With doubts lingering over the stability and security of the Linux operating
system, three tech heavyweights on Thursday announced plans to seek federal
certification for the fast-growing open-source OS.
The three firms — IBM Corp.
and Red Hat
IBM, which has banked
heavily on mainstream acceptance of Linux, said it would work with the
open-source community to enter the Common Criteria certification
process early this year. IBM’s plans include winning federal
certification for Linux at increasing security levels through 2003 and 2004.
Through its Linux Technology Center, IBM said it would invest heavily to
enable Linux for Common Criteria certification across its eServer platforms,
and will fund initial evaluations in 2003.
Common Criteria certification for Linux is seen as a crucial first step
to win commercial approval for Linux among government clients. The U.S.
federal government CC approval for any IT product used in national security
IBM’s move comes on the same day Oracle and Red Hat announced plans to
submit the Red Hat Linux Advanced Server for a Common Criteria (ISO 15408)
evaluation at Evaluation Assurance Level (EAL) 2. Red Hat, which dominates
the market for Linux, said the move would enable security-conscious
customers in both the public and private sector to procure an evaluated
Linux platform and run
their enterprise software on a secure Linux operating system.
“In the future, Oracle and Red Hat intend to work toward achieving
higher-level security evaluations of the Linux operating system,” the
companies said in a joint statement.
By submitting Red Hat Linux Advanced Server for evaluation, the two
companies hope to dispel concerns among potential customers looking for a
reliable alternative to Microsoft’s
“Further, systems integrators and independent software vendors, and
independent hardware vendors will benefit from the evaluation by being able
to provide a competitive offering on the Linux platform to potential
customers who require evaluated products,” the companies said.
Once the CC scrutiny is complete, Oracle and Red Hat said the security
evaluation would be made available to the larger open-source community to
allow Linux providers to distribute an evaluated Linux operating system.
The long-term aim is to get Linux to comply with the U.S. government’s
security policy directive, NSTISSP (National Security Telecommunications and
Information Systems Security Policy) number 11, which requires independent
security evaluations for products used in national security systems.