On 04/28/2015 02:30 PM, John R Pierce wrote:
> On 4/28/2015 9:49 AM, bobby Orellano wrote:
>> nowhere does it say that centos is approved for use in DoD. it is not on
>> the APL, only RedHat and SuSE
>
> DoD approval requires spending lots of money jumping through arbitrary
> hoops. Do you wish to pay for this?
>
> skimming the requirements, it also requires extensive documentation of
> said 'Product'. Do you wish to write this?

CentOS is not approved for DOD use. In fact, CentOS is not now, nor has it ever been *certified* for anything. Certifications require people to PAY to certify a product.

Specifically, EAL4 Certification, a requirement for the DOD, costs up to 2.5 million dollars .. see this link:

http://en.wikipedia.org/wiki/Evaluation_Assurance_Level#Impact_on_cost_and_schedule

That cost would be for each main version of CentOS (2.1, 3, 4, 5, 6, and 7) .. so the cost to have all 6 previous major versions certified would be:

6 x $2.5 Million = $15 Million dollars.

Since CentOS is given away for free ... I can't afford to pay 15 million dollars to have it EAL4 certified .. can anyone on this list?

Certifications and security testing and assurance, along with a Service Level Agreement for fixing bugs is why people who require any of those things need to buy RHEL.

Thanks,
Johnny Hughes
On Tue, Apr 28, 2015 at 3:10 PM, Johnny Hughes <johnny at centos.org> wrote:
> CentOS is not approved for DOD use. In fact, CentOS is not now, nor has
> it ever been *certified* for anything. Certifications require people to
> PAY to certify a product.
>
> Specifically, EAL4 Certification, a requirement for the DOD, costs up to
> 2.5 million dollars .. see this link:
>
> http://en.wikipedia.org/wiki/Evaluation_Assurance_Level#Impact_on_cost_and_schedule
>
> That cost would be for each main version of CentOS (2.1, 3, 4, 5, 6, and
> 7) .. so the cost to have all 6 previous major versions certified would be:
>
> 6 x $2.5 Million = $15 Million dollars.
>
> Since CentOS is given away for free ... I can't afford to pay 15 million
> dollars to have it EAL4 certified .. can anyone on this list?
>
> Certifications and security testing and assurance, along with a Service
> Level Agreement for fixing bugs is why people who require any of those
> things need to buy RHEL.

Incidentally, someone has just started a thread related to DoD in the RH community discussion session entitled, "A DoD version of RHEL - A money maker for RH? Maybe!" :

https://access.redhat.com/comment/913243

Akemi
On 04/28/2015 06:05 PM, Akemi Yagi wrote:
> On Tue, Apr 28, 2015 at 3:10 PM, Johnny Hughes <johnny at centos.org> wrote:
>
>> CentOS is not approved for DOD use. In fact, CentOS is not now, nor has
>> it ever been *certified* for anything. Certifications require people to
>> PAY to certify a product.
>>
>> Specifically, EAL4 Certification, a requirement for the DOD, costs up to
>> 2.5 million dollars .. see this link:
>>
>> http://en.wikipedia.org/wiki/Evaluation_Assurance_Level#Impact_on_cost_and_schedule
>>
>> That cost would be for each main version of CentOS (2.1, 3, 4, 5, 6, and
>> 7) .. so the cost to have all 6 previous major versions certified would be:
>>
>> 6 x $2.5 Million = $15 Million dollars.
>>
>> Since CentOS is given away for free ... I can't afford to pay 15 million
>> dollars to have it EAL4 certified .. can anyone on this list?
>>
>> Certifications and security testing and assurance, along with a Service
>> Level Agreement for fixing bugs is why people who require any of those
>> things need to buy RHEL.
>
> Incidentally, someone has just started a thread related to DoD in the
> RH community discussion session entitled, "A DoD version of RHEL - A
> money maker for RH? Maybe!" :
>
> https://access.redhat.com/comment/913243
>

There have been similar requests in the past. At one point someone on forge.mil was working on a rebuild which met STIG requirements, but there were all sorts of issues with that. While I'm not in sales, I feel safe in speculating that RH's sales folks work rather hard to make sure the DOD as a whole stays happy.

Jason and Johnny are both right, because the DOD is a rather large entity with a stupidly complex array of regulations. What works in one command doesn't always fly in another even within a branch, let alone jumping between branches.

TL;DR. Answer varies wildly on approval because the DOD is a GIANT organization with multiple levels of interwoven regulations, networks, and varied systems.

Article is a bit dated, but I don't imagine the situation has improved since I stopped doing Defense consulting.

http://www.wired.com/2010/10/read-em-all-pentagons-193-mind-numbing-cyber-security-regs/

-- 
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77
On Tue, Apr 28, 2015 at 4:05 PM, Akemi Yagi <amyagi at gmail.com> wrote:
> Incidentally, someone has just started a thread related to DoD in the
> RH community discussion session entitled, "A DoD version of RHEL - A
> money maker for RH? Maybe!" :
>
> https://access.redhat.com/comment/913243

A new comment has been posted by a person who is "one of the ones who writes the STIGs for Red Hat, working out of Red Hat's U.S. Public Sector group":

https://access.redhat.com/comment/913583#comment-913583

Akemi