
[netCDF #IPK-827602]: support for FISMA in netcdf-c



Please see if PR https://github.com/Unidata/netcdf-c/pull/2708
solves this?

=Dennis Heimbigner

On 2/21/2023 12:02 PM, Ward Fisher wrote:
> New Staff Reply: support for FISMA in netcdf-c
>
> Hi Ed,
>
> We've talked about it, and adding a flag to turn off network functionality
> to be effectively FISMA compliant (insofar as turning off all the
> networking functionality goes) is pretty easy, and I think we can work that
> in for the next release.  A convenience flag, really, and we'll document it
> as such.  We probably won't reference FISMA directly, since we don't want
> to inadvertently assume any responsibility for compliance with this or any
> other federal law; the situation that leaps to mind is an introduction of
> new networking functionality that doesn't get added to the flag
> immediately, or perhaps a modification to the law that changes what
> compliance looks like, and we don't catch that.  In any event, the end
> result will be the same.
>
> Thanks, I'll open an issue for us to put a PR out against!
>
> -Ward
>
> address@hidden> wrote:
>
>> New Ticket: support for FISMA in netcdf-c
>>
>> Guys,
>>
>> There's a thing called FISMA - from Wikipedia:
>>
>> Federal Information Security Management Act of 2002 is a United States
>> federal law enacted in 2002 as Title III of the E-Government Act of 2002.
>> The act recognized the importance of information security to the economic
>> and national security interests of the United States.
>>
>> What this means in practice is that some HPC systems don't want any code
>> that can reach out across the network and talk to other systems. They would
>> just prefer to build packages like netcdf-c without this capability. For
>> this reason, we are modifying the spack recipe for netcdf-c to have a fisma
>> option, which will build with --disable-dap --disable-nczarr
>> --disable-byterange.
>>
>> (Sorry Dennis, they don't want your excellent and fun features on their
>> supercomputers! But aside from security issues, they would not work well
>> anyway. If 10K processors all opened a file over opendap at the same time,
>> the network would be overwhelmed and all 10K processors would grind to a
>> halt and just burn money.)
>>
>> What I suggest is that we add an option --enable-fisma, off by default,
>> which will disable all code that violates this FISMA rule, and that will
>> make it easy for federal labs to use this netcdf. If you guys then add even
>> more remote options to netCDF, just ensure they have a disable option, and
>> that option is selected by --enable-fisma.
>>
>> I will suggest the same to the HDF5 team...
>>
>> Thanks,
>> Ed
>>
>>
>>
>> Ticket Details
>> ===================
>> Ticket ID: IPK-827602
>> Department: Support netCDF
>> Priority: Normal
>> Status: Open
>> Link:
>> https://andy.unidata.ucar.edu/staff/index.php?_m=tickets&_a=viewticket&ticketid=33955
>> ===================
>> NOTE: All email exchanges with Unidata User Support are recorded in the
>> Unidata inquiry tracking system and then made publicly available through
>> the web.  If you do not want to have your interactions made available in
>> this way, you must let us know in each email you send to us.
>>
>>
>
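The build described in the thread (--disable-dap --disable-nczarr --disable-byterange) can be checked after the fact. The script below is an added example, not code from this thread or from the netcdf-c project: it audits a build summary and fails closed if any of those features is enabled or not reported. The "<Feature> Support: yes/no" labels are assumed to match the summary file netcdf-c writes (libnetcdf.settings); the function names and sample data are hypothetical and constructed.

```shell
#!/bin/sh
# Added example (not from the netcdf-c project): audit a build summary for
# network-capable features. Assumption: lines look like "DAP2 Support:  no".

# Summary lines matching --disable-dap, --disable-nczarr, --disable-byterange.
NETWORK_FEATURES='DAP2 Support
DAP4 Support
NCZarr Support
Byte-Range Support'

# audit_settings FILE: print one finding per feature that is enabled or
# unreported; return 0 only when every feature is explicitly "no".
audit_settings() {
    settings_file=$1
    findings=0
    old_ifs=$IFS
    IFS='
'
    for feature in $NETWORK_FEATURES; do
        value=$(sed -n "s/^[[:space:]]*${feature}:[[:space:]]*\([A-Za-z]*\).*/\1/p" \
            "$settings_file" | head -n 1)
        case $value in
            no) ;;
            '') echo "UNKNOWN  $feature (line missing, cannot confirm)"
                findings=$((findings + 1)) ;;
            *)  echo "ENABLED  $feature ($value)"
                findings=$((findings + 1)) ;;
        esac
    done
    IFS=$old_ifs
    [ "$findings" -eq 0 ]
}

# write_sample FILE DAP NCZARR BYTERANGE: constructed summary, not real output.
write_sample() {
    cat > "$1" <<EOF
HDF5 Support:         yes
DAP2 Support:         $2
DAP4 Support:         $2
Byte-Range Support:   $4
NCZarr Support:       $3
EOF
}

# Demo: a build where byte-range access was left enabled.
demo_file=$(mktemp)
write_sample "$demo_file" no no yes
audit_settings "$demo_file" || echo "FAIL: build can still reach the network"
rm -f "$demo_file"
```

Any remote-access feature added to the library later has to be added to NETWORK_FEATURES as well, which is the maintenance gap Ward describes for the flag itself.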


