Certificate Of Networthiness (US Army / NETCOM)


Frank Hale

Mar 21, 2013, 6:16:43 PM
to mil...@googlegroups.com

This question is in reference to US Army networks and Certificates of Networthiness granted by NETCOM.

Let's say I have a CoN for an application that is for version 2.0. The CoN paperwork is specifically marked and granted for this version number. Will a CoN permit point releases to be substituted? For example, version 2.1, 2.2, 2.3, etc.? The document does not specifically mention point releases but does mention allowing patches and updates that appear to be provided from internal agencies. It seems highly unlikely [to me] that an internal agency would be updating the software, which is an open source program. Or will another CoN need to be granted for this?

If worst comes to worst, I guess I can go straight to NETCOM and ask.

**Sorry, I cannot elaborate more because the CoN requires a CAC to download and is behind AKO.**

Kit Plummer

Mar 21, 2013, 6:25:31 PM
to mil...@googlegroups.com
It's my understanding that point releases must be "re-CON'd". Minor
version releases *.*.# are legit within the *.*. that was certified.

Kit

Frank Hale

Mar 21, 2013, 6:37:16 PM
to mil...@googlegroups.com
Oops, I used the wrong terminology. I meant minor updates.


Kit Plummer

Mar 21, 2013, 6:45:00 PM
to mil...@googlegroups.com
Actually, I think I got it wrong... but I'm not positive on the accepted convention. The general norm is something like:

major.minor.revision

So major.minor upticks must be re-certified. Revision updates are cool. The bad thing is that lots of systems are getting CoN'd and then just revision-updating out the wazoo.

John Scott III

Mar 22, 2013, 10:28:28 AM
to mil...@googlegroups.com
In case anyone missed Dan's excellent blog post about these issues:
http://risacher.org/blog/2013/02/system-vs-application-when-is-ca-required-in-dod/
-----------------------------------------------------------
John Scott
240.401.6574
< jms...@gmail.com >
http://powdermonkey.blogs.com
@johnmscott

Frank Hale

Mar 22, 2013, 11:01:19 AM
to mil...@googlegroups.com
I just got word from my PM that x.1, x.2, x.3, etc. releases are covered under a CoN that is released for the x.0 release. So no new CoN for those minor updates. This is good news!

Chaim Krause

Mar 25, 2013, 9:48:56 AM
to mil...@googlegroups.com
You can ask for a CoN at any level and it may or may not be approved. It is a crap shoot.

For example, you can request a CoN for version 2.x and it might go through. If you ask for version 2.0, though, you will be stuck with only 0.0.x revisions being auto-approved. If you are OCD, you can submit a CoN for version 2.3.1 and be stuck with submitting a new CoN for version 2.3.2.

This is based on my experience with both CoNs I have submitted and CoNs that we use that others have submitted.

And I can't mention CoNs without saying that they are stupid and worthless from a system administrator or security viewpoint. They are strictly for political/CYA reasons. To include that ***you do not need a CoN to use software***. Ultimately the DAA has the say in what can/cannot be installed. All CoNs do is signify that the covered software has been vetted by some authority and found viable.

In truth, all that is done is a bunch of paperwork. If I were a DAA or sysadmin, I would ignore CoNs. Having a CoN tells me absolutely zero about how stable or safe the software is on my (or any) network. I would do my own tests. Additionally, I would do my own tests for *any* software going on my network. So that also means I wouldn't care if software didn't have a CoN, since I would use my own tests to determine whether it is safe on my network.

However, if you have somebody in charge who follows the CYA mantra, they will want a CoN. I suggest you do the minimum amount of work to get the broadest CoN you can get through the system.

Jennings, Jared L CTR USAF AFMC 96 SK/CCI

Mar 28, 2013, 6:58:16 PM
to mil...@googlegroups.com

Chaim, I could argue that by only trusting your own analysis, you would be duplicating work, and you would be the one wasting taxpayer money, not the CoNers. Do you see a way to avoid that?

Chaim Krause

Mar 28, 2013, 9:57:17 PM
to mil...@googlegroups.com
Yes, have the CoN people do more than just paperwork.

They do not look at source code.
They do not run vulnerability testing.
They do not do a threat assessment of the software developer(s).
They do not even ask for a copy of the software.
They never even install it.
They don't use it.

They do absolutely nothing except look at some form you fill out. Then, in reality, they ask you a bunch of questions that show you they have no clue what they are looking at, and reply with answers that are not based on reality or best practices, or any security plan.

So, IF they did more than push paper so some people can CYA, then, sure, I might take what they do and give it some thought.

This is based on over a dozen CoNs.

Ben Francis

Mar 29, 2013, 12:20:13 PM
to mil...@googlegroups.com
Clearly the CoN process needs to be thrown out, as there doesn't seem to be any baby in that bathwater.

The CoN auditor's job is so hard. (How can she possibly CoN software for which you don't have the source code?) She could make it easier by using the many eyes of the open source process to make vulnerabilities small. Demand the source code or don't give the CoN. It's not enough to say "Smart people work at Microsoft, therefore Internet Explorer is safe".

It used to be said that nobody ever got fired for buying IBM. The same ought to be applied to Linux, and conversely, people ought to be fired for CoNing Windows, given Microsoft's security track record.

Jim Kinney

Mar 29, 2013, 12:26:42 PM
to mil...@googlegroups.com
A phrase a colleague used during a proposal presentation for CDC was "Fully Auditable Code". It made enough sense to the pencil pushers at the time that I saw that phrase appear on later RFPs.
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain at one end you lose at the other. It's like feeding a dog on his own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://electjimkinney.org
http://heretothereideas.blogspot.com/

Chaim Krause

Apr 3, 2013, 10:03:41 AM
to mil...@googlegroups.com
@Frank Hale,

I have just heard through the rotting grapevine that CoNs are now good for three years (vice two) and for major versions only. IOW 1.x, or 2.x, or 3.x. All minor, micro, release, build, etc. are covered under the #.x CoN.



Will LaForest

Apr 3, 2013, 12:14:56 PM
to mil...@googlegroups.com
Chaim,

I really appreciate your perspective on this topic. Frank and I were discussing the CoN for MongoDB, which was done for 2.0, and I was trying to figure out if it could be used for 2.2. I have literally gotten different answers from about 6 different people. Isn't there a memo somewhere that codifies the answer? It seems like it's completely discretionary. If what you heard through the grapevine is true I would be pretty happy, but I'm not sure I can convince the SO in question, since he claims the opposite.


--

name     : "Will LaForest",
title    : "Senior Director of 10gen Federal",
phone    : "202.656.7651",
location : "Washington, DC",
twitter  : ["@WLaForest", "@10gen"],
linkedin : "Will LaForest"

Chaim Krause

Apr 3, 2013, 1:12:09 PM
to mil...@googlegroups.com
@Will LaForest,

This should help you out:

Classification: UNCLASSIFIED
Caveats: NONE

I would like to thank all those who took the time to take our survey on the
submission process and invite everyone to join me in a discussion on the
topic April 4th at 07:00 Arizona time on the alternate DCO site.

I would also like to announce that we have changed our policy on application
CoN expiration dates.  All application CoNs that previously expired after
two years are now valid for three years and future application CoNs will be
for three years.  The other change to go with this is that CoNs are now
valid for the Major version number and will be approved using the 1.x
format.  This does away with the requirement for a new CoN when going from
1.1 to 1.2.

I would like to invite input on our external SOP which has been posted on
our SharePoint Home page.  I need to have comments back by 12 April 2013.
Please use the comment form located on the same page.

https://west.esps.disa.mil/netcom/sites/nw/CoNApproval/Lists/Networthiness%20Data


Upcoming Networthiness events

2 April: Draft External SOP posted for comments. Comments due 12 April 2013.
4 April, 07:00 AZ/Pacific time (10:00 Eastern time / 16:00 Germany / 23:00 Korea): Networthiness Submission Concepts, DCO (https://connectcol.dco.dod.mil/nwsubmissionconcecpts). This will be on the alternate DCO site, www2.dco.dod.mil.
5 April: Networthiness submission portal tutorial will be posted.
9-10 April: Networthiness Quarterly Update.
17 April: Networthiness External SOP Discussion (DCO).
1 May: Anticipated publishing of External SOP.


v/r

Darrell C Chugg
LTC, FA24 (Network Engineer)
Networthiness Director
ACofS G-6, NETCOM
Darrel...@us.army.mil
Office: (520) 533-0126 (DSN: 879)
BB: (520) 226-1076
https://west.esps.disa.mil/netcom/sites/nw/CoNApproval/Lists/Networthiness%20Data

If prompted for a certificate, use your email cert.
https://www.us.army.mil/suite/page/137030
Updated from SharePoint daily

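The thread ends with three competing readings of what a CoN covers: Kit's major.minor.revision norm, Chaim's observation that a CoN requested for "2.x", "2.0" or "2.3.1" fixes how much of the version string is pinned, and the NETCOM announcement that CoNs are now approved in "1.x" format and valid for three years. The script below is an added example for this thread, not code from any poster or from NETCOM. It encodes one reading of those rules (every numeric component in the CoN scope is pinned, "x" is a wildcard, components the scope omits are free, and a CoN expires three years after issue) and runs a constructed inventory against constructed CoN records, including Will's MongoDB 2.0-vs-2.2 case. The product names, scopes and dates are made up for illustration; the scope rule is an assumption drawn from the posts, not a quotation of NETCOM's SOP.

```python
"""Check installed software versions against the scope of a Certificate of
Networthiness (CoN). Added example for this thread, not NETCOM tooling; the
scope rule and all sample data below are assumptions/constructed."""
import re
from datetime import date

# The announcement in the thread says application CoNs now run three years.
CON_VALIDITY_YEARS = 3


def parse_version(text):
    """'2.3.1' or 'v2.3.1' -> (2, 3, 1). Rejects anything non-numeric."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError("unsupported version string: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def parse_scope(text):
    """'2.x' -> (2, None), '2.0' -> (2, 0), '2.3.1' -> (2, 3, 1).
    Rule assumed from the thread: each numeric component of the scope is
    pinned, 'x' is a wildcard, and components the scope omits are free."""
    parts = []
    for p in text.strip().lower().split("."):
        if p in ("x", "*"):
            parts.append(None)
        elif p.isdigit():
            parts.append(int(p))
        else:
            raise ValueError("bad scope component %r in %r" % (p, text))
    return tuple(parts)


def scope_covers(scope, version):
    """True if version (ints) lies within scope (ints/None).
    '2.x' covers 2.0 and 2.2.3; '2.0' covers only 2.0.*; '2.3.1' is exact."""
    padded = version + (0,) * (len(scope) - len(version))  # treat 2.0 as 2.0.0
    return all(want is None or want == got for want, got in zip(scope, padded))


def expiry_date(issued, years=CON_VALIDITY_YEARS):
    """Issue date plus the validity period (a Feb 29 issue date rolls to Feb 28)."""
    try:
        return issued.replace(year=issued.year + years)
    except ValueError:
        return issued.replace(year=issued.year + years, day=28)


def con_status(con, version_text, today):
    """One installed version against one CoN record:
    'expired', 'out_of_scope' or 'covered'."""
    if today > expiry_date(con["issued"]):
        return "expired"
    if not scope_covers(parse_scope(con["scope"]), parse_version(version_text)):
        return "out_of_scope"
    return "covered"


def audit(inventory, cons, today):
    """Match each (product, version) in inventory against the CoNs on file for
    that product. Any current, in-scope CoN is enough for 'covered'."""
    report = {}
    for product, version_text in inventory:
        matches = [c for c in cons if c["product"] == product]
        statuses = [con_status(c, version_text, today) for c in matches]
        if not statuses:
            report[product] = "no_con"
        elif "covered" in statuses:
            report[product] = "covered"
        elif "out_of_scope" in statuses:
            report[product] = "out_of_scope"
        else:
            report[product] = "expired"
    return report


# Constructed sample data: the three scope forms the thread describes, plus an
# old CoN that has outlived the three-year validity period. Not real CoNs.
SAMPLE_CONS = [
    {"product": "mongodb", "scope": "2.x", "issued": date(2012, 6, 1)},
    {"product": "tomcat", "scope": "7.0", "issued": date(2012, 6, 1)},
    {"product": "jenkins", "scope": "1.480.3", "issued": date(2012, 6, 1)},
    {"product": "openssl", "scope": "1.x", "issued": date(2009, 1, 15)},
]
SAMPLE_INVENTORY = [
    ("mongodb", "2.2.3"),     # covered by 2.x
    ("tomcat", "7.1.0"),      # 7.0 pins the minor version, so 7.1 is out
    ("jenkins", "1.480.4"),   # pinned to one build; the next build is out
    ("openssl", "1.0.1"),     # in scope, but the CoN has expired
    ("postgresql", "9.2.3"),  # nothing on file
]
SAMPLE_TODAY = date(2013, 4, 3)


def run_sample():
    return audit(SAMPLE_INVENTORY, SAMPLE_CONS, SAMPLE_TODAY)


if __name__ == "__main__":
    for product, status in run_sample().items():
        print("%-11s %s" % (product, status))
```

Run against the sample data, mongodb 2.2.3 comes back covered under the 2.x CoN, tomcat 7.1.0 and jenkins 1.480.4 fall outside the narrower scopes they were certified under, openssl is in scope but past its three-year window, and postgresql has no CoN on file. The point for a sysadmin is that the scope string on the CoN, not the version installed, decides whether the next update needs new paperwork, which is why Chaim's advice to request the broadest scope the process will accept matters.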