Department of Defense security levels
dkelly at HiWAAY.net
Wed Oct 6 12:53:05 PDT 2004
On Oct 6, 2004, at 9:53 AM, Jeremy C. Reed wrote:
> I have read some about Common Criteria Evaluation Assurance Levels,
> Book levels, Federal Aviation Administration DO-178B Level A and
I've been out of it for 5 years but is my understanding the Orange Book
> I am looking for a quick reference and explanation of security levels
> for software in the United States. Any good pointers?
Only took a few moments with Google to find this:
> Also does any *BSD cover U.S. Department of Defense security levels?
> SEBSD or TrustedBSD?
The old Orange Book level C3 included everything. With C3 all users and
persons with physical access are required to have equal or greater
clearance and need-to-know as the systems and the data they contain. If
networked then all other systems on the network must be the same
need-to-know, we called this "stand alone" as systems were physically
segregated by project or task. No feature of the OS such as user name,
password, or resource ownership is considered a "security feature" in
this context. I have run FreeBSD in C3 environments.
> If no BSD, what about Linux? Where can I learn more about this?
I heard Once Upon A Time someone with deep pockets was pushing a Linux
system thru the qualification process aiming for a C1 or B-level. For
mere mortals and civilians it doesn't mean a darned thing as nobody but
the DoD cares to put up with the hassle. If it passed using a Brand-X
motherboard with 386DX33 then that too is what you must use.
Once Upon A Time Microsoft made big hay about Windows NT 3.5.1 being C2
or C1. Not exactly true as only one specific configuration made that
grade. Without NIC. Without floppy. Without CDROM. Without external
David Kelly N4HHE, dkelly at HiWAAY.net
Top-posters will not be shown the honor of a reply.
More information about the freebsd-chat