Open Source down falls when dealing with the US Government

Fri 15 August 2008

I don't hide the fact that I am a contractor to a few US Government organizations and deal specifically with security issues. As such, I'm asked if I'm seeing any open source or Linux items in my daily work. Unfortunately the answer is always "not as much as I'd like to see". I know that a Linux system can be hardened faster and easier (and cheaper) than that other brand of OS. I know that doing compliance testing takes half as long on Linux (and Solaris) than that other brand as well. This all equals to a larger cost savings to the customer (the gov't) and to the American public. So why isn't there more open source solutions out there being used? Two words: "testing" and "certifications".

I'll use LUKS as a good example. LUKS provides "Data at Rest (DAR) Encryption" for computer hard drives and removable media. By default, in Fedora, it uses AES encryption and protects all data on the hard drive from being copied or altered on a system that is powered down. Simple, easy to install, free, and meets the basic requirements for DAR Encryption. Why isn't this an approved solution, then? Because LUKS doesn't meet FIPS 140-2 requirements. Well, I won't say that it doesn't meet the requirements because it probably does but it has never been certified as such. And to do so is usually takes at least $100k+ and a few months of government testing. Now if you are developing open source software you probably don't have the money to fund such testing.

There are a few notable exceptions. SELinux was a joint project between the community and the NSA. That worked out well for all involved.

I'd like to see the bar lowered for software to become accepted as solutions instead of being discarded because they don't have a large amount of funding.

By Sparks, Category: Information Security

Tags: LUKS / Data at Rest /