Re: [Fed-Talk] FISMA SP 800-53 Audit configurations?
- Subject: Re: [Fed-Talk] FISMA SP 800-53 Audit configurations?
- From: Peter Thoenen <email@hidden>
- Date: Mon, 01 Oct 2012 20:36:55 -1000
> I think there is an impedance mismatch between the rate that Apple keeps releasing new OSes and the rate the government
> can generate new documentation to keep up.
Not really, your user base is a captive audience, hence they have no choice. They are stuck with using the old version until the appropriate NCP providers update their documentation, the same as with any other standard; IT isn't magically different. On top of it, the newer OS X releases aren't FIPS 140-2 compliant yet (still in the eval stage), so they are not allowed to be used in production anyway, given FIPS is a mandatory minimum standard IAW FISMA and organizations wishing to use a non-FIPS approved product have to publish a notice in the Federal Register [not that this ever happens].
BTW I'm preaching policy here, not reality. In reality we all know the GAO / OMB / Agency IGs have zero teeth, so Agencies are free to ignore the law at whim and do, hence the push for iOS devices across Federal space (and the prevalence of PuTTY, for example). I've been doing this for nearly twenty years now and I can't recall the last time I've seen somebody lose their job/get suspended/etc. for violating the law by pushing the usage of a non-FIPS approved product while also not publishing a corresponding notice in the register; I'm not going to hold my breath either.
The only reason I bring it all up (I usually try and stay quiet) is you framed your original posting in the context of FISMA and NIST SP800-53 rev3 controls :). If you want to do it right then pick one of those two checklists until USGCB releases their configuration guidance for OS X and you will comply with 800-53 rev3 CM-6 and 800-70. If you don't care (most folk don't) then run with whatever you want .. personally I would go with the CIS one myself if outside Federal space (https://benchmarks.cisecurity.org/en-us/?route=downloads.multiform). CIS is acknowledged by NCP as a valid checklist for Federal usage, but the problem is it fails the 800-70 order of precedence requirement in selecting a checklist. That being said, I've always been partial to their products :)
-Peter
On Mon, Oct 1, 2012 at 6:33 PM, Todd Heberlein <email@hidden> wrote:
Thanks! Wow, that is a lot of layers of documents. My collection is growing every day.
I seem to recall a short discussion here when the Snow Leopard STIG came out (I think Lion was shipping at the time).
Todd