[Fed-Talk] C&A Macs in the Army
- Subject: [Fed-Talk] C&A Macs in the Army
- From: "Emmons, James M Mr CIV USA USAMC" <email@hidden>
- Date: Mon, 3 Mar 2008 10:38:24 -0700
(Yes, a subject line change to reflect a minor topic change.)
Greetings,
This is most definitely an "it depends" type question. Are you
currently under the ATO of a DOIM? How about the guys next door? Do you
have a current ATO for your other systems in the office? (And your desktop
systems as well as all your other AIS should have been accredited a long
time ago... You may be facing your triennial re-accreditation.)
Yes C&A is most definitely an expensive and time consuming process.
Not the least of which is the cost to "hire" one of the nine authorized ACAs
for the Army (hint: USA ISEC IASED at Ft. Huachuca is pretty good - IMNSHO
the best. Well, the others are OK as well ;-) who perform the actual C&A and
make a recommendation to OIA&C at the CIO/G-6, who in turn make their
recommendation (not necessarily the same as the ACA's) to the DAA. (I
believe all of the ACAs are in reimbursable organizations.)
If you've seen the memo from OMB, it discusses imposing a common
configuration because of the change to Vista - not because they are
"starting" with Windows. They see a chance to get everyone in the
government (yeah - right) on the same sheet of music with regard to locking
down their Windows-based desktop computers. (Note: Army and DOD have been
in the forefront of doing this - as the memo states)
As a Certifier, when I come in, I look to your IASO/IAM to provide
me the following (to start - there's a lot more involved): Processes: Are
your patches up to date? How do you patch your machines? And keep track of
them? (Processes anyone? Bueller?) Have you applied the STIGs/SRR
Scripts/Security Checklists to your systems? (For Macs, this is the
security configuration guide provided by Apple.) Are you meeting the
requirements of DODD 8500.1, DODI 8500.2, and AR 25-2? How are the system
access logs kept, and who reviews them how often? Is anti-virus/anti-malware
software installed and are the definitions up to date? You probably have most
of this already in place; you just have to expand it a bit to enfold the
non-covered systems, Windows, Macs, Linux, etc., you have there.
Yes, when NETCOM issues their Macintosh Golden Master, we'll be
looking at that as well. But when we go out to a site and see Macintoshes,
we look beyond them (or any OS really) to ensure the GIG/LandWarNet/NIPRNET
is kept as secure as possible - no Windows jokes here, please.
We look at everything we can to ensure that the risk your systems
present to the GIG/LandWarNet/NIPRNET is minimized. If you are operating
under a DOIM, check out the ICAN BBP
(https://www.us.army.mil/suite/doc/7908880) to see what needs to be done - I
suspect you will fall under the DOIM's ATO. (Find someone there who can at
least *spell* Mac - otherwise you may just get a blanket "Not authorized."
which is not true, but it is easy to say.)
If you aren't under a DOIM, but already have an ATO for your Windows
systems, your DAA (you) needs to review that ATO to determine the impact of
adding your Macs to the ATO. If there is negligible risk, they may be
added without requiring a new C&A. If, on the other hand, your DAA
determines that the level of change is significant enough, you may have to
go for a new ATO. Is your DAA willing to accept the risk?
Magic terms for Army types: Read and understand AR 25-2 (the new
release) and go over the BBPs available on AKO. If you have questions, call
one of the ACAs for advice. Again: We're pretty good - IMNSHO the best.
Good luck - and remember: Illegitimi non carborundum.
James Emmons
Computer Scientist CISSP GSEC
Information Assurance and Security Engineering Directorate
U.S. Army Information Systems Engineering Command
Disclaimer: The above is mine and not my employer's. It does not reflect
the position of the U.S. Army, or of the Information Assurance and Security
Engineering Directorate. Any statements made should, like other advice, be
checked out carefully prior to implementing any element of this statement.
Please do not go to your IAM or DOIM and tell them "Well, Jim said so." I
get laughed at enough already. Be safe, be secure - look before you leap.
And don't piss off your IASO, IAM, DOIM, or DAA.
Date: Thu, 28 Feb 2008 15:26:26 -0500
From: "Darius Kwiedorowicz" <email@hidden>
Subject: [Fed-Talk] Re: UPM Decision, Someday is Here
To: email@hidden
Cc: email@hidden
Message-ID: <email@hidden>
Content-Type: text/plain; charset=ISO-8859-1
Keith:
U.S. Army NETCOM is working on a Army Golden Master (AGM) for OS X
Leopard. Limited deployment is scheduled for March 2008. See:
https://www.us.army.mil/suite/doc/10098504
Darius M. Kwiedorowicz
email@hidden
> Date: Wed, 27 Feb 2008 10:58:21 -0600
> From: "J. Keith Putnam" <email@hidden>
> Subject: [Fed-Talk] Re: UPM Decision, Someday is Here [UNCLASSIFIED
> To: <email@hidden>
> Message-ID: <C3EAF2CD.1BE60%email@hidden>
> Content-Type: text/plain; charset="US-ASCII"
>
> Classification: UNCLASSIFIED
> Caveats: NONE
> Regarding the dire prediction, from June 07, below; Someday is here.
>
> I am being told that all systems (ISs) must be accredited by this summer.
> Further, non-Windows XP, unclassified systems must be accredited separately
> from the XP accreditation, through their own accreditation process. This
> accreditation is very expensive, we are told, and must be borne by whichever
> group chooses to not use Windows XP. I am also told that, if Joe Blow, in
> the next building has his five Macs accredited for $100K, that my need for
> accreditation, and funding, is in no way mollified.
>
> Basically, in order to keep our Macs, we would have to quit paying one of
> the people that use them.
>
> I would be pleased to hear from anyone who can offer me hope on this.
>
> Keith Putnam
>
> UPM Decision [Fed-Talk] Digest, Vol 4, Issue 151
>
> On 6/7/07 1:03 PM, "email@hidden"
> <email@hidden> wrote:
>
> >
> > OMB is starting with Windows XP since it is the most widely used OS in the
> > Federal Government. And Vista adoption is coming very soon. This is a
> > phased approach towards covering all Operating Systems, eventually to
> > include Macintosh OSX.
> >
> > I believe that someday (I don't know OMB's strategy) that OMB will
> > require, as part of C&A/FISMA, all OSX installations will be required to
> > have standardized security controls applied.
> >
> > Someday (maybe soon), any computer that has not undergone Certification
> > and Accreditation will not be permitted to operate!
> >
> > It is in the Federal Macintosh community's best interest to ensure that
> > OSX STIGs are available, that they work, do not break applications, can be
> > monitored, and they are approved by the powers to be.
> >
>
> Classification: UNCLASSIFIED
> Caveats: NONE
> --
> Keith Putnam
> Stanley Associates
> Software Engineering Directorate
> 256-876-0363