nowhere does it say that centos is approved for use in DoD. it is not on the APL, only RedHat and SuSE
On 4/28/2015 9:49 AM, bobby Orellano wrote:
nowhere does it say that centos is approved for use in DoD. it is not on the APL, only RedHat and SuSE
DoD approval requires spending lots of money jumping through arbitrary hoops. Do you wish to pay for this?
skimming the requirements, it also requires extensive documentation of said 'Product'. Do you wish to write this?
On 04/28/2015 02:30 PM, John R Pierce wrote:
On 4/28/2015 9:49 AM, bobby Orellano wrote:
nowhere does it say that centos is approved for use in DoD. it is not on the APL, only RedHat and SuSE
DoD approval requires spending lots of money jumping through arbitrary hoops. Do you wish to pay for this?
skimming the requirements, it also requires extensive documentation of said 'Product'. Do you wish to write this?
CentOS is not approved for DOD use. In fact, CentOS is not now, nor has it ever been *certified* for anything. Certifications require people to PAY to certify a product.
Specifically, EAL4 Certification, a requirement for the DOD, costs up to 2.5 million dollars .. see this link:
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level#Impact_on_cost_and_s...
That cost would be for each main version of CentOS (2.1, 3, 4, 5, 6, and 7) .. so the cost to have all 6 previous major versions certified would be:
6 x $2.5 Million = $15 Million dollars.
Since CentOS is given away for free ... I can't afford to pay 15 million dollars to have it EAL4 certified .. can anyone on this list?
Certifications and security testing and assurance, along with a Service Level Agreement for fixing bugs is why people who require any of those things need to buy RHEL.
Thanks, Johnny Hughes
-----Original Message-----
From: Johnny Hughes
Sent: Tuesday, April 28, 2015 18:10

> On 04/28/2015 02:30 PM, John R Pierce wrote:
>> On 4/28/2015 9:49 AM, bobby Orellano wrote:
>>> nowhere does it say that centos is approved for use in DoD. it is not on the APL, only RedHat and SuSE
>> DoD approval requires spending lots of money jumping through arbitrary hoops. Do you wish to pay for this?
>> skimming the requirements, it also requires extensive documentation of said 'Product'. Do you wish to write this?

I have. (well not EAL4, but I have ATOs with Centos 6)

> CentOS is not approved for DOD use. In fact, CentOS is not now, nor has it ever been *certified* for anything. Certifications require people to PAY to certify a product.
> Specifically, EAL4 Certification, a requirement for the DOD, costs up to 2.5 million dollars .. see this link:
> http://en.wikipedia.org/wiki/Evaluation_Assurance_Level#Impact_on_cost_and_s...
To clarify, you do not need to be EAL4 Certified to be used at DoD, you need approval from your DAA (http://en.wikipedia.org/wiki/Designated_Approving_Authority). And your systems will need an ATO (https://ia.signal.army.mil/docs/DIACAPdefinitions.pdf).
-Jason
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Jason Pyeron                  PD Inc. http://www.pdinc.us
Principal Consultant          10 West 24th Street #100
+1 (443) 269-1555 x333        Baltimore, Maryland 21218
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
On Tue, Apr 28, 2015 at 3:10 PM, Johnny Hughes johnny@centos.org wrote:
CentOS is not approved for DOD use. In fact, CentOS is not now, nor has it ever been *certified* for anything. Certifications require people to PAY to certify a product.
Specifically, EAL4 Certification, a requirement for the DOD, costs up to 2.5 million dollars .. see this link:
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level#Impact_on_cost_and_s...
That cost would be for each main version of CentOS (2.1, 3, 4, 5, 6, and 7) .. so the cost to have all 6 previous major versions certified would be:
6 x $2.5 Million = $15 Million dollars.
Since CentOS is given away for free ... I can't afford to pay 15 million dollars to have it EAL4 certified .. can anyone on this list?
Certifications and security testing and assurance, along with a Service Level Agreement for fixing bugs is why people who require any of those things need to buy RHEL.
Incidentally, someone has just started a thread related to DoD in the RH community discussion session entitled, "A DoD version of RHEL - A money maker for RH? Maybe!" :
https://access.redhat.com/comment/913243
Akemi
On 04/28/2015 06:05 PM, Akemi Yagi wrote:
On Tue, Apr 28, 2015 at 3:10 PM, Johnny Hughes johnny@centos.org wrote:
CentOS is not approved for DOD use. In fact, CentOS is not now, nor has it ever been *certified* for anything. Certifications require people to PAY to certify a product.
Specifically, EAL4 Certification, a requirement for the DOD, costs up to 2.5 million dollars .. see this link:
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level#Impact_on_cost_and_s...
That cost would be for each main version of CentOS (2.1, 3, 4, 5, 6, and 7) .. so the cost to have all 6 previous major versions certified would be:
6 x $2.5 Million = $15 Million dollars.
Since CentOS is given away for free ... I can't afford to pay 15 million dollars to have it EAL4 certified .. can anyone on this list?
Certifications and security testing and assurance, along with a Service Level Agreement for fixing bugs is why people who require any of those things need to buy RHEL.
Incidentally, someone has just started a thread related to DoD in the RH community discussion session entitled, "A DoD version of RHEL - A money maker for RH? Maybe!" :
There have been similar requests in the past. At one point someone on forge.mil was working on a rebuild which met STIG requirements, but there were all sorts of issues with that. While I'm not in sales, I feel safe in speculating that RH's sales folks work rather hard to make sure the DOD as a whole stays happy.
Jason and Johnny are both right, because the DOD is a rather large entity with a stupidly complex array of regulations. What works in one command doesn't always fly in another even within a branch, let alone jumping between branches.
TL;DR. Answer varies wildly on approval because the DOD is a GIANT organization with multiple levels of interwoven regulations, networks, and varied systems.
Article is a bit dated, but I don't imagine the situation has improved since I stopped doing Defense consulting.
http://www.wired.com/2010/10/read-em-all-pentagons-193-mind-numbing-cyber-se...
-----Original Message-----
From: Jim Perrin
Sent: Tuesday, April 28, 2015 20:45

