[CentOS] CENTOS not DoD approved

Wed Apr 29 00:45:07 UTC 2015
Jim Perrin <jperrin at centos.org>


On 04/28/2015 06:05 PM, Akemi Yagi wrote:
> On Tue, Apr 28, 2015 at 3:10 PM, Johnny Hughes <johnny at centos.org> wrote:
> 
>> CentOS is not approved for DOD use.  In fact, CentOS is not now, nor has
>> it ever been *certified* for anything.  Certifications require people to
>> PAY to certify a product.
>>
>> Specifically, EAL4 Certification, a requirement for the DOD, costs up to
>> 2.5 million dollars .. see this link:
>>
>> http://en.wikipedia.org/wiki/Evaluation_Assurance_Level#Impact_on_cost_and_schedule
>>
>> That cost would be for each main version of CentOS (2.1, 3, 4, 5, 6, and
>> 7) .. so the cost to have all 6 previous major versions certified would be:
>>
>> 6 x $2.5 Million = $15 Million dollars.
>>
>> Since CentOS is given away for free ... I can't afford to pay 15 million
>> dollars to have it EAL4 certified .. can anyone on this list?
>>
>> Certifications and security testing and assurance, along with a Service
>> Level Agreement for fixing bugs is why people who require any of those
>> things need to buy RHEL.
> 
> Incidentally, someone has just started a thread related to DoD in the
> RH community discussion session entitled, "A DoD version of RHEL - A
> money maker for RH? Maybe!" :
> 
> https://access.redhat.com/comment/913243
> 
There have been similar requests in the past. At one point someone on
forge.mil was working on a rebuild which met STIG requirements, but
there were all sorts of issues with that. While I'm not in sales, I feel
safe in speculating that RH's sales folks work rather hard to make sure
the DOD as a whole stays happy.

Jason and Johnny are both right, because the DOD is a rather large
entity with a stupidly complex array of regulations. What works in one
command doesn't always fly in another even within a branch, let alone
jumping between branches.

TL;DR. Answer varies wildly on approval because the DOD is a GIANT
organization with multiple levels of interwoven regulations, networks,
and varied systems.

Article is a bit dated, but I don't imagine the situation has improved
since I stopped doing Defense consulting.

http://www.wired.com/2010/10/read-em-all-pentagons-193-mind-numbing-cyber-security-regs/
-- 
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77