[Fed-Talk] Re: Fed-talk Digest, Vol 2, Issue 221
- Subject: [Fed-Talk] Re: Fed-talk Digest, Vol 2, Issue 221
- From: Ron Backman <email@hidden>
- Date: Mon, 21 Nov 2005 19:57:37 -0800
Amanda,
I am the Network Security Officer for a large Navy RDT&E center. I
encourage our users to utilize the DISA STIGs in configuring their
systems. The intent of issues with OSX between 10.2 and 10.4 is not
that different. The Common Criteria Auditing service is not that
useful. It's just a lot of auditing, less performance and a lot more
work for the SysAdmin. Applying Apple patches goes a long way to
keeping the desktops reasonably secure. The story with Windows 2000
is not quite the same as the STIG gives a lot of useful suggestions
to consider.
STIG compliance is still a big plus for the certification process. I
encourage my customers to consider STIG guidelines where it makes
sense. The documents are well written and are usually kept current
within 6-12 months. The STIGs apply the same whether the systems
are unclassified or classified. Those classifications relate only to
the nature of the data, not the security of the operating systems.
Our IA Division is very heavy into Mac/OSX as it's the easiest to
keep current and rather secure. But most of our users are required
to use Windows XXX and that's a lot of work.
Also built-in support for the DoD CAC Smartcard is another plus.
Ron Backman
On Nov 21, 2005, at 11:53 AM, Peter Link wrote:
I am researching the ways the DoD community handles the
configuration management and certification of their computer
systems. I found the DoD IA Portal <http://iase.disa.mil/>and
started looking at all the publications but was interested in some
first-hand experience by fellow Mac users. Is this part of your
operational policy? Do you actively use the STIGs, DRRs,
checklists, etc.? The versions I found are for 10.2, are there
published updates for Tiger? Do you have different versions for
unclassified and classified systems? Thanks for the help.
Hi Peter,
I can give a contractor perspective. In my experience, certifying
Macs is a lot easier than certifying Windows boxes.
We actively use both the STIGs, the Common Criteria configuration
guide, and the NSA MacOS X configuration guidelines (which all have a
fair amount of overlap). The biggest problem with these, as you
noted, is that they tend to be a bit out of date. However, our DSS
office is happier with the policy of staying current (especially re:
security updates) than sticking with an older version of the OS. The
10.2 documents are, overall, still quite applicable to 10.4. Most of
this stuff, to be honest, is just a description of good practice in
general. For classified systems, DSS drives the train. Mostly, they
have checklists that they will run down when they do an inspection
(password policies, for example), and scanners that they will run on
the systems (this is where having a Mac is a win, since there's so
little Mac malware floating around).
It all comes down to who you have to answer to (that is, who's doing
the accreditation/certification). DISA and DSS have somewhat
different criteria, and many DoD organizations have their own
accreditation manuals & checklists. For example, I have to answer to
both DSS (facilities clearance, classified computers, safes, etc.)
and my customer, who has a Basic Accreditation Manual for development
contracts. This latter document generally follows DISA guidelines,
but has some of its own quirks. Many organizations are not very
familiar with Macs, so you may have a harder time convincing your
internal IA & IT folks than you will with getting the official stamp
of approval. Sometimes a little education helps--noting that the NSA
guide describes MacOS X as very secure is a nice start, for
example :-). Our IT department started out pushing against the
use of Macs (just because they weren't familiar with them), but have
now gotten sufficiently burned out over chasing the Outlook Virus Of
the Day that they're starting to come around :-).
Are you interested in overall DoD policy, or are you trying to gauge
how hard it would be to certify Macs at LLNL? If it's the latter,
I'd start by talking to your local FSO and/or IA folks, to see what
guidelines and checklists they already have.
Amanda Walker