Proxmox in a US Federal environment?
- Thread starter dpearceFL
- Start date
I'm curious, what would you need to comply with to run it? [In a US Federal setting. It might also bring others out of the woodwork as a thought exercise.]
Are you looking to offer your "cloud" solution to the US Federal govt? I would start at: https://www.fedramp.gov/cloud-service-providers/
Frankly this US government agency is looking for alternatives to Red Hat OpenShift. Broadcom/VMware has taken themselves out of consideration. We're a Linux shop so Hyper-V is a no go. I've been using Proxmox for internal projects very successfully. But unfortunately there are many requirements for using SW from other countries, even Austria.
If anyone has tried to use Proxmox in this environment, I'd like to hear from you.
If anyone has tried to use Proxmox in this environment, I'd like to hear from you.
I think one of the hurdles is that Proxmox would need to significantly expand their presence in the US (specifically support hours. For Enterprise you really need 24/7 with a 3-hour response time SLA.)
/ wouldn't mind being hired on to do that sort of thing myself, I'm loving PMVE
/ wouldn't mind being hired on to do that sort of thing myself, I'm loving PMVE
Getting sued in a US jurisdiction for breach of SLA by a third party subcontractor, what's not to like. That's why they leave it to "partners" ... which you can be.
Would be interested in future plans in this as well.
US clearance based enterprises would benefit if Proxmox (Company) offered US-Based Support with better SLA options.
US clearance based enterprises would benefit if Proxmox (Company) offered US-Based Support with better SLA options.
Proxmox Server Solutions GmbH doesnt need to be in the GSA; the provider does. I am not aware of any limits precluding the use of pve within any US government applications as Austria is not on any restriction list, and even if it were, one could theoretically fork it to make an "American" version.
It's not just about the country per se, one would need to - as you implied - fork the sources and maintain them up to the standards required, this is simply not the case with this open source project. It's a bit like if Red Hat was offering nothing other than Fedora and then suggested whoever wants is free to fork it and maintain to the required standard.
And that's not going to change, so PVE is simply not the solution to go for with the use case, it's not on the roadmap either, that's about it.
I think everyone is missing the real point. In order to achieve an "authority to operate" or ATO in the federal space, all IT system owners must complete a "system security plan" based on the Privacy and Cybersecurity Framework as defined in NIST 800-53r5.
Now, if a service provider (like any system owner) has built a service using PVM and it has been "ATO'd" and adopted into the FedRAMP catalog following NIST 800-37, then any consumer of that service can inherit the security of the underling service. The question is, what are the requirements detailed in "Federal Information Security Management Act of 2002" or FISMA which drive all of the need for NIST?
Well this is where the conversation concerning foreign ownership and open/closed source code are relevant. There is no reason why PVM can't be a viable solution for hypervisors in US federal environments. But someone needs to build a system with PVM and go through the security assessment process to see what the issues are and find solutions for them. This has been the case for thousands of software and hardware products over the last couple of decades; with those products worth their merit surviving the assessment. Usually, much better for it.
Now, if a service provider (like any system owner) has built a service using PVM and it has been "ATO'd" and adopted into the FedRAMP catalog following NIST 800-37, then any consumer of that service can inherit the security of the underling service. The question is, what are the requirements detailed in "Federal Information Security Management Act of 2002" or FISMA which drive all of the need for NIST?
Well this is where the conversation concerning foreign ownership and open/closed source code are relevant. There is no reason why PVM can't be a viable solution for hypervisors in US federal environments. But someone needs to build a system with PVM and go through the security assessment process to see what the issues are and find solutions for them. This has been the case for thousands of software and hardware products over the last couple of decades; with those products worth their merit surviving the assessment. Usually, much better for it.