[Fed-Talk] DSS/Auditing/CCC
- Subject: [Fed-Talk] DSS/Auditing/CCC
- From: Shawn Geddis <email@hidden>
- Date: Tue, 12 Apr 2005 17:43:35 -0400
You missed my point: :-)
"Several facilities have already done this."
=====>>>> The statement included DSS staff directly!
The only area folks previously had issues with completing the
paperwork for NISPOM Certification was with Chapter 8 relating to
Auditing. The Auditing Services that are fully available relating to
CC and beyond, meet those requirements and hence allowed "several"
organizations to complete their NISPOM paperwork. Apple can't do the
paperwork for you, but we have provided everything for folks to
complete their NISPOM paperwork and have their systems approved for
classified networks.
Prior to the release of the Common Criteria Certification, I
personally had almost twenty "organizations" under NDA working with
the Auditing services and all of them, to my knowledge, got their
systems approved for use on Classified Networks. Again, this "early
access group" included folks from DSS.
If you need a DSS contact, I will gladly provide offline.
-Shawn
On Apr 12, 2005, at 11:04 AM, Kit Plummer wrote:
Shawn,
You've missed my point. It is not a technical issue. I am
completely aware of the CC stuff. However, there are very, very
few people on the other side of the fence that are. It is a red-
tape problem. DSS, in my world, is not prepared to handle anything
other than Windows and maybe Solaris. So, seeking approval for
anything else is, in most cases, futile. Indeed, the process for
getting approval is so twisted we rarely get past internal security
personnel.
Kit
On Apr 12, 2005, at 7:53 AM, Shawn Geddis wrote:
Full auditing has been included in Mac OS X 10.3.6 / OS X Server
since 10.3.6 when applying the Common Criteria Tools (final audit
pieces). This auditing will provide what you need to meet NISPOM
(Chapter 8) Auditing requirements for DSS approval. Several
facilities have already done this.
For more information on the Common Criteria Certification as well
as the auditing:
Common Criteria Introduction:
http://www.apple.com/support/security/commoncriteria/
-Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Computer - US Federal Government
On Apr 12, 2005, at 10:28 AM, Kit Plummer wrote:
Paul,
DSS = Defense Security Service (http://www.dss.mil)
By "classify" I mean utilizing OS X in a "classified" area. In
my case, a closed lab. Certification means nothing. DSS
authorization means everything.
Having said that, there is a benefit of the certification. It
means that there is a glimmer of hope that we will be able to
account for every one of DSS's auditing requirements. For
every system in a classified environment we must go through the
"certification" process. Really, it is quite foolish - but, at
some point there must be accountability.
You'd think that after the first "clearance" it would be smooth
sailing. Not true. Bureaucrats need their empires I guess.
Kit
On Apr 11, 2005, at 7:20 PM, Paul D Yu wrote:
Kit
What are DSS issues? and What do you mean classify OS X systems?
OS X 10.3 went through some certification already right?
Paul
On Apr 11, 2005, at 5:37 PM, Kit Plummer wrote:
Shawn Geddis T (703) 264-5103
Security Consulting Engineer C (703) 623-9329
US Federal Government email@hidden
Apple Computer, Inc.
1892 Preston White Drive
Reston, VA 20191