This week DISA released an update to their RHEL7 STIG content, incrementing their release from V1R1 to V1R2. This update was unexpected; updates were not coordinated with DoD, NSA, NIST, or Red Hat — so what exactly changed?
There was recently a great post on Red Hat’s gov-sec mailing list that asked about random number generation inside virtual machines, what constitutes “weak cryptography,” how to increase performance, and generally make things better while staying inside Federal guidelines. Lets take this opportunity to trace through RHEL’s FIPS certifications to make a risk decision on what tools+techniques […]
Placing information systems on government networks requires system owners to follow the NIST Risk Management framework, or an agency-specific tailored variant of it. Following this framework requires extensive documentation — even the government provided “Guide for Applying the Risk Management Framework to Federal Information Systems” is 102 pages long! The OpenControl project was created to […]
Earlier today (Fri 3-FEB-2017), SPAWAR released a beta edition of their SCAP Compliance Checker 4.2 Beta 1, also known as SPAWAR SCC. Their tool works across multiple operating systems and their latest release “adds NIST 800-53 mappings to reports when CCE/CCI references are included in the content.” The inclusion of NIST and CCE metadata is extremely helpful […]
Initial guidance on configuring RHEL7 against NIST 800-171/CUI has been developed. Below is a short(ish) background on NIST 800-171/Controlled Unclassified Information, sample security compliance guides and reports, and how you can give feedback (or participate!) on this work.
The Defense in Depth Workshop has brings Red Hat Security Engineering leads to McLean, VA for a day of collaboration and networking. It’s a chance for you to learn about the latest developments (upstream and enterprise) directly from the developers, and for Red Hat engineering to hear directly from you and better understand the challenges you’re […]
Over the past 1-2 years we’ve been working across Public Sector to open source security baselines used within our defense, intelligence, and civilian communities. These baselines ultimately end up shipping natively in RHEL (and it’s derivatives, such as CentOS), which greatly reduces the time it takes to get Red Hat-based systems accredited on government networks. Today […]
In 2013, a few Red Hatters wanted to host a security-focused technology day. After running the idea past our DoD/IC/Civilian communities, we hosted the first “Defense in Depth” day in June 2013. Over 2 years, Defense in Depth has become the largest technical event of Red Hat Public Sector — second to the Red […]