This week DISA released an update to their RHEL7 STIG content, incrementing their release from V1R1 to V1R2. This update was unexpected; updates were not coordinated with DoD, NSA, NIST, or Red Hat — so what exactly changed?
There was recently a great post on Red Hat’s gov-sec mailing list that asked about random number generation inside virtual machines, what constitutes “weak cryptography,” how to increase performance, and generally make things better while staying inside Federal guidelines. Lets take this opportunity to trace through RHEL’s FIPS certifications to make a risk decision on what tools+techniques […]
Placing information systems on government networks requires system owners to follow the NIST Risk Management framework, or an agency-specific tailored variant of it. Following this framework requires extensive documentation — even the government provided “Guide for Applying the Risk Management Framework to Federal Information Systems” is 102 pages long! The OpenControl project was created to […]
Earlier today (Fri 3-FEB-2017), SPAWAR released a beta edition of their SCAP Compliance Checker 4.2 Beta 1, also known as SPAWAR SCC. Their tool works across multiple operating systems and their latest release “adds NIST 800-53 mappings to reports when CCE/CCI references are included in the content.” The inclusion of NIST and CCE metadata is extremely helpful […]
Initial guidance on configuring RHEL7 against NIST 800-171/CUI has been developed. Below is a short(ish) background on NIST 800-171/Controlled Unclassified Information, sample security compliance guides and reports, and how you can give feedback (or participate!) on this work.