> On 04/28/2015 06:05 PM, Akemi Yagi wrote:
>> On Tue, Apr 28, 2015 at 3:10 PM, Johnny Hughes johnny@centos.org wrote:
>>> CentOS is not approved for DOD use. In fact, CentOS is not now, nor has it ever been *certified* for anything. Certifications require people to PAY to certify a product.
>>> Specifically, EAL4 Certification, a requirement for the DOD, costs up to 2.5 million dollars .. see this link:
>>> http://en.wikipedia.org/wiki/Evaluation_Assurance_Level#Impact_on_cost_and_schedule
>>> That cost would be for each main version of CentOS (2.1, 3, 4, 5, 6, and 7) .. so the cost to have all 6 previous major versions certified would be:
>>> 6 x $2.5 Million = $15 Million dollars.
>>> Since CentOS is given away for free ... I can't afford to pay 15 million dollars to have it EAL4 certified .. can anyone on this list?
>>> Certifications and security testing and assurance, along with a Service Level Agreement for fixing bugs is why people who require any of those things need to buy RHEL.
>> Incidentally, someone has just started a thread related to DoD in the RH community discussion session entitled, "A DoD version of RHEL - A money maker for RH? Maybe!" :

There have already been high-level conversations between DISA JIE and the RH CTO with regard to that. The short story: RH is built for the greater good of their customers. DoD will have to continue to apply their configuration updates per STIG.

> There have been similar requests in the past. At one point someone on forge.mil was working on a rebuild which met STIG requirements, but

A good topic for another thread; we do that in our office.

> there were all sorts of issues with that. While I'm not in sales, I feel safe in speculating that RH's sales folks work rather hard to make sure the DOD as a whole stays happy.
> Jason and Johnny are both right, because the DOD is a rather large entity with a stupidly complex array of regulations. What works in one command doesn't always fly in another even within a branch, let alone

There is a reciprocity between DAAs for ATOs. If any DAA has approved A, then any other DAA can say ok because the other DAA said ok.

> jumping between branches.

It is at these lower levels where resistance is encountered.
E.g. we do not use X because Y.

> TL;DR. Answer varies wildly on approval because the DOD is a GIANT organization with multiple levels of interwoven regulations, networks, and varied systems.
> Article is a bit dated, but I don't imagine the situation has improved since I stopped doing Defense consulting.
> http://www.wired.com/2010/10/read-em-all-pentagons-193-mind-numbing-cyber-security-regs/
The securing of RH is the same as securing CentOS, but I strongly suggest purchasing RH when used in all MAC I/II (https://en.wikipedia.org/wiki/Mission_assurance) systems and for all production systems.
The CJCS put out a memo to treat all OSS as COTS, but the responsibility is still on the systems' CONOPS to address (self) support of the OSS. This is why you should purchase RH, for the support.
-Jason
On Tue, Apr 28, 2015 at 4:05 PM, Akemi Yagi amyagi@gmail.com wrote:
Incidentally, someone has just started a thread related to DoD in the RH community discussion session entitled, "A DoD version of RHEL - A money maker for RH? Maybe!" :
A new comment has been posted by a person who is "one of the ones who writes the STIGs for Red Hat, working out of Red Hat's U.S. Public Sector group":
https://access.redhat.com/comment/913583#comment-913583
Akemi
On Tue, Apr 28, 2015 at 04:49:41PM +0000, bobby Orellano wrote:
nowhere does it say that centos is approved for use in DoD. it is not on the APL, only RedHat and SuSE
There's also no place that states that CentOS is a flotation device to be used in the event of a water landing. Your point?
Do you think it should be? (I mean DoD approval. I'm ambivalent about using CentOS as a life preserver.)
-----Original Message-----
From: bobby Orellano
Sent: Tuesday, April 28, 2015 12:50

> nowhere does it say that centos is approved for use in DoD.

Nowhere is a very large place, and I can say that is incorrect.

> it is not on the APL, only RedHat and SuSE
If you would like assistance in approving CentOS for "your" use please provide more details.
If you cannot provide details on this list, please send me a signed (and encrypted if needed) mail from your official email address.
CentOS is in very wide use at DoD.
v/r,
Jason Pyeron
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Jason Pyeron                  PD Inc. http://www.pdinc.us
Principal Consultant          10 West 24th Street #100
+1 (443) 269-1555 x333        Baltimore, Maryland 21218
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.