Re: [Fed-Talk] Disabling sslv2 on ssh
- Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
- From: "Miller, Timothy J." <email@hidden>
- Date: Thu, 26 Feb 2009 17:23:02 -0500
On 2/26/09 4:09 PM, "Joshua Krage" <email@hidden> wrote:
> FISMA requires the Secretary (of Commerce) to make standards
> compulsory and binding, "to the extent determined necessary by the
> Secretary..." (§11331 (b)(2)).
>
> So I'll contend that the published FIPS, since it has not been
> modified, stands as it is still within the scope of authority for
> NIST. The last change notice to the FIPS was 2002-12-03, so that was
> after FISMA's enactment, and further supports my contention.

I would never accuse NIST of perfect consistency. :)

> In the end, however, I have to agree with you that you are closer to
> being right on this than I am. Darn it! :)

That's been NIST's position since FISMA passed. It's been no end of a PITA
programmatically since there were lots of things that held waivers that were
suddenly scrambling to catch up. Note how backed up the CMVP labs have been
since then.

In the end, though, it only matters what your approval authority will
accept. In the DoD, though, we have DIACAP and a general push to roll
approval authority *upwards*--both of which result in less flexibility on
these kinds of things. This is both a feature (it helps to stop more of the
stupid) and a bug (it also stops the smart-but-not-quite-compliant).

-- Tim