Author name: Bruce

I have been doing IT and Cybersecurity, specifically GRC, for 20 years. I want to help people get into this field.


Security Guidance, Security Readiness Review Scripts and Benchmarks

DISA has released the following updated Security Guidance, Security Readiness Review Scripts and Benchmarks:

Unclassified SRGs: http://iase.disa.mil/stigs/srgs/Pages/index.aspx
• Application Server SRG Ver 2, Rel 2
• Domain Name System (DNS) SRG Ver 2, Rel 4
• Network Device Management SRG Ver 2, Rel 3
• Router SRG Ver 2, Rel 2
• Web Server SRG Ver 2, Rel 2

Unclassified Application STIGs/SRGs: http://iase.disa.mil/stigs/app-security/Pages/index.aspx
• Access 2007 STIG Ver 4, Rel 12
• Apache 2.2 UNIX STIG Ver 1, Rel 8
• Apache 2.2 Windows STIG Ver 1, Rel 8
• Email Services Policy STIG Ver 2, Rel 6
• Excel 2007 STIG Ver 4, Rel 12
• Exchange 2010 Edge STIG Ver 1, Rel 10
• Exchange 2010 Hub STIG Ver 1, Rel 10
• Google Chrome Browser STIG for Windows Ver 1, Rel 3
• IIS 7 STIG Ver 1, Rel 9
• InfoPath 2007 STIG Ver 4, Rel 12
• Internet Explorer 10 STIG Ver 1, Rel 11
• McAfee Virus Scan 8.8 Local Client STIG Ver 5, Rel 7
• McAfee Virus Scan 8.8 Managed Client STIG Ver 5, Rel 8
• Microsoft SharePoint 2010 STIG Ver 1, Rel 7
• Microsoft SharePoint 2013 STIG Ver 1, Rel 2
• Mozilla Firefox STIG Ver 4, Rel 13
• Office 2010 Overview Ver 1, Rel 12
• Office System 2007 STIG Ver 4, Rel 14
• Oracle 11.2g Database STIG Ver 1, Rel 5
• Oracle Database 11g Database STIG Ver 8, Rel 15
• Outlook 2007 STIG Ver 4, Rel 15
• Outlook 2010 STIG Ver 1, Rel 11
• Outlook 2013 STIG Ver 1, Rel 5
• PowerPoint 2007 STIG Ver 4, Rel 14
• SQL Server 2012 STIG Ver 1, Rel 8
• Word 2007 STIG Ver 4, Rel 14

Unclassified Network STIGs: http://iase.disa.mil/stigs/net_perimeter/Pages/index.aspx
• Bind DNS STIG Ver 4, Rel 1.19
• Defense Switched Network (DSN) STIG Ver 2, Rel 7
• Enclave Test and Development STIG Ver 1, Rel 2
• F5 BIG-IP Device Management 11.x STIG Ver 1, Rel 2
• IPSEC VPN Gateway STIG Ver 1, Rel 10
• MultiFunction Device and Network Printers STIG Ver 2, Rel 7
• Network Firewall STIG Ver 8, Rel 19
• Network Infrastructure Router L3 Switch STIG Ver 8, Rel 19
• Network L2 Switch STIG Ver 8, Rel 19
• Network Other Devices STIG Ver 8, Rel 19
• Network Perimeter Router L3 Switch STIG Ver 8, Rel 21
• Network WLAN STIG Ver 6, Rel 10
• Remote Access Policy STIG Ver 2, Rel 10
• Voice and Video over Internet Protocol (VVoIP) Policy STIG Ver 3, Rel 7
• Voice and Video over Internet Protocol (VVoIP) STIG Ver 3, Rel 7
• Windows Server 2012 DNS STIG Ver 1, Rel 2

Unclassified Mobility STIGs: http://iase.disa.mil/stigs/mobility/Pages/index.aspx
• BlackBerry Enterprise Service 10.2.x BlackBerry Device Service STIG Ver 1, Rel 4
• BlackBerry OS 7 STIG Ver 2, Rel 9

