Department of Defense security levels

[David Kelly]

On Oct 6, 2004, at 9:53 AM, Jeremy C. Reed wrote:

> I have read some about Common Criteria Evaluation Assurance Levels, 
> Orange
> Book levels, Federal Aviation Administration DO-178B Level A and 
> others.

I've been out of it for 5 years but is my understanding the Orange Book 
was retired.

> I am looking for a quick reference and explanation of security levels 
> used
> for software in the United States. Any good pointers?

Only took a few moments with Google to find this:
http://www.dynamoo.com/orange/

> Also does any *BSD cover U.S. Department of Defense security levels? 
> Maybe
> SEBSD or TrustedBSD?

The old Orange Book level C3 included everything. With C3 all users and 
persons with physical access are required to have equal or greater 
clearance and need-to-know as the systems and the data they contain. If 
networked then all other systems on the network must be the same 
need-to-know, we called this "stand alone" as systems were physically 
segregated by project or task. No feature of the OS such as user name, 
password, or resource ownership is considered a "security feature" in 
this context. I have run FreeBSD in C3 environments.

> If no BSD, what about Linux? Where can I learn more about this?

I heard Once Upon A Time someone with deep pockets was pushing a Linux 
system thru the qualification process aiming for a C1 or B-level. For 
mere mortals and civilians it doesn't mean a darned thing as nobody but 
the DoD cares to put up with the hassle. If it passed using a Brand-X 
motherboard with 386DX33 then that too is what you must use.

Once Upon A Time Microsoft made big hay about Windows NT 3.5.1 being C2 
or C1. Not exactly true as only one specific configuration made that 
grade. Without NIC. Without floppy. Without CDROM. Without external 
reset button.

--
David Kelly N4HHE, dkelly at HiWAAY.net
========================================================================
Top-posters will not be shown the honor of a reply.