Re: [Fed-Talk] Re: Seagate FDE Drives
- Subject: Re: [Fed-Talk] Re: Seagate FDE Drives
- From: Amanda Walker <email@hidden>
- Date: Wed, 17 Dec 2008 21:21:15 -0500
On Dec 17, 2008, at 7:57 PM, Shawn A. Geddis wrote:
/* personal comments - not those of Apple Inc. */
I am just raising questions as to whether the requirements you are
under are truly in the best interest of your agency and our
government. Choosing between two products because one has already
been granted validation and the other has not, can encourage folks
to overlook the better and more appropriate products simply because
of a "Check-box". Is that what our Federal Government IT Security
thinking has come to? I'll take an NSA letter of Qualification
over FIPS any day!
/* personal comments - not those of Apple Inc. */
I've been involved with systems on both sides of this (i.e., both FIPS
140-1&2 and DITSCAP (escaped before DIACAP :-))), and there are
advantages and disadvantages to both. Endorsement of FIPS 140-2
within the government was actually meant to *speed up* the process and
allow procurement of COTS products, because DITSCAP took years, money,
and politics (among other reasons, because the NSA staff that do this
can't keep up with the demand for it, especially once we got back into
hot wars--everything else has to wait in line behind tactical comm
systems). Unfortunately, the FIPS 140 pipeline got clogged for the
same reasons that the DITSCAP pipeline did. I do find it a little
ironic that Seagate was able to get an NSA qualification letter more
quickly than FIPS certification, but while I have no inside knowledge,
I suspect they worked in advance with NSA (or ex-NSA consultants, of
which there are a few) to tailor the Momentus drives so that they
could be qualified shortly after going into production.
That said, local IT staff at each agency and location have the
ultimate say over what can and cannot operate in their area of
responsibility. Some of them have their checklists and don't want to
hear about anything except their "standard" Windows configuration.
Some of them decide that anything with a CPU needs to run anti-virus
software (I once had to explain why I didn't think that was necessary
in a Linux-based software defined radio for telemetry, for example).
Their threat model is basically "nobody ever got fired for going by
the book--regulation X is the book." Others view their mission as
helping people get their job done, and take a more nuanced approach
about what's applicable to any given situation.
Allan's right in that there are indeed plenty of people who have to
select only FIPS 140-2 certified equipment, are not in a position to
get a waiver, and for whom Seagate's NSA qualification letter is
irrelevant. But you're right as well--there are others whose IT
organization (and their DAAs) are quite willing to accept it for their
area of responsibility, like having Macs around because they create
fewer headaches, etc. For every mandate from on high, there's a
forest of exceptions and waivers for particular situations :-).
Amanda Walker