FAQ: Is Solaris 11 "approved for use" in the US DoD?
By user12611852 on Apr 15, 2013
Because of my work with the US DoD and Defense Information Systems Agency (DISA), I get asked this question all the time from Oracle employees as well as customers.
- Is Oracle XYZ server or operating system on the DISA approved products list?
There is a single organization in the Government/DoD that approves products for use.
Although DISA has a Unified Capabilites Certification Office (UCCO), I asked them the question directly and their response was: "Although there is a Category Holder for Servers on the UC APL webpage, Servers do not fall into the scope of the UCR nor do they fall into an existing product category. This product can be purchased without an UC APL listing; however site certification and accreditation for IA must be met in the field."
Each customer or funded program goes through its own approval and accreditation process. There is no single approver. A program or agency has an assigned DAA (Designated Approving Authority) who's responsible for the security posture of the entire program. This includes reviewing the policies, people, products and procedures (4P) that are put in place. This person signs his name on the line asserting that all reasonable actions have been taken to make the system secure in line with the job that it does. This may include items like electro-magnetic shielding, encryption, firewalls as well as operating systems, password rules and auditing. An accounting system gets a different amount of scrutiny than an intelligence gathering or combat system.
I can tell your from personal experience that Solaris 10 and 11 with Zones and Oracle VM for SPARC (aka LDOMs) are currently deployed in the US DoD.Why you should care.
Many government contractors or employees believe that they can't use a product unless it's on some approved list. In most cases products can be used if sufficient rigor is applied and the DAA can be convinced that the system is secure. Solaris 10 and 11 provides a wide variety of security features that make this easier today than ever before.