[comp.virus] Orange book compliance

morgan@ms.uky.edu (Wes Morgan) (07/04/90)

>My understanding is that VMS 4.3 was the version rated at C2, and that
>rating did not automatically carry over to later versions of VMS.
>Hence, if you are running 4.3 you have (potentially) a C2 system.  But
>if you are running 4.4 through 5.4 you don't.
>
>Can someone explain how these ratings apply when a system is upgraded?

The NCSC has a program known as RAMP <Rating Maintenance Program>.  Should
a vendor be willing to incur some additional costs, NCSC will verify future
versions of the system in order to maintain compliance.  Keep in mind that
NCSC verification teams are usually assigned according to their experience;
as a matter of fact, the Orange Book dictates that they will have "assembly
language ability or the equivalent" on the machine being evaluated.  Since
NCSC also requires "internals programming ability on the level of writing a
device driver" for verification team members <in some circumstances>, it
seems to me that the same people are committed to evaluating a given system
throughout its lifetime.  Given that, RAMP is probably an expensive
proposition for a vendor.

Another consideration would be this: do the later versions of VMS contain
"features" that are not allowable under C2 certification?  I'm not familiar
with VMS, so perhaps someone else could comment on this.


--
    | Wes Morgan, not speaking for | {any major site}!ukma!ukecc!morgan |
    | the University of Kentucky's |        morgan@engr.uky.edu         |
    | Engineering Computing Center |   morgan%engr.uky.edu@UKCC.BITNET  |
     Lint is the compiler's only means of dampening the programmer's ego.