leichter@harvard.harvard.edu (Jerry Leichter) (07/04/90)
John 'Fast-Eddie' McMahon says:

I have gotten conflicting answers on this, so I'll ask again... My understanding is that VMS 4.3 was the version rated at C2, and that rating did not automatically carry over to later versions of VMS. Hence, if you are running 4.3 you have (potentially) a C2 system. But if you are running 4.4 through 5.4 you don't. Can someone explain how these ratings apply when a system is upgraded?

Actually, there isn't any conflict here. A rating is given to a PARTICULAR implementation on PARTICULAR hardware. It is not applicable to any other versions of the system, or to any other hardware. The C2 rating for VMS applied only to VMS V4.3, since that was the only version actually submitted for the rating process. Further, it applied only to the hardware available at the time - NONE of which is sold by DEC any more!

There are further restrictions. For example, there is to this day no standard for security of networked systems, much less any rating process for them (although there is plenty of work in this area, and I suppose my information on this could already be obsolete.) So a VMS V4.3 system, running on the appropriate kind of hardware, would STILL not have a C2 rating if it were connected to a network - even a network of identical machines!

Obviously, given the realities of hardware and software development, it is in everyone's interest to provide some way to retain a rating from one version of a system to another. The proposed technique - I'm not sure if it's been implemented yet - goes as follows: The vendor designates a small number of its employees (like 2!) as "rating specialists". They receive special training from the NCSC, and then have the job of certifying that changes made between versions do not affect those portions of the system that were significant in allowing the system to be rated at a particular level.

If there HAVE been some changes, I think there's supposed to be an expedited review process of just the changes, rather than a re-rating effort for the system as a whole. Presumably a similar process applies as well to the same software running on new hardware.

Given the long time that has elapsed and the number of changes that have been made to VMS in the interim, it's highly doubtful that anything of much use could be retained for a re-rating at this point.

-- Jerry