Author name: Bruce

I have been doing IT and Cybersecurity, specifically GRC, for 20 years. I want to help people get into this field.

Uncategorized

DIACAP vs DoD RMF for IT vs NIST RMF

There are differences between the old DIACAP (being phased out), DoD RMF for IT and NIST RMF. What is “DIACAP”? It stands for Department of Defense Information Assurance Certification & Accreditation Process, and it is based on the old DoDI 8510.01 and DoD 8500 documents. The process was designed to make absolutely sure federal systems have security on them. With the constant, exponential evolution of information technology, this process has had to change to keep up with the times. DIACAP is being replaced with the DoD Risk Management Framework for Information Technology (DoD RMF for IT). This process is more granular and more detailed, runs more frequently, and covers many new technologies that were not covered by DIACAP. DoD RMF for IT is actually based fundamentally on NIST SP 800-37, Risk Management Framework.


STIG Update – DISA has released the following IAVM packages

DISA has released the following IAVM packages: http://iase.disa.mil/stigs/Pages/iavm.aspx

AIX 6.1 Ver 1, Rel 21
Apple OS 10.10 Workstation Ver 1, Rel 10
Apple OS 10.8 Workstation Ver 1, Rel 14
Apple OS 10.9 Workstation Ver 1, Rel 11
BlackBerry 10 OS Ver 1, Rel 12
Cisco IOS Ver 1, Rel 12
HP-UX 11.31 Ver 1, Rel 21
MAC OS X 10.6 Ver 1, Rel 21
Oracle Linux 5 Ver 1, Rel 14
Oracle Linux 6 Ver 1, Rel 14
RHEL 5 Ver 1, Rel 21
RHEL 6 Ver 1, Rel 19
Solaris 10 SPARC Ver 1, Rel 21
Solaris 10 x86 Ver 1, Rel 21
Solaris 11 SPARC Ver 1, Rel 14
Solaris 11 x86 Ver 1, Rel 14
Windows 7 Ver 1, Rel 19
Windows 8 and 8-1 Ver 1, Rel 19
Windows 2008 R2 Ver 1, Rel 19
Windows 2008 Ver 1, Rel 19
Windows 10 Ver 1, Rel 5
Windows 2012 and 2012 R2 Ver 1, Rel 17
Windows Vista Ver 1, Rel 19

For all STIG related questions, please contact the DISA STIG Customer Support Desk: disa.stig_spt@mail.mil


Risk Management Framework NIST 800-37 Step 2: Select security controls intro

This is a quick introduction to Step 2 of the Risk Management Framework NIST 800-37 process. Step 2 involves selection of NIST Special Publication 800-53 security controls. There are (3) main tasks that you must do in this step:

1) Select the applicable baseline controls. Selection of baseline controls is based on system categorization.

2) Tailor the Security Controls to the system. Not all security controls can be used, because some may break your system, and in some cases they are simply not applicable. There are also Common Controls, Hybrid controls, and system-specific controls.

3) Document the Security Controls. You must document the selected security controls in a system security plan and have the security controls reviewed.


Risk Management Framework NIST 800 Step 1 Categorization

This is an introduction to Step 1, Categorization, of the NIST SP 800-37 Risk Management Framework process. Categorization consists of three primary steps:

1) Determine the Security Categorization of the information system. This is done by breaking down the primary information types on the system. You can get great guidance on this from FIPS 199 and NIST SP 800-60 (Volumes I-II).

2) Create a System Description. This is really the first step to creating a System Security Plan, and it leads to registering the system.

3) Register the system. This means that you need to advertise the system to all the stakeholders of the system in the organization. Organizations usually have a method of doing this with a database that can be seen by upper-level management.
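The Step 1 categorization above and the Step 2 baseline selection and tailoring described in the earlier post fit together as one small workflow. The following is an added example, not code from this site or from NIST: it applies the FIPS 199 high-water-mark rule to a constructed set of information types, selects a baseline from that result, and records tailoring decisions (common, hybrid, system-specific, or not applicable with a justification) the way they would be captured in a system security plan. The impact levels and the high-water-mark rule come from FIPS 199; the control-to-baseline table, the information types and the justification strings are constructed sample data, not the real SP 800-53 baselines.

```python
"""Added example: FIPS 199 categorization -> SP 800-53 baseline -> tailoring.

Not the site's code. Control-to-baseline mapping below is a constructed
sample for illustration; consult SP 800-53 / 800-53B for real baselines.
"""
from dataclasses import dataclass

# FIPS 199 potential impact levels, ordered for high-water-mark comparison.
IMPACT_ORDER = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample information types (levels are illustrative only).
SAMPLE_INFO_TYPES = {
    "personnel records": {"confidentiality": "moderate",
                          "integrity": "moderate", "availability": "low"},
    "public web content": {"confidentiality": "low",
                           "integrity": "moderate", "availability": "low"},
}

# Constructed sample: control id -> lowest baseline that includes it.
SAMPLE_BASELINE_FLOOR = {
    "AC-2": "LOW", "AU-2": "LOW", "PE-3": "LOW", "AC-17": "LOW",
    "SC-8": "MODERATE", "AC-2(1)": "MODERATE",
    "AC-2(11)": "HIGH",
}


def categorize(information_types):
    """FIPS 199 high-water mark: for each security objective take the highest
    impact across all information types; the system categorization is the
    highest of the three objectives. Returns (per_objective, overall)."""
    per_objective = {}
    for obj in OBJECTIVES:
        levels = [t[obj].upper() for t in information_types.values()]
        per_objective[obj] = max(levels, key=IMPACT_ORDER.__getitem__)
    overall = max(per_objective.values(), key=IMPACT_ORDER.__getitem__)
    return per_objective, overall


def select_baseline(overall_level):
    """Step 2, task 1: select every control whose baseline floor is at or
    below the system categorization (a MODERATE system gets LOW + MODERATE)."""
    rank = IMPACT_ORDER[overall_level]
    return sorted(cid for cid, floor in SAMPLE_BASELINE_FLOOR.items()
                  if IMPACT_ORDER[floor] <= rank)


@dataclass
class TailoredControl:
    control_id: str
    implementation: str          # "common", "hybrid" or "system-specific"
    applicable: bool = True
    justification: str = ""      # required when a control is tailored out


def tailor(baseline, inherited, not_applicable):
    """Step 2, task 2: record inherited (common/hybrid) controls, tailor out
    controls marked not applicable, and reject any tailoring-out decision
    that has no written justification (the SSP must document it)."""
    plan = []
    for cid in baseline:
        if cid in not_applicable:
            reason = not_applicable[cid]
            if not reason:
                raise ValueError(f"{cid}: tailoring out needs a justification")
            plan.append(TailoredControl(cid, "system-specific", False, reason))
        elif cid in inherited:
            plan.append(TailoredControl(cid, inherited[cid]))
        else:
            plan.append(TailoredControl(cid, "system-specific"))
    return plan


def build_plan(information_types, inherited, not_applicable):
    """Run Step 1 and Step 2 end to end and return the SSP-style record."""
    per_objective, overall = categorize(information_types)
    controls = tailor(select_baseline(overall), inherited, not_applicable)
    return {"categorization": per_objective, "overall": overall,
            "controls": controls}


if __name__ == "__main__":
    plan = build_plan(
        SAMPLE_INFO_TYPES,
        inherited={"PE-3": "common", "AU-2": "hybrid"},      # constructed
        not_applicable={"AC-17": "constructed: no remote access exists"},
    )
    print(plan["categorization"], plan["overall"])
    for c in plan["controls"]:
        print(c)
```

With the sample data the high-water mark yields MODERATE confidentiality, MODERATE integrity and LOW availability, so the system is categorized MODERATE and inherits both the LOW and MODERATE sample controls; the check in `tailor` is there because a control removed without a documented reason is exactly what an assessor will flag in the plan review.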


STIG Update – Microsoft Windows 10 STIG, V1R4

DISA has updated the Microsoft Windows 10 STIG Version 1 Release 4. The requirements of the STIG become effective immediately. The STIG is available on IASE at http://iase.disa.mil/stigs/os/windows/Pages/win10.aspx. For all STIG related questions, please contact the DISA STIG Customer Support Desk: disa.stig_spt@mail.mil


STIG Update – DISA has released the LG Android 6.x STIG Version 1

DISA has released the LG Android 6.x STIG Version 1. The requirements of the STIG become effective immediately. The STIG is available on IASE at http://iase.disa.mil/stigs/mobility/Pages/smartphone.aspx, under the LG section. For all STIG related questions, please contact the DISA STIG Customer Support Desk: disa.stig_spt@mail.mil


STIG Update – DISA has developed the following documents related to Infoblox 7.x Domain Name System (DNS) STIG Version 1

DISA has developed the following documents related to Infoblox 7.x Domain Name System (DNS) STIG Version 1. This STIG is available on the NIPRNET at http://iase.disa.mil/stigs/net_perimeter/network-other/Pages/index.aspx. For all STIG related questions, please contact the DISA STIG Customer Support Desk: disa.stig_spt@mail.mil


STIG Update – DISA has released the Blackberry BES 12.3.x STIG Version 1

DISA has released the Blackberry BES 12.3.x STIG Version 1. The requirements of the STIG become effective immediately. The STIG is available on IASE at http://iase.disa.mil/stigs/mobility/Pages/smartphone.aspx, under the Mobile Device Management section. For all STIG related questions, please contact the DISA STIG Customer Support Desk: disa.stig_spt@mail.mil


STIG Update – Apple OS X 10.11 STIG, V1R1

DISA has released the Apple OS X 10.11 STIG Version 1. The requirements of the STIG become effective immediately. The STIG is available on IASE at http://iase.disa.mil/stigs/os/mac/Pages/mac-os.aspx. For all STIG related questions, please contact the DISA STIG Customer Support Desk: disa.stig_spt@mail.mil


What is Risk Management Framework NIST 800 37

Risk Management is being aware of, and taking actions to prepare for, probable unfavorable outcomes. The Risk Management Framework is a process to implement risk management in an organization. There are (6) steps to the RMF:

1. Categorize
2. Select
3. Implement
4. Assess
5. Authorize
6. Continuous Monitoring

More on the Risk Management Framework steps here: http://diarmfs.com/risk-management-framework-steps/
