[Fed-Talk] RE: C and A package
- Subject: [Fed-Talk] RE: C and A package
- From: "Jim Emmons" <email@hidden>
- Date: Wed, 27 Dec 2006 11:47:08 -0700
Hi Chris,
Yup - C&A is certification and accreditation, otherwise known as pain and
suffering.
Before trying to answer your big question, a few little ones back at you:
Is your base's IA office looking to add your Macs to the current
accreditation, or are they treating it as a separate effort?
DIACAP (implement immediately) or DITSCAP (obsolete)?
Have you looked at the Mac STIG
(http://iase.disa.mil/stigs/stig/mac-stig-v1r1.pdf)? (It is out of date,
but easily modified to meet your needs.)
There is, quite obviously, no DISA Gold Disk for the Mac, so you'll
have to do the STIG manually and record the results. Be careful if you are
using your Macs for any productive use as you meander into the STIG.
When you scan the machines, make sure you are using the right scanner
configuration files; Nessus has a pre-defined set, and (IIRC) so does eEye.
(Interestingly enough, I was told by a "Help Desk" type that before I could
put my gov't issue Mac on the NIPRNET, they had to scan it to be sure I had
the correct DLLs installed, and the ENHPASFLT.dll *had* to be on the
Mac. I've tried, but for some reason, the DLLs just won't work on this Mac.)
Talk to your unit's IASO/IAM (unless that is you) to have him/her determine
and define exactly what is needed to get past this.
Talk to the IA office and find out what is acceptable to them - do they want
a full-up SSAA/SIP, an appendix, simple scan results, or what? Or are they
just so blind to systems that aren't in their experience that they just do
the NIMBY thing?
If they are just trying to make sure the Macs are secure, they may just want
scan results - using eEye's Retina or other AFCERT authorized tool.
I hope the above helps focus your effort - yes, C&A is a pain - but
in the end, it is necessary - even for our beloved Macs.
Jim
James Emmons
Computer Scientist CISSP GSEC IAM
Information Assurance and Security Engineering Directorate
U.S. Army Information Systems Engineering Command
(C) 520.538.6920
(DSN) 879-6920
-----Original Message-----
Message: 1
Date: Wed, 27 Dec 2006 07:40:37 -0700
From: Bojanower P Chris Civ 75 CS/SCXH <email@hidden>
Subject: [Fed-Talk] C and A package
To: "'email@hidden'" <email@hidden>
Message-ID:
<email@hidden>
Content-Type: text/plain; charset="us-ascii"
Due to a security incident at my base, we few Mac users have been pushed
into the spotlight of the base's IA office. I have been tasked to develop a C
and A Package (Certification and Accreditation - I think) before we can put
them back on the network.
I have never had to do one of these before, so I am looking at some that
were done for other systems here on base (Unix mostly), but if anyone has
one I can use as a template, I can sure use the help.
Thank You
Chris Bojanower
75 CS/SCXH
Hill AFB, UT
(801) 586-8324
DSN 586-8324