"I have stood here before inside the pouring rain
With the world turning circles running 'round my brain
I guess I'm always hoping that you'll end this reign
But it's my destiny to be the king of pain"
-- The Police
The DoD may well have leveled the playing field, but that parity has now significantly raised the barrier to entry for open source projects. (Even though Free and Open Source Software (FOSS) has been used pervasively for years, its "verboten" status prevented it from coming under the same governance processes as Commercial Off-The-Shelf (COTS) software. Now that it's out from under the table, it can be officially scrutinized by all the various policies and regulations that dictate how software acquisition and development is done.)
Under NSTISSP 11's new rules, for example, any software that provides or includes Information Assurance (IA) features - such as user accounts and passwords - is required to be NIAP certified.
NIAP certification was never intended to be an absolute doctrine. The assessment program, particularly at the lower assurances level, rates the likelihood an IA solution is secure, without providing assurances that it is. Although there is active security testing - do access controls work, for instance - there are no code reviews. Certification is largely design and methodology reviews, and heavy documentation requirements.
Oh, and a lot of money.
Very few open source projects have the design documentation or the methodologies necessary to obtain NIAP certification. Fewer still have the bucks to walk their code through accredidation.
But that's okay, because more and more FOSS is being bundled with operating systems, and operating systems, being IA-enabled, are required to be NIAP certified. So FOSS gets the certification for free, right?
Certification is against the software load as tested. Modifications to the IA-enabled components invalidates the certification.
That's right. A patch provided by, say, Sun, to fix a known exploit in its authentication code cannot be installed until the patched system has gone through certification, a process that takes months, and can cost upwards of six figures. (Luckily, this conflicts with DCID 6/3, which trumps it.)
Obviously, no vendor does that. Most don't even recertify the major revisions of their code. The last Solaris NIAP certified before Solaris 8 02/02 (which was approved in April of this year) was Solaris 8 FCS, with two patches, and AdminSuite (and its requirements, such as CDE, installed).
Now think how often FOSS is patched.
Separation of the components away from the composite system may also invalidate the certification. So while Apache may be NIAP certified under the web server protection profile as part of Solaris, your build of the same version of Apache may not be.
So let's ask Pudge. The government is now permitted to use
slash on its information processing systems. All you have to do is shell out a hundred thou' or so to have it (and MySQL, and maybe Perl) evaluated. Do you think that levels the playing field?
perl -e 'print scalar reverse "NIAP"'