I cannot believe that DISA is still maintaining a manual STIG for
MacOS! Are they unaware of the availability of Mac-compatible
open-source tools for SCAP scanning?
On 1/25/2013 2:35 PM, Christopher Thomas wrote:
DISA released an update to their STIG
for Mac OS 10.6, has there been any talk between Apple and
DISA on a security guideline for Lion or Mountain Lion? In
this arena, does anyone know of any automated tool to manage
Mac OS to comply with STIG Guidelines or has anyone created
scripts to effect the guidelines? The steps for implementing
STIGs on Mac OS are manual and must be re-done with each
update to the OS to ensure the update did not reset settings.
Further, is there any current information on FIPS compliance
for Apple implementation of whole disk encryption in Lion or
Mountain Lion?
Assuming that Apple has some internal clock on ending support
to Snow Leopard, Lion/Mountain Lion need to get into the
reviewed arena.
For reference on STIGs:
http://iase.disa.mil/stigs/os/mac/mac.html
“The Security Technical
Implementation Guides (STIGs) and the NSA Guides are the
configuration standards for DOD IA and IA-enabled
devices/systems. Since 1998, DISA Field Security Operations
(FSO) has played a critical role enhancing the security
posture of DoD's security systems by providing the Security
Technical Implementation Guides (STIGs). The STIGs contain
technical guidance to "lock down" information
systems/software that might otherwise be vulnerable to a
malicious computer attack. DISA FSO is in the process of
moving the STIGs towards the use of the NIST Security
Content Automation Protocol (S-CAP) in order to be able to
“automate” compliance reporting of the STIGs.
A STIG Security Checklist, typically a companion of a STIG,
is essentially a document that contains instructions or
procedures to manually verify compliance to a STIG. STIGs
have been under optimization efforts since 2008 to begin to
combine the STIG and STIG Security Checklist into one
document. Currently, however, you will still find instances
where there are still STIGs with accompanying STIG
Checklists.”
On 1/25/13 3:00 PM, "email@hidden" <email@hidden> wrote:
Today's Topics:
1. Re: EAP-TLS Authentication with CAC on iPad or iPhone
(Matt Stier)
----------------------------------------------------------------------
Message: 1
Date: Fri, 25 Jan 2013 14:55:23 -0500
From: Matt Stier <email@hidden>
To: Shawn Geddis <email@hidden>
Cc: "email@hidden Talk" <email@hidden>
Subject: Re: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
Message-ID: <email@hidden>
Content-Type: text/plain; charset="windows-1252"
Thank you for the links, but that is not what I was
referring to earlier. Maybe my mind is not serving me as
well as it normally does, but I could have sworn there was
one or two products from Apple on the Modules In-Process
list in block 1 for several months and then all of a sudden
they were removed from the process altogether. It may have
been two years ago. Again, it may just be I am not
remembering it correctly.
On a separate note, do you know if Apple plans to support
smart cards natively in the future?
-Matt
Matt Stier, CISSP/CWNA/ACMA
SPAWAR, Atlantic
Phone: 843.321.WLAN (9526) | Fax 843.218.6605
Email: email@hidden
On Jan 25, 2013, at 1:32 PM, Shawn Geddis wrote:
> On Jan 25, 2013, at 1:07 PM, Matt Stier <email@hidden> wrote:
>> If I am not mistaken, Apple (cannot remember if it was OSX or iOS related) was on the list roughly a year ago, but was removed for some reason either by Apple or another entity. That is what I was referring to in my "thankfully" comment.
>
> Matt,
>
> I believe what you may be referring to is the completion of the FIPS 140-2 Conformance Validation for Apple's CDSA/CSP module still available in OS X Lion v10.7 for use by Third-Party Developers. OS X Lion was using the newer CoreCrypto / CoreCrypto Kernel modules, but we intentionally re-validated the CDSA/CSP module for third-party developers still using it at the time. Another example of Apple following through with commitments to the US Federal Government.
>
> Modules appear on the Modules In-Process List [1][2] until they are complete and then move to the Validated Modules list [3][4] by CMVP.
>
> Apple FIPS Cryptographic Module (Software Version: 1.1)
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm#1701
> ...on 3/30/2012
>
>
> This was a re-validation of the same module used by Mac OS X Snow Leopard v10.6.
>
> Apple FIPS Cryptographic Module (Software Version: 1.0)
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2011.htm#1514
> ...on 03/09/2011
>
>
> [1] http://csrc.nist.gov/groups/STM/cmvp/inprocess.html
> [2] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
> [3] http://csrc.nist.gov/groups/STM/cmvp/validation.html
> [4] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm
>
>
> - Shawn
> ________________________________________
> Shawn Geddis                     T (703) 264-5103
> Security Consulting Engineer     C (703) 623-9329
> Apple Enterprise Division        email@hidden
>
> 11921 Freedom Drive, Suite 600, Reston VA 20190-5634
>
------------------------------
_______________________________________________
Fed-talk mailing list
email@hidden
https://lists.apple.com/mailman/listinfo/fed-talk
End of Fed-talk Digest, Vol 10, Issue 17
****************************************
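The question earlier in the thread about scripts to apply STIG settings and re-check them after each OS update is the kind of task a small configuration-drift check covers: record the expected values once, then compare the live system against them after every update. The script below is an added example written for this page, not code from the thread, from DISA or from Apple. The preference domains and keys in its baseline are constructed placeholders (`com.example.*`), not actual STIG check items, and it assumes that on a real macOS host each setting would be read with `defaults read <domain> <key>`; the "after update" snapshot is likewise constructed so the check runs offline.

```python
"""Configuration-drift check: compare live macOS preference values to a baseline.

Added example for this thread, not code from DISA, Apple or the list members.
The domains/keys in BASELINE are constructed placeholders (com.example.*), not
actual STIG check items; a real baseline would carry the guideline's own settings.
"""
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

Setting = Tuple[str, str]           # (preference domain, key)
Reader = Callable[[str, str], str]  # returns the current value as a string

# Values are strings because that is the form `defaults read` prints them in.
# CONSTRUCTED placeholder baseline: replace with the guideline's real settings.
BASELINE: Dict[Setting, str] = {
    ("com.example.loginwindow", "SHOWFULLNAME"): "1",
    ("com.example.screensaver", "askForPassword"): "1",
    ("com.example.screensaver", "askForPasswordDelay"): "0",
}

# CONSTRUCTED snapshot of the same machine after an OS update: one value was
# reset to a weaker default and one key was removed entirely.
AFTER_UPDATE: Dict[Setting, str] = {
    ("com.example.screensaver", "askForPassword"): "1",
    ("com.example.screensaver", "askForPasswordDelay"): "300",
}

MISSING = "<unset>"


def defaults_reader(domain: str, key: str) -> str:
    """Read one preference with the macOS `defaults` tool (assumed to be
    present only on macOS; elsewhere every key reports as MISSING)."""
    try:
        proc = subprocess.run(["defaults", "read", domain, key],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return MISSING
    return proc.stdout.strip() if proc.returncode == 0 else MISSING


def snapshot_reader(state: Dict[Setting, str]) -> Reader:
    """Reader backed by an in-memory snapshot, for offline runs and tests."""
    def read(domain: str, key: str) -> str:
        return state.get((domain, key), MISSING)
    return read


def check_drift(baseline: Dict[Setting, str],
                reader: Reader) -> List[Tuple[str, str, str, str]]:
    """Return (domain, key, expected, actual) for each setting that no longer
    matches the baseline, in a stable (sorted) order. A key that the update
    removed shows up with actual == MISSING rather than being silently skipped."""
    drift = []
    for (domain, key), expected in sorted(baseline.items()):
        actual = reader(domain, key)
        if actual != expected:
            drift.append((domain, key, expected, actual))
    return drift


def format_report(drift: List[Tuple[str, str, str, str]]) -> str:
    """Human-readable summary; empty drift means the baseline still holds."""
    if not drift:
        return "OK: all baseline settings still in place"
    lines = [f"DRIFT: {len(drift)} setting(s) differ from baseline"]
    for domain, key, expected, actual in drift:
        lines.append(f"  {domain} {key}: expected {expected!r}, found {actual!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    # `--live` reads the running system; the default uses the constructed snapshot.
    reader = defaults_reader if "--live" in sys.argv else snapshot_reader(AFTER_UPDATE)
    result = check_drift(BASELINE, reader)
    print(format_report(result))
    sys.exit(1 if result else 0)
```

The reader is injected rather than hard-wired so the same comparison logic can be exercised against a recorded snapshot without a Mac, and the non-zero exit status lets the check sit in a post-update job that fails loudly when a setting has been reset or removed.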