
[netCDF #IPK-827602]: support for FISMA in netcdf-c



Hi Ed,

We've talked about it, and adding a flag to turn off network functionality
to be effectively fisma compliant (insofar as turning off all the
networking functionality goes) is pretty easy, and I think we can work that
in for the next release.  A convenience flag, really, and we'll document it
as such.  We probably won't reference FISMA directly, since we don't want
to inadvertently assume any responsibility for compliance with this or any
other federal law; the situation that leaps to mind is an introduction of
new networking functionality that doesn't get added to the flag
immediately, or perhaps a modification to the law that changes what
compliance looks like, and we don't catch that.  In any event, the end
result will be the same.

Thanks, I'll open an issue for us to put a PR out against!

-Ward

address@hidden> wrote:

> New Ticket: support for FISMA in netcdf-c
>
> Guys,
>
> There's a thing called FISMA - from wikipedia:
>
> Federal Information Security Management Act of 2002 is a United States
> federal law enacted in 2002 as Title III of the E-Government Act of 2002.
> The act recognized the importance of information security to the economic
> and national security interests of the United States.
>
> What this means in practice is that some HPC systems don't want any code
> that can reach out across the network and talk to other systems. They would
> just prefer to build packages like netcdf-c without this capability. For
> this reason, we are modifying the spack recipe for netcdf-c to have a fisma
> option, which will build with --disable-dap --disable-nczarr
> --disable-byterange.
>
> (Sorry Dennis, they don't want your excellent and fun features on their
> supercomputers! But aside from security issues, they would not work well
> anyway. If 10K processors all opened a file over opendap at the same time,
> the network would be overwhelmed and all 10K processors would grind to a
> halt and just burn money.)
>
> What I suggest is that we add an option --enable-fisma, off by default,
> which will disable all code that violates this fisma rule, and that will
> make it easy for federal labs to use this netcdf. If you guys then add even
> more remote options to netCDF, just ensure they have a disable option, and
> that option is selected by --enable-fisma.
>
> I will suggest the same to the HDF5 team...
>
> Thanks,
> Ed
>
>
>
> Ticket Details
> ===================
> Ticket ID: IPK-827602
> Department: Support netCDF
> Priority: Normal
> Status: Open
> Link:
> https://andy.unidata.ucar.edu/staff/index.php?_m=tickets&_a=viewticket&ticketid=33955
> ===================
> NOTE: All email exchanges with Unidata User Support are recorded in the
> Unidata inquiry tracking system and then made publicly available through
> the web.  If you do not want to have your interactions made available in
> this way, you must let us know in each email you send to us.
>
>
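
One way a site could check that a build made with the `--disable-dap --disable-nczarr --disable-byterange` options from the thread really has no network-capable features left, as an added example that is not part of the original emails or the netCDF project's code. It assumes the build summary lists features as `<Name> Support: yes|no` lines (for instance in a `libnetcdf.settings` file); the labels, the function names and both sample summaries are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail-closed audit of a netCDF-C build summary.
# Assumption: features appear as "<Name> Support: yes|no" lines.
NET_FEATURES="DAP2 DAP4 Byte-Range NCZarr"

# Constructed sample summaries (not output from a real build).
sample_default() {
cat <<'EOF'
HDF5 Support:        yes
DAP2 Support:        yes
DAP4 Support:        yes
Byte-Range Support:  no
NCZarr Support:      yes
EOF
}

sample_locked_down() {
cat <<'EOF'
HDF5 Support:        yes
DAP2 Support:        no
DAP4 Support:        no
Byte-Range Support:  no
NCZarr Support:      no
EOF
}

# Read a summary on stdin; print "<feature>=<yes|no|unknown>" per feature.
network_feature_status() {
    summary=$(cat)
    for feat in $NET_FEATURES; do
        val=$(printf '%s\n' "$summary" |
            sed -n "s/^[[:space:]]*${feat} Support:[[:space:]]*\([A-Za-z]*\).*/\1/p" |
            head -n 1)
        case "$val" in
            yes|no) ;;
            *) val=unknown ;;   # missing or odd value: do not assume "off"
        esac
        printf '%s=%s\n' "$feat" "$val"
    done
}

# Succeed only if every network feature is explicitly "no".
audit_build() {
    bad=$(network_feature_status | grep -v '=no$' || true)
    [ -z "$bad" ] && return 0
    printf 'network-capable or unknown: %s\n' "$(echo $bad)" >&2
    return 1
}
```

Run it as `audit_build < libnetcdf.settings` in a packaging or CI step; a feature added later to `NET_FEATURES` but absent from the summary is reported as unknown rather than silently passing.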


