Re: [Fed-Talk] Re: UPM Decision, Someday is Here [UNCLASSIFIED
- Subject: Re: [Fed-Talk] Re: UPM Decision, Someday is Here [UNCLASSIFIED
- From: Michael <email@hidden>
- Date: Wed, 27 Feb 2008 13:38:06 -0500
While I don't know the specifics, I can put together a rough idea. Assume management says that, for security reasons, all computer systems have to have the DISA configuration applied via the DISA Gold Disk system and that manually applying DISA configurations is not acceptable. Only Win2K, WinXP, and a couple of others have the DISA Gold Disk system, which will evaluate a system and apply fixes for most of the configuration issues (even DISA says you can't just blindly apply the Gold Disk without testing to confirm it does not have side effects). Without DISA-approved automated tools for configuration evaluation you get into a problem: you create work for management, and they come up with a solution: require the configuration to be applied and verified by a third party.

Management usually takes the easy route. Requiring DISA Gold Disk accreditation for all systems is an obvious path forward. Requiring automated accreditation of all systems is an obvious solution to all problems.

There are other tools, and for specific groups of systems our security has a commercial tool (I forget the name) that they use for accreditation for all OS's, but then our security tends to place more emphasis on OS's and programs that are the source of most security failures rather than pounding square pegs into round holes, i.e. issuing blanket directives that only make sense for Windows. Though requiring PKZip encryption for all sensitive Word documents came from somewhere...
Michael
On Feb 27, 2008, at 1:11 PM, Peter Link wrote:
Keith,

What accreditation process are they using for the XP systems, FDCC, DISA? You mention that all OSX installations will be required to have standardized security controls applied. Why aren't you doing that right now? Apple, NSA, and CIS have released security configuration documents all the way back to 10.3. NSA and DISA have approved the Apple-created Tiger (10.4) security configuration manual, http://www.nsa.gov/snac/downloads_macOSX10_4Server.cfm?MenuID=scg10.3.1.1 (I couldn't find the quick reference to DISA approving the use of Apple's manual and not creating one of their own.).

We're not a DoD site; we (LLNL) report to NNSA/DOE, but we have approved OSX configurations for both our unclassified and classified networks.

If you're wondering when a Leopard (10.5) security configuration manual will be released, you'll need to get that information directly from Apple, mailto://email@hidden (or wait for one of them to answer on this forum).
At 10:58 AM -0600 2/27/08, J. Keith Putnam wrote:
Classification: UNCLASSIFIED
Caveats: NONE
Regarding the dire prediction from June 07, below: someday is here. I am being told that all systems (ISs) must be accredited by this summer.

Further, non-Windows XP, unclassified systems must be accredited separately from the XP accreditation, through their own accreditation process. This accreditation is very expensive, we are told, and must be borne by whichever group chooses to not use Windows XP. I am also told that, if Joe Blow, in the next building, has his five Macs accredited for $100K, my need for accreditation, and funding, is in no way mollified.

Basically, in order to keep our Macs, we would have to quit paying one of the people that use them.

I would be pleased to hear from anyone who can offer me hope on this.
Keith Putnam
UPM Decision [Fed-Talk] Digest, Vol 4, Issue 151
On 6/7/07 1:03 PM, "email@hidden"
<email@hidden> wrote:
OMB is starting with Windows XP since it is the most widely used OS in the Federal Government. And Vista adoption is coming very soon. This is a phased approach towards covering all Operating Systems, eventually to include Macintosh OSX.

I believe that someday (I don't know OMB's strategy) OMB will require, as part of C&A/FISMA, that all OSX installations have standardized security controls applied.

Someday (maybe soon), any computer that has not undergone Certification and Accreditation will not be permitted to operate!

It is in the Federal Macintosh community's best interest to ensure that OSX STIGs are available, that they work, do not break applications, can be monitored, and that they are approved by the powers that be.
Classification: UNCLASSIFIED
Caveats: NONE
--
Keith Putnam
Stanley Associates
Software Engineering Directorate
256-876-0363
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
email@hidden
The contents of this message are mine personally and do not reflect
the views or position of the U.S. Department of Energy, Federal
Government, National Nuclear Security Administration, Lawrence
Livermore National Security, or Lawrence Livermore National
Laboratory.