IBM, Oracle Looking to Get Federal Certification for Linux

IT managers at government agencies welcomed moves by IBM and Oracle Corp. to seek a federal stamp of approval of the companies' respective applications running on Linux.

The Common Criteria is an independently tested set of standards used by organizations—the federal government included—to evaluate the security and assurance levels of technology products. For Linux, securing the Common Criteria certification means that government users have the proof required to show that the Linux software they are using is secure.

IBM earlier this month said it will work with the Linux community to enter the Common Criteria certification process for the Linux operating system early this year and will proceed to certify Linux at increasing security levels through next year. The Armonk, N.Y., company will also accelerate certification of its servers and middleware, including the DB2 database, WebSphere application server, Lotus collaboration software and Tivoli management software.

Separately, Oracle, of Redwood Shores, Calif., earlier this month said it will submit Red Hat Inc.'s Linux Advanced Server for a Common Criteria evaluation at Evaluation Assurance Level 2. Once that is completed, which is expected to happen this year, the next step is to evaluate the Oracle9i Release 2 database on top of the evaluated Linux. That is expected to take a few months.


Areas evaluated for certification:
  • Audit
  • Cryptographic support
  • Communications
  • User data protection
  • Identification and authentication
  • Security management
  • Privacy
  • Protection of the TOE security functions
  • Resource utilization
  • TOE access
  • Trusted path/channels

As of July 1, federal military agencies won't be allowed to purchase software that isn't evaluated under a national security testing initiative. The procurement program came into play in July 2002, but a one-year grace period was instituted.

"[The government] is very serious about making this a success," said Tony Stanco, associate director of Open Source and eGovernment at George Washington University's Cyber Security Policy and Research Institute, in Washington. "It took companies a long time to understand how serious they were."

"A lot of agencies aren't allowed to use software unless it's certified," said Jim Willis, director of e-government for the Rhode Island Department of State, in Providence, and a user of myriad open-source technologies, including Red Hat Linux. "The problem with open source is, who's going to pay to have it certified? Which open-source vendors are going to step up to the plate to foot the bill? It looks like Oracle stepped up to the plate."