>Now this is just silly -- having just come from a small company which
>for better or worse sought and received FIPS certification for a network
>security product, I'd like to point out that such certification _is_
>attainable at a level of expense most small companies can pony up, and
>_does_, as the term `certify' suggests, warrant that certain statements
>are true of a certified product.

I figure that if a BSD company wanted to get a BSD certified they could. The
problem would be in having it complete enough for general use and recertifing
it every few years. My feeling is that certification may not buy enough to 
offset cost and most importantly labor. The US government RFPs usually request
an operating system be at C2-capibility or above. While the C2 OSs are fairly
current, they are usually 1-2 years behind the latest version. In NetBSD terms,
1.5.3 and 1.6.0 would have been OKed recently. 

We use certifable systems because it gives the customer the "warm & fuzzies" 
and gives enough room to lock the machine down if either side sees the need.
I would love to recommend NetBSD or any other BSD as a solid system for mission
operational or support systems. I simply don't see a company taking a BSD 
through the CC process. If one did, I would love to bid a contract with it.

-Andy Wallis