FAQ: Is Solaris 11 "approved for use" in the US DoD?

Because of my work with the US DoD and Defense Information Systems Agency (DISA), I get asked this question all the time from Oracle employees as well as customers.

  • Is Oracle XYZ server or operating system on the DISA approved products list?

MYTH

There is a single organization in the Government/DoD that approves products for use.

REALITY

Although DISA has a Unified Capabilites Certification Office (UCCO), I asked them the question directly and their response was: "Although there is a Category Holder for Servers on the UC APL webpage, Servers do not fall into the scope of the UCR nor do they fall into an existing product category.  This product can be purchased without an UC APL listing; however site certification and accreditation for IA must be met in the field."

Each customer or funded program goes through its own approval and accreditation process.  There is no single approver.  A program or agency has an assigned DAA (Designated Approving Authority) who's responsible for the security posture of  the entire program.  This includes reviewing the policies, people, products and procedures (4P) that are put in place.  This person signs his name on the line asserting that all reasonable actions have been taken to make the system secure in line with the job that it does.  This may include items like electro-magnetic shielding, encryption, firewalls as well as operating systems, password rules and auditing.  An accounting system gets a different amount of scrutiny than an intelligence gathering or combat system.

I can tell your from personal experience that Solaris 10 and 11 with Zones and Oracle VM for SPARC (aka LDOMs) are currently deployed in the US DoD. 

Why you should care.

Many government contractors or employees believe that they can't use a product unless it's on some approved list.  In most cases products can be used if sufficient rigor is  applied and the DAA can be convinced that the system is secure.  Solaris 10 and 11 provides a wide variety of security features that make this easier today than ever before.


Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
About

Jim Laurent is an Oracle Sales consultant based in Reston, Virginia. He supports US DoD customers as part of the North American Public Sector hardware organization. With over 17 years experience at Sun and Oracle, he specializes in Solaris and server technologies. Prior to Oracle, Jim worked 11 years for Gould Computer Systems (later known as Encore).

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today