-----Original Message----- From: Jim Perrin Sent: Tuesday, April 28, 2015 20:45
On 04/28/2015 06:05 PM, Akemi Yagi wrote:
On Tue, Apr 28, 2015 at 3:10 PM, Johnny Hughes johnny@centos.org wrote:
CentOS is not approved for DOD use. In fact, CentOS is not now, nor has it ever been *certified* for anything. Certifications require people to PAY to certify a product.

Specifically, EAL4 Certification, a requirement for the DOD, costs up to 2.5 million dollars .. see this link:
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level#Impact_on_cost_and_schedule

That cost would be for each main version of CentOS (2.1, 3, 4, 5, 6, and 7) .. so the cost to have all 6 previous major versions certified would be:
6 x $2.5 Million = $15 Million dollars.

Since CentOS is given away for free ... I can't afford to pay 15 million dollars to have it EAL4 certified .. can anyone on this list?

Certifications and security testing and assurance, along with a Service Level Agreement for fixing bugs is why people who require any of those things need to buy RHEL.
Incidentally, someone has just started a thread related to DoD in the RH community discussion session entitled, "A DoD version of RHEL - A money maker for RH? Maybe!" :
There have already been high level conversation between DISA JIE and RH CTO with regards to that. The short story RH is built to the greater good of their customers. DoD will have to continue to apply their configuration updates per STIG.
There have been similar requests in the past. At one point someone on forge.mil was working on a rebuild which met STIG requirements, but there were all sorts of issues with that. While I'm not in sales, I feel safe in speculating that RH's sales folks work rather hard to make sure the DOD as a whole stays happy.

A good topic for another thread, we do that in our office.

Jason and Johnny are both right, because the DOD is a rather large entity with a stupidly complex array of regulations. What works in one command doesn't always fly in another even within a branch, let alone jumping between branches.

There is a reciprocity between DAAs for ATOs. If any DAA has approved A then any other DAA can say ok because the other DAA said ok.

It is at these lower levels where resistance is encountered.
E.g. we do not use X because Y.
TL;DR. Answer varies wildly on approval because the DOD is a GIANT organization with multiple levels of interwoven regulations, networks, and varied systems.
Article is a bit dated, but I don't imagine the situation has improved since I stopped doing Defense consulting.
http://www.wired.com/2010/10/read-em-all-pentagons-193-mind-numbing-cyber-security-regs/
The securing of RH is the same as securing CentOS, but I strongly suggest purchasing RH when used in all MAC I/II (https://en.wikipedia.org/wiki/Mission_assurance) systems and for all production systems.
The CJCS put out a memo to treat all OSS as COTS, but the responsibility is still on the systems' CONOPS to address (self) support of the OSS. This is why you should purchase RH, for the support.
-Jason