Crain, Kevin Mr CIV USA USAMC
2009-Jun-18 21:33 UTC
[Secure-testing-team] Debian CCEVS validation
Dear Sirs:

I was wondering if there has been any effort to have Debian validated on the CCEVS validated products list (http://www.niap-ccevs.org/cc-scheme/vpl/). Without a CCEVS certification, Debian cannot be used on a certified network as a public facing server in the DoD. Currently there is not a non-commercially supported Linux distro on that list, but it sure would be nice to have Debian on there.

-Kevin Crain

On Thu, 18 Jun 2009 14:33:13 -0700, Crain, Kevin wrote:
> Dear Sirs:
>
> I was wondering if there has been any effort to have Debian validated on
> the CCEVS validated products list
> (http://www.niap-ccevs.org/cc-scheme/vpl/). Without a CCEVS
> certification, Debian cannot be used on a certified network as a public
> facing server in the DoD. Currently there is not a non-commercially
> supported Linux distro on that list, but it sure would be nice to have
> Debian on there.

Hello,

What does the certification process entail? Are there costs involved? As an all-volunteer organization, Debian does not have much money to spend. It seems that it would probably be better for interested parties within DoD to push for this, rather than volunteers from Debian.

Best regards,
Mike

Hi Kevin,

On Fri, June 19, 2009 17:32, Michael S. Gilbert wrote:
> On Thu, 18 Jun 2009 14:33:13 -0700, Crain, Kevin wrote:
>
>> Dear Sirs:
>>
>> I was wondering if there has been any effort to have Debian validated
>> on the CCEVS validated products list
>> (http://www.niap-ccevs.org/cc-scheme/vpl/). Without a CCEVS
>> certification, Debian cannot be used on a certified network as a public
>> facing server in the DoD. Currently there is not a non-commercially
>> supported Linux distro on that list, but it sure would be nice to have
>> Debian on there.
>
> What does the certification process entail? Are there costs involved?
> As an all-volunteer organization, Debian does not have much money to
> spend. It seems that it would probably be better for interested parties
> within DoD to push for this, rather than volunteers from Debian.

According to this web page:
http://www.niap-ccevs.org/cc-scheme/getting-product-evaluated.cfm
a product can be evaluated when a sponsor is able and willing to take a product through this process.

This means that an organisation that wants to use Debian and needs this certification can pull Debian through the process. If there are costs involved I believe the sponsor will need to supply them.

That means that if your organisation wants to use Debian, perhaps you can get them to certify it. Of course Debian itself is willing to supply needed documentation or explanations, but the initiative would normally not come from us.

cheers,
Thijs