I wanted to try and clear something up a little. I’m pretty sure everyone on
here knows that the NSA-approved security configuration guides for Panther and
Tiger are posted on the nsa.gov site.

I keep seeing a lot of people up in arms about there not being a standard
configuration for OS X like there is for Windows. Folks – the guides posted on
the nsa.gov site are essentially what the Windows guides were in their earlier
forms. Producing them is an iterative process. The OS X guides are maturing far
more rapidly than the Windows guides did.

My understanding is that NIST has not been doing STIGs for a while now because
they have been simply referring customers to the current guides on the nsa.gov
site.

Finally, I believe Shawn has already stated this, but in case anyone missed it,
let me bring it up again – the Tiger guides are currently being developed at
Apple. But they are a joint effort by Apple, NSA, NIST and DISA at this point.
We are doing this to make sure that the guides retain the level of security we
feel they should have, but so that we can pull in the STIG-like elements to make
it easier for those having to do certifications.

Because of this collaboration, and some unforeseen delays, the guides didn’t
come out as soon as we would have liked. Yes, we would have preferred that they
came out when Leopard did. That wasn’t possible. But they will be coming out
soon – I believe in April (I keep forgetting what the schedule says, but I’m
sure Shawn will correct me if I have that wrong.)

Kimberly Cummings Hersh
Apple Team Lead
NSA Systems and Network Analysis Center (SNAC)
410-854-5192
email@hidden