Firewall Wizards mailing list archives

Re: Trusted Unices Aren't?


From: Rick Smith <rick_smith () securecomputing com>
Date: Fri, 30 Oct 1998 17:23:20 -0600

At 10:42 AM 10/29/98 -0500, Gordon Greene wrote:

> It seems like as tough as it is to get the OS evaluated, you have to go
> through at least as much to get a system that incorporates it through
> accreditation.

Accreditation and evaluation may both be fruit, but they're apples and
oranges. Things pass evaluation and fail accreditation (Blacker was a
poster child for this at the A1 level) while other things never get
evaluated (or fail) and are still accredited for operation. The SMG was
never "really" evaluated though it jumped through many hoops marked "A1."

Accreditation is a risk assessment decision that is influenced by a variety
of operational and even political conditions. Accreditation in one command
or one application doesn't guarantee accreditation anywhere else.
Evaluation is a very stringent technical assessment that's supposed to be
objective. It's overseen by a single authority (the NCSC) and based on
published criteria.

Rick.
smith () securecomputing com


