Re: [Fed-Talk] FIPS 140-2
- Subject: Re: [Fed-Talk] FIPS 140-2
- From: Amanda Walker <email@hidden>
- Date: Tue, 8 May 2007 09:33:02 -0400
On May 7, 2007, at 4:53 PM, Wm.Cerniuk wrote:
> I received the marching orders on this last Friday in the presence
> of the director of enterprise architecture who was impressed with
> the operation of FileVault but... there is that OMB business...
> Imagine if we lost a Mac and the news started hounding that while
> it was encrypted it was not encrypted to government specification.
This was the same issue I ran into working on stuff for the Army--
regardless of the technical merits, AR 25-2 has no "or equivalent"
clause: "All ISs [information systems] will employ protection
mechanisms that satisfy criteria for basic, medium, or high levels of
robustness per DODI 8500.2 and Federal Information Processing
Standard (FIPS) 140–2." Many DAAs interpret this as "all systems
must employ a FIPS 140-2 validated solution." FileVault is a hard
sell until it's actually validated, since it requires the DAA to sign
off on an exception.
Amanda Walker
email@hidden
--
Producing a system from a specification is like walking on water--
it's easier if it's frozen.