Unclassified Operating System STIGs: http://iase.disa.mil/stigs/os/Pages/index.aspx
• Apple OS X 10.10 Workstation STIG Ver 1, Rel 2
• AIX 6.1 STIG Ver 1, Rel 5
• ESXi5 Server Ver 1, Rel 8
• HP-UX 11.23 Manual STIG Ver 1, Rel 7
• HP-UX 11.31 Manual STIG Ver 1, Rel 8
• Oracle Linux 5 Manual STIG Ver 1, Rel 4
• Oracle Linux 6 Manual STIG Ver 1, Rel 4
• Red Hat 5 Manual STIG Ver 1, Rel 12
• Red Hat 6 STIG Ver 1, Rel 9
• Solaris 10 SPARC Manual STIG Ver 1, Rel 12
• Solaris 10 x86 Manual STIG Ver 1, Rel 12
• Solaris 11 SPARC Manual STIG Ver 1, Rel 5
• Solaris 11 x86 Manual STIG Ver 1, Rel 5
• Windows 2008 DC STIG Ver 6, Rel 31
• Windows 2008 MS STIG Ver 6, Rel 31
• Windows 2008 R2 DC STIG Ver 1, Rel 17
• Windows 2008 R2 MS STIG Ver 1, Rel 17
• Windows 2012 and 2012 DC STIG Ver 2, Rel 3
• Windows 2012 and 2012 MS STIG Ver 2, Rel 3
• Windows Vista STIG Ver 6, Rel 38
• Windows 7 STIG Ver 1, Rel 21
• Windows 8/8.1 STIG Ver 1, Rel 11
• zOS ACF2 STIG Ver 6, Rel 25
• zOS RACF STIG Ver 6, Rel 25
• zOS TSS STIG Ver 6, Rel 25

FOUO HBSS: http://iase.disa.mil/stigs/hbss/Pages/index.aspx (NOTE: DoD PKI Certificate Required)
• HBSS Agent Handler STIG Ver 1, Rel 6
• HBSS Asset Baseline Monitor STIG Ver 4, Rel 8
• HBSS ePO 4.5 Rollup STIG Ver 4, Rel 12
• HBSS ePO 4.5 Site STIG Ver 4, Rel 14
• HBSS ePO 4.6 STIG Ver 4, Rel 15
• HBSS ePO 5.1 STIG Ver 1, Rel 6
• HBSS HIP 8 Firewall STIG Ver 1, Rel 5
• HBSS HIP 8 STIG Ver 4, Rel 13
• HBSS Remote Console STIG Ver 4, Rel 11
• McAfee MOVE STIG Overview Ver 1, Rel 1
• McAfee MOVE Agentless 3.0 SVA STIG Ver 1, Rel 2
• McAfee MOVE Agentless 3.0 VSEL for SVA STIG Ver 1, Rel 2
• McAfee MOVE Multi-Platform 2.6 Client STIG Ver 1, Rel 3
• McAfee MOVE Multi-Platform 2.6 OSS STIG Ver 1, Rel 3

FOUO Network Perimeter: http://iase.disa.mil/stigs/net_perimeter/Pages/index.aspx (NOTE: DoD PKI Certificate Required)
• DoD Secure Telecommunications and DRSN STIG Ver 1, Rel 6
• REL LAN STIG Ver 1, Rel 8

Benchmarks: http://iase.disa.mil/stigs/scap/Pages/index.aspx
• AIX 6.1 STIG Benchmark Ver 1, Rel 5
• HP-UX 11.23 STIG Benchmark Ver 1, Rel 8
• HP-UX 11.31 STIG Benchmark Ver 1, Rel 9
• Internet Explorer 10 STIG Benchmark Ver 1, Rel 6
• Microsoft .NET Framework 4 STIG Benchmark Ver 1, Rel 3
• Outlook 2010 STIG Benchmark Ver 1, Rel 2
• Red Hat 5 STIG Benchmark Ver 1, Rel 13
• Red Hat 6 STIG Benchmark Ver 1, Rel 9
• Solaris 10 SPARC STIG Benchmark Ver 1, Rel 12
• Solaris 10 x86 STIG Benchmark Ver 1, Rel 12
• Solaris 9 SPARC STIG Benchmark Ver 1, Rel 12
• Windows 2008 DC STIG Benchmark Ver 6, Rel 33
• Windows 2008 MS STIG Benchmark Ver 6, Rel 33
• Windows 2008 R2 DC STIG Benchmark Ver 1, Rel 19
• Windows 2008 R2 MS STIG Benchmark Ver 1, Rel 19
• Windows 2012 and 2012 R2 DC STIG Benchmark Ver 2, Rel 3
• Windows 2012 and 2012 R2 MS STIG Benchmark Ver 2, Rel 3
• Windows 7 STIG Benchmark Ver 1, Rel 27
• Windows 8/8.1 Benchmark Ver 1, Rel 12
• Windows Vista Benchmark Ver 6, Rel 41

