[Am-info] DoD Must Purchase Only NIAP Certified Products
John Poltorak
jp@eyup.org
Wed, 22 May 2002 16:57:49 +0100
On Wed, May 22, 2002 at 11:43:10AM -0400, Fred A. Miller wrote:
> DoD Must Purchase Only NIAP Certified Products
>
> Starting in July, the Defense Department will be required to purchase
> only the information assurance products that have been certified by
> the National Information Assurance Partnership (NIAP). NIAP, an NSA
> initiative, has certified about two dozen products so far.
> http://www.fcw.com/fcw/articles/2002/0513/web-niap-05-16-02.asp
> [Editor's (Ranum) Note: This is interesting. What about the installed
> base? What about enforcing this? What organizations will be able to
> get waivers? Excuse me if I am cynical but I remember "C2 by 92!" and
> the orange book. I bet this is going to accomplish nothing.]
I vaguely recall something about the DoD selecting NT because it satisfied
C2 security requirements, although it subsequently emerged that this was
only the case for a standalone system but did not satisfy the requirements
when connected to a network!
> --
> Fred A. Miller
> Systems Administrator
> Cornell Univ. Press Services
> fm@cupserv.org, www.cupserv.org
--
John