Re: [Fed-Talk] Security Guides -> SCAP
- Subject: Re: [Fed-Talk] Security Guides -> SCAP
- From: "Rowe, Walter" <email@hidden>
- Date: Mon, 28 Jan 2013 14:27:28 -0500
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Security Guides -> SCAP
Perhaps part of the problem is that "committees" only write / agree / disagree with documents. There needs to be a consolidated laboratory where content and tools are actually produced, and in a timely manner. With appropriate resources (cough, cough), and corresponding vendor NDAs, this "laboratory" could work with vendors a priori to be ahead of the product releases or at least very soon after versus years after or not at all. I will use JAMF Casper Suite as an example. I know they participate in the Apple Developer program in some fashion. They have updates for OS X within days of official OS X releases. What they don't have is formal guidance on necessary controls for these OS X releases that would be required / recommended for use in the Civilian / Defense arenas. The point is that someone(s) have to evaluate these new releases, with the assistance of the vendors who know their own products, and generate the new control guidelines and the methods for implementing these controls. Even if the Government would pay someone like Mitre to staff such a laboratory and do this work that would be an improvement over today.
-- Walter Rowe, System Hosting Enterprise Systems / OISM 301-975-2885
On Jan 28, 2013, at 2:16 PM, Shawn Geddis <email@hidden> wrote:

On Jan 28, 2013, at 1:34 PM, "Rowe, Walter" <email@hidden> wrote:

Shawn,
That's a nice thought, but the SCAP content is no more up-to-date than the STIGs / CIS docs / etc. The latest OS X SCAP content is 10.6.8. The latest iOS SCAP content is 4.3.5. See the attached screenshot. How will the SCAP content be maintained in a more timely manner than the STIGs, etc? If that isn't answered, then the process is no better other than potentially providing tools to implement the controls versus writing our own scripts for Casper, for example.
Walter
Walter,
I can't fix every broken process by myself.... :-) If it takes a village to raise a child, it will take.... to fix the process.
• There are additional repositories held by various third parties.
• There are also some US Federal Agencies who apparently choose to not share that content outside of their building walls - not sure why.
In working with NSA, there was already iOS 5 guidance along with associated SCAP Content that will be submitted to the SCAP-On-Apple project.
I guess I will reiterate my previous closing question: Are you going to take the role of a Player or remain a Monday Morning Quarterback?
- Shawn
________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division
Fed-talk mailing list (email@hidden)