STIGs no longer supported:


Oracle 12c Database STIG Version 1

DISA has released the Oracle 12c Database STIG Version 1.  The requirements of this STIG become effective immediately.  The STIG is available on IASE at: http://iase.disa.mil/stigs/app-security/database/Pages/oracle.aspx.


DISA Draft Authentication Brokerage Services STIG, Version 1

DISA has developed the Draft Authentication Brokerage Services STIG, Version 1. The Draft STIG is available at http://iase.disa.mil/stigs/app-security/app-servers/Pages/idam.aspx for review and comment. Please provide comments, recommended changes, and/or additions to the draft STIG by 9 November 2015 on the Comment Matrix spreadsheet, and send comments via NIPRNet email to: disa.stig_spt@mail.mil. Include the title and version of the STIG in the subject line of your email.


DISA has released the following IAVM packages

DISA has released the following IAVM packages: http://iase.disa.mil/stigs/Pages/iavm.aspx
• AIX 6.1 Ver 1, Rel 14
• Apple OS 10.10 Workstation Ver 1, Rel 3
• Apple OS 10.8 Workstation Ver 1, Rel 7
• Apple OS X 10.9 Workstation Ver 1, Rel 4
• BlackBerry 10 OS Ver 1, Rel 5
• Cisco IOS Ver 1, Rel 6
• HP-UX 11.23 Ver 1, Rel 14
• HP-UX 11.31 Ver 1, Rel 14
• MAC OS X 10.6 Ver 1, Rel 14
• Oracle Linux 5 Ver 1, Rel 7
• Oracle Linux 6 Ver 1, Rel 7
• RHEL 5 Ver 1, Rel 14
• RHEL 6 Ver 1, Rel 12
• Solaris 10 SPARC Ver 1, Rel 14
• Solaris 10 x86 Ver 1, Rel 14
• Solaris 11 SPARC Ver 1, Rel 7
• Solaris 11 x86 Ver 1, Rel 7
• Solaris 9 SPARC Ver 1, Rel 14
• Solaris 9 x86 Ver 1, Rel 14
• Windows 2008 Ver 1, Rel 12
• Windows 2008 R2 Ver 1, Rel 12
• Windows 2012 and 2012 R2 Ver 1, Rel 10
• Windows 8 and 8.1 Ver 1, Rel 12
• Windows Vista Ver 1, Rel 12


Draft Microsoft Windows 10 Security Technical Implementation Guide (STIG)

The Defense Information Systems Agency Risk Management Executive office has released the draft Windows 10 STIG Version 1. Please provide comments, recommended changes, and/or additions to the draft STIG by 23 October 2015 on the Comment Matrix spreadsheet. The draft STIG and spreadsheet are available at: http://iase.disa.mil/stigs/os/windows/Pages/win10.aspx.


DoDD Cyberspace Workforce Management 11 Aug 2015

The Department of Defense finally released the Directive for Cyberspace Workforce Management on 11 Aug 2015. This means that the DoDI (instruction) is not far behind. The instruction will be more in the weeds; it is where the “magic happens”. Directives are very high-level policy that gives instructions their authority to exist.

Cyberspace Workforce Management - http://www.dtic.mil/whs/directives/corres/pdf/814001_2015_dodd.pdf

The Cyberspace Workforce Management directive does the following:
• Reissues and renumbers DoD Directive (DoDD) 8570.01 (Reference (a)) to update and expand established policies and assigned responsibilities for managing the DoD cyberspace workforce.
• Authorizes establishment of a DoD cyberspace workforce management council to ensure that the requirements of this directive are met.
• Unifies the overall cyberspace workforce and establishes specific workforce elements (cyberspace effects, cybersecurity, and cyberspace information technology (IT)) to align, manage and standardize cyberspace work roles, baseline qualifications, and training requirements.

Cyberspace Workforce Management applies to:
• Office of the Secretary of Defense (OSD)
• Military Departments (Army, Navy, Air Force, Marines)
• Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff
• Combatant Commands
• Office of the Inspector General of the Department of Defense (IG DoD)
• Defense Agencies
• Field Activities
• DoD Components

DoD policy does the following:
• Maintains a total force management perspective to provide qualified cyberspace government civilian and military personnel to identified and authorized positions, augmented where appropriate by contracted services support. These personnel function as an integrated workforce with complementary skill sets to provide an agile, flexible response to DoD requirements.
• [Make sure] the appropriate mix of military and government civilian positions and contracted support designated to perform cyberspace work roles is determined in accordance with DoD Instruction (DoDI) 1100.22 (Reference (b)).
• Civilian, military, and contracted support personnel assigned to perform cyberspace work roles must meet qualification standards established in supporting issuances, in addition to other existing workforce qualification and training requirements assigned to billets and position requirements (e.g., acquisition, intelligence, communications).
• DoD Component compliance with this directive is monitored via authoritative manpower and personnel systems as an element of mission readiness and as a management review item.
• Nothing in this directive replaces or infringes the responsibilities, functions, or authorities of the DoD Component heads or other OSD officials as prescribed by law or Executive order, assigned in chartering DoDDs, or detailed in other DoD policy issuances or, as applicable, in Director of National Intelligence policy issuances.
• All authorized users of DoD IT receive initial cybersecurity and information assurance awareness orientation as a condition of access, and thereafter must complete annual cybersecurity and information assurance refresher awareness.


Draft Red Hat JBoss Enterprise Application Platform 6.3 (EAP) Security Technical Implementation Guide (STIG) Version 1

DoD has developed the Draft Red Hat JBoss Enterprise Application Platform 6.3 (EAP) Security Technical Implementation Guide (STIG) Version 1. This STIG is available on the NIPRNet at http://iase.disa.mil/stigs/app-security/app-servers/Pages/JBoss.aspx for review and comment. Please provide comments, recommended changes, and/or additions to the draft STIG by 28 August 2015 on the Comment Matrix spreadsheet. Comments should be sent via NIPRNet email to: disa.stig_spt@mail.mil with the title and version of the STIG in the subject line.


Best Practices Guide for Department of Defense Cloud Mission Owners

DISA has released the “Best Practices Guide for Department of Defense Cloud Mission Owners”, which is available at http://iase.disa.mil/cloud_security/Pages/index.aspx. This site provides a knowledge base for cloud computing security processes and cloud service provider (CSP) security requirements.

DISA has developed the following DRAFT documents related to Cloud Computing Security and the use/integration of Cloud Computing in DoD, which are available for community review and feedback/comments:
• Draft Cloud Computing Security Requirements Guide (SRG), Version 1 Release 2
• Draft Cloud Access Point (CAP) Functional Requirements Document (FRD) V2.2
• Draft Concept of Operations (CONOPS) for Cloud Computer Network Defense (CND) v1

The Draft documents and a Comment Matrix for each (in a .zip file) are available below. Please provide comments by COB 22 August 2015 on the Comment Matrix associated with each document, via one unclassified email for each comment matrix, to: disa.letterkenny.re.mbx.stig-info@mail.mil

Please Note: It is critical that each comment matrix is returned in a separate email with the subject line stating “[Your organization] Comments for [document title]” so the comment matrices can be distributed to the appropriate team for each document and the source easily identified.


DISA Draft Voice Video Session Management

The Defense Information Systems Agency has developed the Draft Voice Video Session Management Security Requirements Guide (SRG) Version 1. The Draft SRG is available at http://iase.disa.mil/stigs/net_perimeter/telecommunications/Pages/voip.aspx for review and comment. Please provide comments, recommended changes, and/or additions to the draft SRG by 12 August 2015 on the Comment Matrix spreadsheet located at the same page. Comments should be sent via NIPRNet email to: disa.stig_spt@mail.mil. Include the title and version of the SRG in the subject line of your email.
