CentOS Not DoD Approved

Home » CentOS » CentOS Not DoD Approved
CentOS 10 Comments

nowhere does it say that CentOS is approved for use in DoD. it is not on the APL, only RedHat and SuSE

10 thoughts on - CentOS Not DoD Approved

  • DoD approval requires spending lots of money jumping through arbitrary hoops. Do you wish to pay for this?

    skimming the requirements, it also requires extensive documentation of said ‘Product’. Do you wish to write this?

  • There’s also no place that states that CentOS is a flotation device to be used in the event of a water landing. Your point?

    Do you think it should be? (I mean DoD approval. I’m ambivalent about using CentOS as a life preserver.)

  • CentOS is not approved for DOD use. In fact, CentOS is not now, nor has it ever been *certified* for anything. Certifications require people to PAY to certify a product.

    Specifically, EAL4 Certification, a requirement for the DOD, costs up to
    2.5 million dollars .. see this link:

    http://en.wikipedia.org/wiki/Evaluation_Assurance_Level#Impact_on_cost_and_schedule

    That cost would be for each main version of CentOS (2.1, 3, 4, 5, 6, and
    7) .. so the cost to have all 6 previous major versions certified would be:

    6 x $2.5 Million = $15 Million dollars.

    Since CentOS is given away for free … I can’t afford to pay 15 million dollars to have it EAL4 certified .. can anyone on this list?

    Certifications and security testing and assurance, along with a Service Level Agreement for fixing bugs is why people who require any of those things need to buy RHEL.

    Thanks, Johnny Hughes

  • Nowhere is a very large place, and I can say that is incorrect.

    If you would like assistance in approving CentOS for “your” use please provide more details.

    If you cannot provide details on this list, please send me an signed (and encrypted if needed) mail from your official email address.

    CentOS is in very wide use at DoD.

    v/r,

    Jason Pyeron

  • There have been similar requests in the past. At one point someone on forge.mil was working on a rebuild which met STIG requirements, but there were all sorts of issues with that. While I’m not in sales, I feel safe in speculating that RH’s sales folks work rather hard to make sure the DOD as a whole stays happy.

    Jason and Johnny are both right, because the DOD is a rather large entity with a stupidly complex array of regulations. What works in one command doesn’t always fly in another even within a branch, let alone jumping between branches.

    TL;DR. Answer varies wildly on approval because the DOD is a GIANT
    organization with multiple levels of interwoven regulations, networks, and varied systems.

    Article is a bit dated, but I don’t imagine the situation has improved since I stopped doing Defense consulting.

    http://www.wired.com/2010/10/read-em-all-pentagons-193-mind-numbing-cyber-security-regs/

  • There have already been high level conversation between DISA JIE and RH CTO with regards to that. The short story RH is built to the greater good of their customers. DoD will have to continue to apply their configuration updates per STIG.

    A good topic for another thread, we do that in our office.

    There is a reciprocity between DAAs for ATOs. If any DAA has approved A then any other DAA can say ok because the other DAA said ok.

    It is at these lower levels where resistance is encountered.

    E.g. we do not use X because Y.

    mbing-cyber-security-regs/

    The securing of RH is the same as securing CentOS, but I strongly suggest purchasing RH when used in a all MAC I/II (https://en.wikipedia.org/wiki/Mission_assurance) systems and for all production systems.

    The CJCS put out a memo to treat all OSS as COTS, but the responsibility is still on the systems’ CONOPS to address (self) support of the OSS. This is why you should purchase RH, for the support.

    -Jason