SLUG Mailing List Archives
Re: [SLUG] Federal Gov Open Source Policy
- To: Kevin Saenz <kevsaenz@xxxxxxxxxxxxxxx>
- Subject: Re: [SLUG] Federal Gov Open Source Policy
- From: Glen Turner <gdt@xxxxxxxxx>
- Date: Wed, 09 Feb 2011 12:40:15 +1030
- Cc: slug <slug@xxxxxxxxxxx>
- Organization: http://www.gdt.id.au/~gdt/
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:126.96.36.199) Gecko/20101209 Fedora/3.1.7-0.35.b3pre.fc13 Thunderbird/3.1.7
On 06/02/11 21:03, Kevin Saenz wrote:
> That is a majority of the time they would need to be DSD approved and each open
> source project would need to pay a minimum of $50k to get DSD to qualify it.
> Without DSD approval open source will not get a look in when it comes to
> networks that are rated Protected and higher.
The trick with compliance is to read the documents carefully, not to be overawed by the security
theatre of it all. That can be tricky when the customers are overawed too. DSD are as bound by the
policies as you are, so the policies cut both ways. The most relevant paragraph is this one:
Selecting products without security functions
Agencies selecting products that do not provide a security function,
or selecting products whose security functions will not be used,
are free to follow their own acquisition guidelines.
[Australian Government Information Security Manual, November 2010]
Note that this applies whatever the classification of the network the software is used on. So if you
want to bid particular software for use even on a Top Secret network then all you need show is
that the software performs no security function. There can be some irony here, as you may note as
you disable HTTPS on the webserver :-)
If your bid does require a security function (eg, the experienced person writing the tender
specified HTTPS) then don't despair. You'll find some Linux distributors have done excellent work
acquiring NSA or NIST certification for basic security functions (PAM, OpenSSL, Mozilla NSS, etc).
BTW Red Hat Linux 5 is a standout. It even has MLS (ie, can use unclassified, restricted, protected
and confidential information on the same system without all the information being tainted up to
confidential) evaluated to EAL4 (ie, the highest which can be obtained on generic hardware). The
implementation is much easier to use than some other "trusted" operating systems. Presumably Red Hat
intend to gain EAL4 for RHEL6.
It is even possible to build DSD-approved gateways to the Internet from Restricted or Protected
networks using open source components. For a long time in the history of the Internet in Australia
the only DSD-approved gateways were built from FOSS products.
In short, don't be afraid of information assurance requirements. Just read them carefully. Any FOSS
vendor should be able to sell a non-MLS desktop configuration into a Protected or Confidential
network with no great drama.
If you see a requirement for MLS or a "gateway security function" then these are specialised fields
and you might think carefully about whether you have the internal expertise to respond. There are many
consultancies in the information assurance field that aren't interested in what you do best
(installation, configuration, support and so on) so you might look towards a partnership for those
more specialised tenders.
Glen Turner <http://www.gdt.id.au/~gdt/>