Re: [Fed-Talk] Encryption (UNCLASSIFIED)
- Subject: Re: [Fed-Talk] Encryption (UNCLASSIFIED)
- From: "Porter, Michael A ERDC-RDE-ITL-MS Contractor" <email@hidden>
- Date: Thu, 25 Feb 2016 16:10:04 +0000
- Thread-topic: [Fed-Talk] Encryption (UNCLASSIFIED)
Classification: UNCLASSIFIED
Caveats: NONE
I'm not knowledgeable about any extra requirements the VA may have, but we use FileVault 2 here and it is the recommended solution for data-at-rest requirements in the DoD STIGs. Below is one of the checks from the OS X 10.10 workstation STIG provided by DISA:
http://iase.disa.mil/stigs/os/mac/Pages/index.aspx
Rule Title: The operating system must protect the confidentiality and integrity of all information at rest.
STIG ID: AOSX-10-000780 Rule ID: SV-74121r1_rule Vuln ID: V-59691
Severity: CAT II Class: Unclass
Discussion:
FileVault Disk Encryption must be enabled. By encrypting the system hard drive, the confidentiality and integrity of any data stored on the system are ensured.
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be either lost or stolen, and the contents of their data storage (e.g., hard drives and non-volatile memory) can be read, copied, or altered. FileVault Disk Encryption mitigates this risk.
Documentable: No
Check Content:
To check if FileVault 2 is enabled, run the following command:
sudo fdesetup status
If FileVault is 'Off' and the device is a laptop, this is a finding.
Fix Text:
Open System Preferences >> Security and Privacy, and navigate to the FileVault tab. Use this panel to configure full-disk encryption.
Alternately, from the command line, run the following command to enable FileVault:
sudo fdesetup enable
After FileVault is initially set up, additional users can be added.
CCI: CCI-001199
NIST SP 800-53 :: SC-28
NIST SP 800-53A :: SC-28.1
NIST SP 800-53 Revision 4 :: SC-28
Respectfully,
Andy
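The STIG check and fix quoted above are a short manual procedure: run `fdesetup status`, and treat "Off" on a laptop as a finding. The script below is an added example that turns that procedure into a repeatable compliance check; it is not DISA's, Apple's or the list poster's code. It assumes the two documented `fdesetup status` output lines ("FileVault is On." / "FileVault is Off.") and, as a way of answering the STIG's "is the device a laptop" condition, that Apple laptop model identifiers from `sysctl -n hw.model` contain "Book" (MacBook, MacBookAir, MacBookPro); anything else is reported for manual review rather than guessed. The live check only runs when `fdesetup` is present, so the parsing functions can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Added example: scripted version of STIG AOSX-10-000780 (FileVault 2 enabled).
# Not DISA's or Apple's code. Assumptions: fdesetup prints "FileVault is On." or
# "FileVault is Off."; Apple laptop model identifiers contain "Book".

# Classify the text printed by `fdesetup status` as on / off / unknown.
# Extra lines such as "Encryption in progress: Percent completed = 42."
# still count as "on", matching the STIG, which only flags "Off".
fv_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Decide whether a hardware model identifier (e.g. MacBookPro11,1 from
# `sysctl -n hw.model`) is a laptop. Assumption: laptops carry "Book".
is_laptop() {
    case "$1" in
        *Book*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Apply the STIG rule: a finding only when FileVault is Off AND the device
# is a laptop. Unparseable status output is sent to manual review instead
# of being silently passed.
stig_result() {
    state=$(fv_state "$1")
    if [ "$state" = unknown ]; then
        echo "manual review"
    elif [ "$state" = off ] && is_laptop "$2"; then
        echo "finding"
    else
        echo "not a finding"
    fi
}

# Live check against the running machine. Exit 1 on a finding, 2 when the
# tooling is absent (i.e. not OS X), 0 otherwise.
run_live_check() {
    if ! command -v fdesetup >/dev/null 2>&1; then
        echo "fdesetup not found; this check only applies to OS X" >&2
        return 2
    fi
    status_text=$(sudo fdesetup status 2>&1)
    model=$(sysctl -n hw.model 2>/dev/null)
    result=$(stig_result "$status_text" "$model")
    echo "AOSX-10-000780: $result (model=$model; $status_text)"
    [ "$result" = "finding" ] && return 1
    return 0
}

# Only touch the live system when the OS X tool exists; elsewhere the
# functions above are still available for offline use or testing.
if command -v fdesetup >/dev/null 2>&1; then
    run_live_check
fi
```

Run it with `sh stig_filevault.sh` on the Mac being assessed; a non-zero exit is a finding, which makes it easy to drop into a fleet-wide scan. The STIG's fix (`sudo fdesetup enable`) is deliberately not automated here, since enabling FileVault prompts for a user password and generates a recovery key that must be escrowed before the check is re-run.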
-----Original Message-----
From: fed-talk-bounces+michael.a.porter=email@hidden [mailto:fed-talk-bounces+michael.a.porter=email@hidden] On Behalf Of Alan Lesse
Sent: Thursday, February 25, 2016 9:51 AM
To: Fed Talk
Subject: [Fed-Talk] Encryption
I work at a VA Hospital and we have a grant to do some large data analysis and wanted to put some Macs on our network. Despite the fact that Yosemite has been approved (with constraints) on the most recent One-VA Technical Reference Model v16.2 (1/4/2016), and the CoreCrypto module is FIPS 140-2 certified (El Capitan is One TRM approved but the CryptoModule is still waiting I believe), I am told that since File Vault is not on the approved list of encryption programs, the laptop must be encrypted with an approved third party product.
My logic is that if the module and the OS are certified and File Vault is part of the OS, the program does not have to appear on the list to use it. Sticky notes, Calculator, and Paint are all part of the Windows environment that do not appear on lists of approved programs, but we are allowed to use those applications. I do realize that disk encryption should have a higher level of security than desktop apps, but I don't understand why FileVault is not recognized if it's part of the OS. I am told that I can request use at TRM.
Has anyone been able to use a Mac in the VA or other Federal environment with File Vault? My experience with third party disk encryption programs has not been stellar.
Alan Lesse
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden