IBM and Oracle have launched efforts to get the Linux
operating system a security certification required by the US
Department of Defense, so Linux suppliers are not cut off from the
huge security IT market.
The Defense Department requires that commercial software used in
national security-related functions be certified under the Common
Criteria or hold an alternative certification from the National
Institute of Standards and Technology.
Microsoft and Sun Microsystems operating systems have Common
Criteria certifications at the fourth level of assurance, but Linux
does not, which would put it at a competitive disadvantage for
Defense Department IT bids, said Tony Stanco, associate director of
the Cyber Security Policy & Research Institute.
The institute is working on putting together a coalition to push
for a Linux Common Criteria certification, the first step being a
level two certification. The level of certification will be how
companies are going to prove they have secure software, Stanco added.
The goal of the coalition is to "make sure the Linux community
is not denied a place at the table", Stanco said. The fear is that
without the certification, Linux suppliers will not only be shut
out of the $27.7bn (£17.6bn) Defense Department IT budget, but also
from other government agencies that might follow the Defense
Department's lead.
Linux, an open source operating system that is distributed by
several suppliers and independent groups, faces certification
challenges that proprietary suppliers do not, Stanco added.
The Common Criteria certifies to one code base, and Stanco's
institute is attempting to get several suppliers on board with a
certification push for a "generic" Linux server that
Linux suppliers and companies like IBM and Oracle could use.
Stanco welcomed the efforts by IBM and Oracle for moving Linux
certification in the right direction.