[CentOS] CENTOS not DoD approved

Wed Apr 29 10:52:13 UTC 2015
Jason Pyeron <jpyeron at pdinc.us>

> -----Original Message-----
> From: Jim Perrin
> Sent: Tuesday, April 28, 2015 20:45
> 
> On 04/28/2015 06:05 PM, Akemi Yagi wrote:
> > On Tue, Apr 28, 2015 at 3:10 PM, Johnny Hughes <johnny at centos.org> wrote:
> > 
> >> CentOS is not approved for DOD use.  In fact, CentOS is not now, nor has
> >> it ever been *certified* for anything.  Certifications require people to
> >> PAY to certify a product.
> >>
> >> Specifically, EAL4 Certification, a requirement for the DOD, costs up to
> >> 2.5 million dollars .. see this link:
> >>
> >> http://en.wikipedia.org/wiki/Evaluation_Assurance_Level#Impact_on_cost_and_schedule
> >>
> >> That cost would be for each main version of CentOS (2.1, 3, 4, 5, 6, and
> >> 7) .. so the cost to have all 6 previous major versions certified would be:
> >>
> >> 6 x $2.5 Million =  $15 Million dollars.
> >>
> >> Since CentOS is given away for free ... I can't afford to pay 15 million
> >> dollars to have it EAL4 certified .. can anyone on this list?
> >>
> >> Certifications and security testing and assurance, along with a Service
> >> Level Agreement for fixing bugs is why people who require any of those
> >> things need to buy RHEL.
> > 
> > Incidentally, someone has just started a thread related to DoD in the
> > RH community discussion session entitled, "A DoD version of RHEL - A
> > money maker for RH? Maybe!" :
> > 
> > https://access.redhat.com/comment/913243

There have already been high-level conversations between DISA JIE and the RH CTO with regard to that. The short story: RH is built for the greater good of their customers. DoD will have to continue to apply their configuration updates per STIG.

> 
> There have been similar requests in the past. At one point someone on
> forge.mil was working on a rebuild which met STIG requirements, but

A good topic for another thread, we do that in our office.

> there were all sorts of issues with that. While I'm not in sales, I feel
> safe in speculating that RH's sales folks work rather hard to make sure
> the DOD as a whole stays happy.
> 
> Jason and Johnny are both right, because the DOD is a rather large
> entity with a stupidly complex array of regulations. What works in one
> command doesn't always fly in another even within a branch, let alone

There is a reciprocity between DAAs for ATOs. If any DAA has approved A, then any other DAA can say OK because the other DAA said OK.

> jumping between branches.

It is at these lower levels where resistance is encountered.

E.g. we do not use X because Y.

> 
> TL;DR. Answer varies wildly on approval because the DOD is a GIANT
> organization with multiple levels of interwoven regulations, networks,
> and varied systems.
> 
> Article is a bit dated, but I don't imagine the situation has improved
> since I stopped doing Defense consulting.
> 
> http://www.wired.com/2010/10/read-em-all-pentagons-193-mind-numbing-cyber-security-regs/
> 

The securing of RH is the same as securing CentOS, but I strongly suggest purchasing RH when used in all MAC I/II (https://en.wikipedia.org/wiki/Mission_assurance) systems and for all production systems.

The CJCS put out a memo to treat all OSS as COTS, but the responsibility is still on the systems' CONOPS to address (self) support of the OSS. This is why you should purchase RH, for the support.

-Jason