On 04/28/2015 06:05 PM, Akemi Yagi wrote:
On Tue, Apr 28, 2015 at 3:10 PM, Johnny Hughes johnny@centos.org wrote:
CentOS is not approved for DOD use. In fact, CentOS is not now, nor has it ever been *certified* for anything. Certifications require people to PAY to certify a product.
Specifically, EAL4 Certification, a requirement for the DOD, costs up to 2.5 million dollars .. see this link:
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level#Impact_on_cost_and_s...
That cost would be for each main version of CentOS (2.1, 3, 4, 5, 6, and 7) .. so the cost to have all 6 previous major versions certified would be:
6 x $2.5 Million = $15 Million dollars.
Since CentOS is given away for free ... I can't afford to pay 15 million dollars to have it EAL4 certified .. can anyone on this list?
Certifications and security testing and assurance, along with a Service Level Agreement for fixing bugs is why people who require any of those things need to buy RHEL.
Incidentally, someone has just started a thread related to DoD in the RH community discussion session entitled, "A DoD version of RHEL - A money maker for RH? Maybe!" :
There have been similar requests in the past. At one point someone on forge.mil was working on a rebuild which met STIG requirements, but there were all sorts of issues with that. While I'm not in sales, I feel safe in speculating that RH's sales folks work rather hard to make sure the DOD as a whole stays happy.
Jason and Johnny are both right, because the DOD is a rather large entity with a stupidly complex array of regulations. What works in one command doesn't always fly in another even within a branch, let alone jumping between branches.
TL;DR. Answer varies wildly on approval because the DOD is a GIANT organization with multiple levels of interwoven regulations, networks, and varied systems.
Article is a bit dated, but I don't imagine the situation has improved since I stopped doing Defense consulting.
http://www.wired.com/2010/10/read-em-all-pentagons-193-mind-numbing-cyber-se...