Date: Mon, 13 Mar 2006 14:56:59 -0800 (PST)
From: Peter Thoenen <eol1@yahoo.com>
To: Thorsten Steentjes <tst@guug.de>
Cc: freebsd-security@freebsd.org
Subject: Re: DSD Approved Products
Message-ID: <20060313225659.40917.qmail@web51905.mail.yahoo.com>
In-Reply-To: <20060313175458.GA79121@duke.tm.priv>
--- Thorsten Steentjes <tst@guug.de> wrote:

> Could you please explain what you mean with loophole in that context?

Arg.. going to make me track down obscure government regs, are you ... been a couple of years since I did IA work :)

Unsure exactly which higher-level US Department of Defense Instruction this loophole was originally derived from, but US Army Regulation 25-2 Information Assurance, dated 03JUN14, Section II 4-6l states:

'Use of "open source" software (for example, Red Hat Linux) is permitted when the source code is available for examination of malicious content, applicable configuration implementation guidance is available and implemented, a protection profile is in existence, or a risk and vulnerability assessment has been conducted with mitigation strategies implemented with DAA and CCB approval. Notify NETCOM RCIOs and the supporting RCERT/TNOSC of local software use approval.'

So in fact what it is saying is that open source software is exempt from the CSLA process provided the local Designated Approving Authority (read in corporate speak: Division President) approves it. Yes, this has been debated at multiple high-level theater conferences, and yes, this really is what it says (some anti-OSS IA guys felt it was still a bit vague and hence prohibited). It has been clarified to read exactly what it implies above.

NOTE: Yes, I used to be a US Army IA policy wonk years ago.