On Thu, May 22, 2014 at 6:00 PM, Shawn Wells <[email protected]> wrote:
>
> On 5/22/14, 5:35 PM, Andrew Gilmore wrote:
>>
>> SSG is not just for DoD, I sure hope!
>>
>> I'm sure there are many CentOS deployments in .gov, I believe there are
>> several just in my agency alone. Do we really want to not support them, or
>> force them into manual edits to get scans to work?
>
>
> Very correct -- there's broad content supporting a wide range of needs;
> ranging from commercial (the C2S profile) to classified (e.g. STIG and CS2).
>
> Lacking Common Criteria and FIPS certification, CentOS is not consumable by
> the U.S. Government per the National Security Telecommunications and
> Information Systems Security Policy (NSTISSP) #11, now known as the
> Committee on National Security Systems (CNSS).

<snip...>
In my small world, governed by similar documents with a bunch of numbers and even more acronyms, *all* of this is ultimately decided by a person, the Designated Approving Authority (DAA). Not a document. The DAA can decide to "consume" whatever products they want to meet the mission need. Thus, CentOS, Scientific Linux, Gentoo, LFS, are all quite consumable by certain parts of the U.S. Government :)

Unsurprisingly, and ironically, another policy document states that the DAA has this authority.

Thanks,
--Spencer

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
