Re: [Fed-Talk] EAL3 v EAL4
- Subject: Re: [Fed-Talk] EAL3 v EAL4
- From: Boyd Fletcher <email@hidden>
- Date: Wed, 31 Aug 2005 11:52:43 -0400
EAL4 with the Single-Level Operating Systems in Medium Robustness
Environments is the requirement.

I believe EAL4 with CAPP will be around for at least another 12-18 months.
Unfortunately it is getting very difficult in DOD to use operating systems
that are not EAL 4 with CAPP certified. We all know it's a paper drill and
that the CC process as implemented in the US Government actually
significantly reduces our security posture, but until someone can convince
the government and Congress to change the rules we have to live by them.

BTW, RHEL 4.1 is going through EAL 4/CAPP right now. SUSE is expected to
follow shortly afterwards. Like the EAL 4/CAPP for MacOS X (client and
server) is a big deal.

boyd
On 6/19/05 11:18 PM, "Shawn Geddis" <email@hidden> wrote:
> On Jun 18, 2005, at 10:27 AM, Ran Atkinson wrote:
>> Personally, I find the improved audit support to be very helpful.
>> I do wish Apple would look into EAL4 certification, simply because
>> other competitors have EAL4 already (or in some cases are actively
>> being evaluated under EAL4). Lack of EAL4 is going to be a risk
>> for Apple that EAL4 would be used to prevent Apple systems from
>> being procured under some RFP or deployed in some environments.
>> (That said, I'm very happy that they have EAL3 already. :-)
>
> Since EAL4 does not indicate that it is more secure than EAL3, what
> specific Security Functions are critical for Certification within
> your environments?
>
> As is the case with any vendor, it is optimal to invest the effort
> and achieve certification for those things which help the customer
> the most. Just achieving EAL4 would be rather meaningless unless of
> course you care what functions (Protection Profile) are certified.
> Those of you who are familiar with CCC also know that CAPP is being
> replaced and will then no longer be available as a Protection Profile
> for evaluation.
>
> Please forward me any and all comments or environmental requirements
> for Common Criteria Certification for Mac OS X / Mac OS X Server
> going forward.
>
> -Shawn
> ___________________________________________
> Shawn Geddis
> Security Consulting Engineer
> Apple Computer - US Federal Government
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden