Author name: Bruce

I have been doing IT and Cybersecurity, specifically GRC, for 20 years. I want to help people get into this field.

DISA Draft Palo Alto Networks STIG Version 1

Defense Information System Agency has released a draft for Palo Alto Networks Security Technical Implementation Guide Version 1. The Draft STIG is available at http://iase.disa.mil/stigs/net_perimeter/network-infrastructure/Pages/firewall.aspx for review and comment. Please provide comments, recommended changes, and/or additions to the draft STIG by 12 August 2015 on the Comment Matrix spreadsheet located at http://iase.disa.mil/stigs/net_perimeter/network-infrastructure/Pages/firewall.aspx. Comments should be sent via NIPRNet email to: disa.stig_spt@mail.mil. Include the title and version of the STIG in the subject line of your email.

DISA Draft Layer 2 Switch SRG Version 1

Defense Information Security Agency (DISA) released a Draft of Layer 2 Switch Security Requirements Guide (SRG) Version 1. The Draft SRG is available at http://iase.disa.mil/stigs/net_perimeter/network-infrastructure/Pages/routers-switches.aspx for review and comment. Please provide comments, recommended changes, and/or additions to the draft SRG by 12 August 2015 on the Comment Matrix spreadsheet located at http://iase.disa.mil/stigs/net_perimeter/network-infrastructure/Pages/routers-switches.aspx. Comments should be sent via NIPRNet email to: disa.stig_spt@mail.mil. Include the title and version of the SRG in the subject line of your email.

DISA Cloud Computing Documents released for comment

DISA has developed the following DRAFT documents related to Cloud Computing Security and the use/integration of Cloud Computing in DoD which are available for community review and feedback/comments:

- Draft Cloud Computing Security Requirements Guide (SRG), Version 1 Release 2
- Draft Cloud Access Point (CAP) Functional Requirements Document (FRD) V2.2
- Draft Concept of Operations (CONOPS) for Cloud Computer Network Defense (CND) v1

The Draft documents and a Comment Matrix for each (in a .zip file) are available at: http://iase.disa.mil/cloud_security/Pages/index.aspx.

Please provide comments by [DATE TBD 3 WEEKS after posting] on the Comment Matrix associated with each document via one unclassified email for each comment matrix to: disa.letterkenny.re.mbx.stig-info@mail.mil

Please Note: It is critical that each comment matrix is returned in a separate email with the subject line stating “[Your organization] Comments for [document title]” so we can distribute the comment matrices to the appropriate team for each document and easily identify the source.

DISA Google Search Appliance STIG Version 1

Defense Information Security Agency has released Google Search Appliance Security Technical Implementation Guide Version 1. The requirements of the STIG become effective immediately. The STIG is available on IASE at: http://iase.disa.mil/stigs/app-security/Google-Search/Pages/index.aspx

Updated Security Guidance, Security Readiness Review Scripts and Benchmarks

DISA has released the following updated Security Guidance, Security Readiness Review Scripts and Benchmarks:

Unclassified SRGs: http://iase.disa.mil/stigs/srgs/Pages/index.aspx

Unclassified Application STIGs: http://iase.disa.mil/stigs/app-security/Pages/index.aspx

- Apache 2.0 UNIX STIG Ver 1, Rel 4
- Apache 2.0 Windows STIG Ver 1, Rel 4
- Apache 2.2 UNIX STIG Ver 1, Rel 7
- Apache 2.2 Windows STIG Ver 1, Rel 7
- Email Services Policy STIG Ver 2, Rel 5
- Excel 2013 STIG Ver 1, Rel 4
- Exchange 2010 Overview Ver 1, Rel 5
- Exchange 2010 Client Access STIG Ver 1, Rel 7
- Exchange 2010 Edge STIG Ver 1, Rel 9
- Exchange 2010 Hub STIG Ver 1, Rel 9
- Exchange 2010 Mailbox STIG Ver 1, Rel 6
- IIS 7.0 STIG Ver 1, Rel 8
- InfoPath 2013 STIG Ver 1, Rel 3
- Internet Explorer 7 STIG Ver 1 Rel 19
- Internet Explorer 8 STIG Ver 1 Rel 19
- Internet Explorer 9 STIG Ver 1 Rel 14
- Internet Explorer 10 STIG Ver 4 Rel 10
- Internet Explorer 11 STIG Ver 1 Rel 6
- McAfee Virus Scan 8.8 Overview Ver 5, Rel 7
- McAfee Virus Scan 8.8 Local Client STIG Ver 5, Rel 6
- McAfee Virus Scan 8.8 Managed Client STIG Ver 5, Rel 7
- Mozilla Firefox STIG Ver 4, Rel 12
- Office 2007 Overview Ver 4, Rel 14
- Office 2010 Overview Ver 4, Rel 14
- Office 2013 Overview Ver 1, Rel 5
- Office System 2010 STIG Ver 1, Rel 9
- Office System 2013 STIG Ver 1, Rel 3
- Oracle 11.2g Database STIG Ver 1, Rel 4
- Oracle 11g Database STIG Ver 8, Rel 1.14
- Outlook 2007 STIG Ver 4, Rel 14
- Outlook 2013 STIG Ver 1, Rel 4
- Office System 2010 STIG Ver 1, Rel 9
- Publisher 2010 STIG Ver 1, Rel 9
- Publisher 2013 STIG Ver 1, Rel 3
- SQL Server 2012 STIG Ver 1 Rel 7
- Symantec Endpoint Protection 12.1 Local Client STIG Ver 1, Rel 3
- Symantec Endpoint Protection 12.1 Managed Client STIG Ver 1, Rel 4
- Symantec Endpoint Protection 12.1 Overview Ver 1, Rel 1

Cybersecurity Workforce Framework APP (part 1)

App now available on the app store.

We are working on an app that will allow quick navigation of the National Cybersecurity Workforce Framework version 2. It will be pretty simple for now.

Version 1.x features will include:

- All Categories mapped to Special Areas
- All KSA
- All TSA

In future versions we will include certifications that apply to each Special Area. I am waiting for DoDD 8140 because I think it will match up with National Cybersecurity Workforce Framework version 2.

DISA Security Guidance, Security Readiness Review Scripts and Benchmarks

DISA has released the following updated Security Guidance, Security Readiness Review Scripts and Benchmarks:

Unclassified Application STIGs/SRGs: http://iase.disa.mil/stigs/app-security/Pages/index.aspx

- Email Services Policy STIG Ver 2, Rel 5
- Exchange 2010 Client Access STIG Ver 1, Rel 7
- Exchange 2010 Edge STIG Ver 1, Rel 8
- Exchange 2010 Hub STIG Ver 1, Rel 8
- Exchange 2010 Mailbox STIG Ver 1, Rel 6
- Internet Explorer 7 STIG Ver 1 Rel 18
- Internet Explorer 8 STIG Ver 1 Rel 18
- Internet Explorer 9 STIG Ver 1 Rel 13
- Internet Explorer 10 STIG Ver 4 Rel 9
- Internet Explorer 11 STIG Ver 1 Rel 5
- McAfee Virus Scan 8.8 Local STIG Ver 5, Rel 5
- McAfee Virus Scan 8.8 Managed Client STIG Ver 5, Rel 6
- McAfee Virus Scan 8.8 Overview Ver 5, Rel 6
- Mozilla Firefox STIG Ver 4, Rel 11
- Oracle 11.2g Database STIG Ver 1, Rel 3
- Oracle 11g Database STIG Ver 8, Rel 1.13
- Outlook 2013 STIG Ver 1, Rel 3
- PowerPoint 2007 STIG Ver 4, Rel 13
- SQL Server 2012 STIG Ver 1 Rel 6
- Sun Ray 4 STIG Ver 1, Rel 2

