DSD Approved Products

Peter Thoenen eol1 at yahoo.com
Mon Mar 13 22:57:00 UTC 2006


--- Thorsten Steentjes <tst at guug.de> wrote:
> Could you please explain what you mean with loophole in that context?

Arg... going to make me track down obscure government regs, are you ...
been a couple of years since I did IA work :)

Unsure exactly which higher-level US Department of Defense Instruction
this loophole was originally derived from, but US Army Regulation 25-2
Information Assurance, dated 03JUN14, Section II 4-6l states:

'Use of "open source" software (for example, Red Hat Linux) is
permitted when the source code is available for examination of
malicious content, applicable configuration implementation guidance is
available and implemented, a protection profile is in existence, or a
risk and vulnerability assessment has been conducted with mitigation
strategies implemented with DAA and CCB approval. Notify NETCOM RCIOs
and the supporting RCERT/TNOSC of local software use approval.'

So in fact what it is saying is that open source software is exempt from the
CSLA process provided the local Designated Approving Authority (read in
corporate speak: Division President) approves it.  Yes, this has been
debated at multiple high-level theater conferences, and yes, this really
is what it says (some anti-OSS IA guys felt it was still a bit vague
and hence prohibited).  It has been clarified to read exactly what it
implies above.

NOTE: Yes, I used to be a US Army IA policy wonk years ago.
