Re: [Fed-Talk] Disabling sslv2 on ssh
- Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
- From: Joshua Krage <email@hidden>
- Date: Thu, 26 Feb 2009 17:09:42 -0500
I'm pulling out my razor to split hairs here...
I did miss the web page update. I'm not sure that a web page is a
binding policy statement, though I certainly concede it sets
expectations.
FISMA requires the Secretary (of Commerce) to make standards
compulsory and binding, "to the extent determined necessary by the
Secretary..." (§11331 (b)(2)).
So I'll contend that the published FIPS, since it has not been
modified, stands as it is still within the scope of authority for
NIST. The last change notice to the FIPS was 2002-12-03, so that was
after FISMA's enactment, and further supports my contention.
In the end, however, I have to agree with you that you are closer to
being right on this than I am. Darn it! :)
And yes, 140-3 further changes things. Note that the whole FIPS 140-2
preamble -- the FIPS announcement portion, etc. which would include
the waiver process, is not present in the draft of 140-3. There is
still time to add that in... :)
--
-----------------------------------------------------------------
email@hidden, CISSP, CEH
NASA GSFC Chief Information Security Officer, and IT Security Manager
On Feb 26, 2009, at 4:26 PM, Miller, Timothy J. wrote:
On 2/26/09 2:16 PM, "Joshua Krage" <email@hidden> wrote:
It's not every day I get to correct Tim Miller... usually it's the
other way around. :)
I've been wrong before, and I'll be wrong again...
There _is_ a waiver process for FIPS140-2. Paragraph 16 on page
"vi".
...but this is not one of those times. :)
FIPS 140-2 predates FISMA (140-2 was approved in 2001, FISMA passed in
2002), and the statute from which FIPS derived authority prior to FISMA
allowed waivers. Not any more. Note what the NIST FIPS Publications page
says:
"""
With the passage of the Federal Information Security Management Act
of 2002,
there is no longer a statutory provision to allow for agencies to
waive
mandatory Federal Information Processing Standards (FIPS).
Therefore, the
references to the "waiver process" contained in many of the FIPS are
no
longer applicable. ).
"""
http://csrc.nist.gov/publications/PubsFIPS.html
Also, check FIPS 140-3 Draft; there's no waiver process mentioned, nor is
there one defined in FISMA itself:
http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
-- Tim
Fed-talk mailing list (email@hidden)