Which is odd considering the number of Macs rumored to be used by NIST, but of course that is arbitrary and only an amusing factoid if even true.
It's not clear to me what determines NIST's priorities on operating system security guidance, especially when Agencies are being so critically evaluated by FISMA / SCAP / Cyberscope. The number of OS X and various mobile operating systems clearly must
outweigh RHEL in numbers in the Federal government, although perhaps not when considering mission critical systems, although that might not be true either. I really do not know for sure, but have asked myself "why" the lack of focus on Apple Operating Systems
for years. It has played out for many years that NSA / DoD / Apple derived guidance overshadows anything NIST has ever produced for Apple operating systems. Even then, Federal guidance for OS X is usually not ready for one OS X release before the next
version of OS X is released, offering a short window for implementation until it's redundant again, further complicated operating system requirements by new Apple hardware.
In my opinion, it could be due to Apple's lack of fully functional built-in OFFICIALLY APPLE SUPPORTED compatibility with Federal requirements such as HSPD-12, OMB M-11-11, etc. Another reason, in my opinion, is the rapid release cycle from Apple which
is only compounded by the veil of secrecy and lack of confidence the federal space has in the future releases. Most if not all Federal agencies have no assurance in what security features will remain in Apple provided operating systems from one version to
the next, year after year, what will be deprecated / left limping with lack of adequate support, or what will be removed entirely and cease to be a feature. In comparison, in my opinion Microsoft and Red Hat have very long life-cycles, are more transparent,
and very responsive to federal requirements as well as their participation in meeting, and in some cases setting, the industry security standards.
Just my observations and opinions.
Ridley DiSiena, CISSP
On Aug 29, 2013, at 11:28 AM, "Moore, Dallas" <email@hidden> wrote:
Not really. Last I checked, USGCB only covered Windows desktop OSes and RHEL.
v/r
Dallas Moore
Information Security Analyst
U.S. House of Representatives
Desk: 202-226-9760
Mobile: 202-815-5472
Is there anything useful out of USGCB?
Walter Rowe, Hosting Services
Enterprise Systems / OISM
Email: email@hidden
Work: 301-975-2885