attack surface your auditors ask about is not the one attackers use.

Enterprise Linux security has matured significantly. Organizations run hardened operating systems, enforce FIPS 140-3 validated cryptography, manage CVEs (Common Vulnerabilities and Exposures) with discipline, and generate audit evidence that satisfies compliance frameworks. That work matters. It is also incomplete.

The infrastructure beneath the OS, such as firmware, boot components, baseboard management controllers (BMCs), and vendor-supplied binaries, operates largely outside the reach of standard package scanning and CVE management tools. Vulnerabilities in that layer do not appear in OS-level patch reports, and OS updates do not remediate them. An attacker who exploits a firmware-level vulnerability can execute privileged code below the operating system and implant persistent malicious code that survives an OS reinstallation. That is a category of risk that OS hardening, by design, cannot address.

This is why CIQ is announcing a strategic partnership with Binarly.

The gap between hardened and secure

The security industry has treated firmware as a niche concern for most of the past decade. That posture has changed, driven by concrete evidence rather than theoretical risk. Binarly's research has consistently surfaced high-severity vulnerabilities in UEFI firmware across enterprise device ecosystems, affecting hardware from multiple major vendors, and the pattern is structural, not incidental. The firmware supply chain is broadly broken, with known vulnerabilities that are extraordinarily difficult to fix at scale.

Binarly's Transparency Platform v3.0 fuses live threat intelligence signals with an exploitation-aware scoring system to help enterprise teams prioritize the mitigation of vulnerabilities with the most immediate risk. The platform performs binary-level analysis without requiring source code, which means it surfaces vulnerabilities in shipped software and vendor-supplied components that source-based scanning cannot reach.

That capability now integrates with CIQ's commercially supported, FIPS-validated Enterprise Linux platform to create a continuous chain of evidence and remediation from the firmware layer through the OS and into production operations.

Why this matters for enterprise Linux environments

Enterprise Linux is not a monolith. It runs on physical servers with firmware from a dozen different hardware vendors. It runs in virtualized environments where hypervisor and BMC security sit beneath everything the OS can observe. It runs in regulated industries where auditors increasingly require supply chain documentation that goes beyond package manifests.

The Software Bill of Materials (SBOM) requirement is illustrative. Regulatory frameworks and government procurement requirements now treat SBOMs as baseline documentation, not optional diligence. Binarly generates SBOMs and Cryptography Bill of Materials (CBOMs) at the binary level, including full transitive dependency mapping. CIQ contributes OS-level compliance evidence and FIPS 140-3 validated components through RLC Pro (Rocky Linux from CIQ Pro). Together, the integration gives security and compliance teams documentation that spans the full infrastructure stack, from firmware to OS, in a form auditors can act on.

Remediation structure matters as much as visibility. Detecting a firmware vulnerability is one problem. Knowing which systems are at highest risk, which vulnerabilities are actively exploitable, and how to move from finding to fix in a production environment is a separate, harder problem. The Binarly platform prioritizes risk with actionable context. CIQ's enterprise support model provides the operational framework to put that context into motion at scale.

Why now

The threat model for infrastructure has shifted. Sophisticated actors target the layers that traditional OS security tools do not monitor precisely because those layers are difficult to defend. Firmware is a single point of failure in a device, and firmware compromise is one of the stealthiest methods by which attackers can take over infrastructure at scale: it can subvert OS and hypervisor visibility while persisting undetected for extended periods.

Simultaneously, the regulatory environment has raised the bar on what supply chain assurance requires. SBOMs, cryptographic inventories, and evidence of transitive dependency management are no longer aspirational. They are procurement and compliance requirements in an expanding set of industries and government contexts.

Organizations that run Rocky Linux on production infrastructure deserve a security posture that matches the seriousness of the environments they operate in. That posture requires coverage of the full stack, not just the OS layer.

The Binarly partnership closes the gap between what OS hardening delivers and what supply chain assurance actually requires. We are building this integration actively, with milestones planned across the CIQ product portfolio. More details will follow as the program matures.
