It's not just the IA folks. The DoD regs are written in such a way that they only grudgingly accept that software can exist as its own thing.
The DoD by and large certifies SYSTEMS meaning a bundle of hardware and software. That makes sense when certifying an F-16 or an Abrams tank because they are bundled packages of hardware and software, but it is maddening when trying to work on say a web app or database.
A team I was on wanted to use a particular open source app and was told we couldn't because it wasn't authorized -- but it was bundled as part of the Oracle DBMS. So the ruling was that if we installed the Oracle DBMS on our desktops we could use it because that is how it was approved. But wait, another rule said we CAN'T run a DBMS on our desktops. ARGH!
That said it IS possible to use open source software. We use SVN and Tortoise SVN at work and it is explicitly on an approved products list. Another team is developing Java apps on Linux using Eclipse. But the only reason it is there is because an organization took the time to go through the test and evaluation process and submitted a request for approval to the network security gods (who are NOT your local IA people most likely) and waited 6-9 months for it to get through the review backlog. So it is possible, and your IA people SHOULD be in the business of helping you get to YES instead of just saying NO -- but the reality is many of them don't know how to get to yes because it can be a convoluted maze, so they just default to no for everything.
The DoD by and large certifies SYSTEMS meaning a bundle of hardware and software. That makes sense when certifying an F-16 or an Abrams tank because they are bundled packages of hardware and software, but it is maddening when trying to work on say a web app or database.
A team I was on wanted to use a particular open source app and was told we couldn't because it wasn't authorized -- but it was bundled as part of the Oracle DBMS. So the ruling was that if we installed the Oracle DBMS on our desktops we could use it because that is how it was approved. But wait, another rule said we CAN'T run a DBMS on our desktops. ARGH!
That said it IS possible to use open source software. We use SVN and Tortoise SVN at work and it is explicitly on an approved products list. Another team is developing Java apps on Linux using Eclipse. But the only reason it is there is because an organization took the time to go through the test and evaluation process and submitted a request for approval to the network security gods (who are NOT your local IA people most likely) and waited 6-9 months for it to get through the review backlog. So it is possible, and your IA people SHOULD be in the business of helping you get to YES instead of just saying NO -- but the reality is many of them don't know how to get to yes because it can be a convoluted maze, so they just default to no for everything.