Re: [Fed-Talk] DoD STIGs, DRRs
- Subject: Re: [Fed-Talk] DoD STIGs, DRRs
- From: Amanda Walker <email@hidden>
- Date: Mon, 21 Nov 2005 12:43:52 -0500
On Nov 21, 2005, at 11:53 AM, Peter Link wrote:
I am researching the ways the DoD community handles the
configuration management and certification of their computer
systems. I found the DoD IA Portal <http://iase.disa.mil/> and
started looking at all the publications but was interested in some
first-hand experience by fellow Mac users. Is this part of your
operational policy? Do you actively use the STIGs, DRRs,
checklists, etc.? The versions I found are for 10.2, are there
published updates for Tiger? Do you have different versions for
unclassified and classified systems? Thanks for the help.
Hi Peter,
I can give a contractor perspective. In my experience, certifying
Macs is a lot easier than certifying Windows boxes.
We actively use both the STIGs, the Common Criteria configuration
guide, and the NSA MacOS X configuration guidelines (which all have a
fair amount of overlap). The biggest problem with these, as you
noted, is that they tend to be a bit out of date. However, our DSS
office is happier with the policy of staying current (especially re:
security updates) than sticking with an older version of the OS. The
10.2 documents are, overall, still quite applicable to 10.4. Most of
this stuff, to be honest, is just a description of good practice in
general. For classified systems, DSS drives the train. Mostly, they
have checklists that they will run down when they do an inspection
(password policies, for example), and scanners that they will run on
the systems (this is where having a Mac is a win, since there's so
little Mac malware floating around).
It all comes down to who you have to answer to (that is, who's doing
the accreditation/certification). DISA and DSS have somewhat
different criteria, and many DoD organizations have their own
accreditation manuals & checklists. For example, I have to answer to
both DSS (facilities clearance, classified computers, safes, etc.)
and my customer, who has a Basic Accreditation Manual for development
contracts. This latter document generally follows DISA guidelines,
but has some of its own quirks. Many organizations are not very
familiar with Macs, so you may have a harder time convincing your
internal IA & IT folks than you will with getting the official stamp
of approval. Sometimes a little education helps--noting that the NSA
guide describes MacOS X as very secure is a nice start, for
example :-). Our IT department started out pushing against the
use of Macs (just because they weren't familiar with them), but have
now gotten sufficiently burned out over chasing the Outlook Virus Of
the Day that they're starting to come around :-).
Are you interested in overall DoD policy, or are you trying to gauge
how hard it would be to certify Macs at LLNL? If it's the latter,
I'd start by talking to your local FSO and/or IA folks, to see what
guidelines and checklists they already have.
Amanda Walker