locked
.Net and DoD/NSA acceptance RRS feed

  • Question

  • I don't know if this is the right place, but . . .

    This comes from the Windows 2003/XP/2000 Addendum V5R1 DISA Field Security Operations

    Dated 29 August 2005

    Developed by DISA for the DOD

    UNCLASSIFIED

    Page 34

    8.1.4 .NET Framework

    The Microsoft .NET Framework, also referred to as the Common Language Runtime (CLR), provides an operating environment similar to the Java Runtime Engine (JRE). Programs written and compiled to the .NET Platform may be run on any system with a CLR installed, regardless of the underlying OS.

    One of the principal goals of the .NET Platform is to provide a common operating environment for web-based applications. .NET mobile code is currently uncategorized. According to the DOD mobile code policy, uncategorized mobile code is not allowed to execute on any DOD system. The .NET Framework may only be used for locally executed applications, that are locally developed or DOD approved, or to support local applications and services that require it.

    The .NET Framework includes a complex security model that is currently being evaluated. It can be uninstalled from Windows 2000 and Windows XP, but is integrated into the Windows 2003 operating system.

    The underlining is mine.

    Does this mean I can't develop apps for sale to DoD and defense contractors using .Net??? or dependent on IIS6???

    Anyone have any information on this?

    I asked this question 6 months ago and got no response.

    Tuesday, May 9, 2006 6:08 AM

Answers

  • It took a while to track down, but here's the scoop from the team:

    Yes, .NET products/apps can be purchased by the DoD. DISA’s concern is with apps that are not local, essentially not trusted. It is fine to build and sell .NET apps into this environment as long as they are approved and locally installed by IT.

    -brenda (ISV Buddy Team)

    Tuesday, May 16, 2006 3:07 PM

All replies

  • It took a while to track down, but here's the scoop from the team:

    Yes, .NET products/apps can be purchased by the DoD. DISA’s concern is with apps that are not local, essentially not trusted. It is fine to build and sell .NET apps into this environment as long as they are approved and locally installed by IT.

    -brenda (ISV Buddy Team)

    Tuesday, May 16, 2006 3:07 PM
  • Thanks for the response.

    I am still waiting on the NSA Small Business Outreach Office to get back to me, but I suspect they will confirm, if they ever get back to me!

    So I understand this to mean that -

    As long as the executables are installed by their IT department and are running within their controlled environment, not accessing processes outside their control, there should be no problem.

    Any whitepapers/outlines that you know of?

    Something official to show my boss would be great. . .I don't want to program J2EE. . . though Java EE 5/EJB 3 is pretty cool :)

    Tuesday, May 16, 2006 10:46 PM
  • Hi,

    This is from the government vertical team:

    I’m not aware of [any official whitepapers]. I would also say that if .NET were restricted, the DOD/DISA would explicitly state it. There is a .NET STIG posted at http://iase.disa.mil/stigs/checklist/index.html which infers that .NET can be used in the DoD.

    -brenda (ISV Buddy Team)

    Friday, May 19, 2006 7:58 PM
  • Bingo!!!

    Thats exactly what I was looking for!!!

    Thanks for the research!

     

    Friday, May 19, 2006 8:26 PM