Re: [Fed-Talk] Disabling sslv2 on ssh
- Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
- From: Joshua Krage <email@hidden>
- Date: Thu, 26 Feb 2009 15:16:05 -0500
It's not every day I get to correct Tim Miller... usually it's the other way around. :)
There _is_ a waiver process for FIPS 140-2. Paragraph 16 on page "vi".

16. Waiver Procedure. Under certain exceptional circumstances, the heads of Federal agencies, or their delegates, may approve waivers to Federal Information Processing Standards (FIPS), for their agency. The heads of such agencies may redelegate such authority only to a senior official designated pursuant to Section 3506(b) of Title 44, U.S. Code. Waivers shall be granted only when compliance with a standard would
a. adversely affect the accomplishment of the mission of an operator of Federal computer system or
b. cause a major adverse financial impact on the operator that is not offset by government-wide savings.
...
...
--
-----------------------------------------------------------------
email@hidden, CISSP, CEH
NASA GSFC Chief Information Security Officer, and IT Security Manager
On Feb 26, 2009, at 10:41 AM, Miller, Timothy J. wrote:
Oh, heck no. FIPS 140 applies to all unclassified cryptographic modules used in government systems per the Federal Information Security Management Act (FISMA 44 USC S 3541).

Classified modules and designated national security systems fall under NSA's purview, where I'm willing to bet OpenSSL is probably going to fly like a lead balloon.

Whoever's feeding you this from NETWARCOM needs to go back and review his compliance requirements ASAP. Because the system will get audited and it will fail on this requirement. There are no statutory processes for FIPS compliance waivers.

-- Tim
On 2/25/09 9:04 AM, "Losasso, Jonathan E IT3 CCG, N63"
<email@hidden> wrote:
Word I got was FIPS only applies to non-military agencies and contractors. Thus netwarcom's bypass

-Jonathan
-----Original Message-----
From: Miller, Timothy J. [mailto:email@hidden]
Sent: Tuesday, February 24, 2009 14:59
To: Losasso, Jonathan E IT3 CCG, N63; email@hidden
Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
Not surprised, but you should hit them back on that. FIPS compliance is Federal law.

-- Tim
On 2/24/09 4:55 PM, "Losasso, Jonathan E IT3 CCG, N63"
<email@hidden> wrote:
In order to be compliant with netwarcom, openssl needs to be the newest version (0.9.8j), funny huh.
-----Original Message-----
From: Miller, Timothy J. [mailto:email@hidden]
Sent: Tuesday, February 24, 2009 14:25
To: Losasso, Jonathan E IT3 CCG, N63; email@hidden
Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
On 2/23/09 4:30 PM, "Losasso, Jonathan E IT3 CCG, N63"
<email@hidden> wrote:
Tim - We are running the latest version of openssl 0.9.8j, had to compile on my own as apple is sometimes slow to release updates, so not exactly the version that ships with leopard.

Which is still not FIPS compliant. The OpenSSL FIPS Object Module will only work with OpenSSL 0.9.7. See:

http://www.oss-institute.org/fips-faq.html
http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp733.pdf

On how to get FIPS compliant with OpenSSL.

This is a DIACAP requirement, so you're going to run into it sooner or later.

-- Tim
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden