[Fed-Talk] Re: Fed-talk Digest, Vol 2, Issue 167
- Subject: [Fed-Talk] Re: Fed-talk Digest, Vol 2, Issue 167
- From: Ran Atkinson <email@hidden>
- Date: Wed, 31 Aug 2005 20:36:07 -0400
On 31 Aug 2005, at 15:04, email@hidden wrote:
Date: Wed, 31 Aug 2005 13:24:18 -0500
From: "Timothy J. Miller"
Subject: Re: [Fed-Talk] EAL3 v EAL4
To: email@hidden
Boyd Fletcher wrote:
EAL4 with the Single-Level Operating Systems in Medium Robustness Environments is the requirement.
I believe EAL4 with CAPP will be around for at least another 12-18 months.
Unfortunately it is getting very difficult in DOD to use operating systems that are not EAL 4 with CAPP certified. We all know it's a paper drill and that the CC process as implemented in the US Government actually significantly reduces our security posture, but until someone can convince the government and Congress to change the rules we have to live by them.
Hear, hear. CAPP is completely inappropriate for any system on a
network, no matter what classification. SLOSPP-MR is a better
profile.
-- Tim
I won't argue that CAPP is better than SLOSPP-MR in
technical terms, but I will say that Apple would be better
off with EAL4/CAPP than EAL3/CAPP. Most end user sites
seem to obsess on the EAL number and ignore which
Protection Profile was used. This might be silly,
but it seems to be the marketplace reality for now.
I don't really know what the extra development work
(e.g. additional capabilities) would be to get MacOS X
from where it is to EAL4/SLOSPP-MR. It does seem that
getting MacOS X from where it is to EAL4/CAPP would just
be a matter of more paperwork and some evaluation budget.
There is a business decision here. During the late 80s
and early 90s, I watched several UNIX vendors spend millions
building B1/CMW systems and getting those approved. However,
at the end, the DoD and IC, even the paranoid parts, bought
relatively few B1/CMW systems. (The biggest public contract
with CMWs was probably Navy's TAC-4 and virtually all TAC-4
systems were shipped with standard commercial unevaluated HPUX.)
Several vendors lost money on that CMW bet. So, I am very
reluctant to tell any vendor that they need to spend big money
to meet some gee whiz Protection Profile rather than targeting
the mundane CAPP -- until I can see a broader market demanding
that they do so (maybe others are seeing that broader market;
today I am not able to locate it).
I am seeing people use "EAL4" alone (and generally ignoring
the whole ToE/Protection Profile aspect) as the metric to exclude
Apple and select another vendor's OS. Most IT buyers do not
understand the ISO CC system and how assurance/protection-profiles
relate and are different from each other. Until more IT buyer
and IT user education happens (and that's a government responsibility)
then it is unclear to me how much value ISO CC really is adding
to the deployed world.
_______________________________________________
Fed-talk mailing list (email@hidden)