Unclassified Network STIGs: http://iase.disa.mil/stigs/net_perimeter/Pages/index.aspx

- Apple OS X 10.8 STIG Ver 1, Rel 2
- BlackBerry 10.2x OS STIG Ver 1, Rel 5
- BlackBerry Enterprise Service 10.2.x BlackBerry Device Service STIG Ver 1, Rel 4
- MultiFunction Device and Network Printers STIG Ver 2, Rel 5
- Network Perimeter Router L3 Switch Ver 8, Rel 19
- Removable Storage and External Connections STIG Ver 1, Rel 3
- Samsung Android (with Knox 2.x) STIG Ver 1, Rel 2
- Video Tele-Conference Services Policy STIG Ver 1, Rel 6

Unclassified Operating System STIGs: http://iase.disa.mil/stigs/os/Pages/index.aspx

- Apple OS X 10.8 STIG Ver 1, Rel 2
- ESXi 5 Server STIG Ver 1, Rel 7
- ESXi5 Virtual Machine STIG Ver 1, Rel 4
- HP UX 11.23 Manual STIG Ver 1, Rel 5
- HP UX 11.31 Manual STIG Ver 1, Rel 6
- Oracle Linux 5 Manual STIG Ver 1, Rel 2
- Oracle Linux 6 Manual STIG Ver 1, Rel 2
- Red Hat 5 Manual STIG Ver 1 Rel 10
- Red Hat 6 STIG Ver 1 Rel 7
- Solaris 9 SPARC Manual STIG Ver 1 Rel 8
- Solaris 9 x86 Manual STIG Ver 1 Rel 8
- Solaris 10 x86 Manual STIG Ver 1 Rel 10
- Solaris 10 SPARC Manual STIG Ver 1 Rel 10
- Solaris 11 SPARC Manual STIG Ver 1, Rel 3
- Solaris 11 x86 Manual STIG Ver 1, Rel 3
- SUSE Linux Enterprise Server (SLES) v11 for System z STIG Ver 1 Rel 5
- Windows Operating Systems Overview Ver 1, Rel 2
- Windows 2003 DC STIG Ver 6, Rel 36
- Windows 2003 MS STIG Ver 6, Rel 36
- Windows 2008 DC STIG Ver 6, Rel 29
- Windows 2008 MS STIG Ver 6, Rel 29
- Windows 2008 R2 DC STIG Ver 1, Rel 15
- Windows 2008 R2 MS STIG Ver 1, Rel 15
- Windows Firewall and Advanced Security STIG Ver 1, Rel 2
- Windows Vista STIG Ver 6, Rel 36
- Windows 7 STIG Ver 1, Rel 19
- Windows 8/8.1 STIG Ver 1, Rel 9
- zOS ACF2 STIG Ver 6, Rel 23
- zOS RACF STIG Ver 6, Rel 23
- zOS TSS STIG Ver 6, Rel 23

For Your Situational Awareness: The Severity Level for the EMET Install requirement (V-39137), which is in the Windows STIGs, was increased from a CAT II to a CAT I per USCYBERCOM Task Order. EMET is a free tool from Microsoft, which allows the configuration of several security mechanisms at the system level and for applications, providing additional levels of protection.

FOUO HBSS: http://iase.disa.mil/stigs/hbss/Pages/index.aspx
NOTE: DoD PKI Certificate Required

- HBSS Overview Ver 4, Rel 16
- HBSS Agent Handler STIG Ver 1, Rel 4
- HBSS Asset Baseline Monitor STIG Ver 4, Rel 7
- HBSS ePO 4.5 Rollup STIG Ver 4, Rel 10
- HBSS ePO 4.5 Site STIG Ver 4, Rel 12
- HBSS ePO 4.6 STIG Ver 4, Rel 13
- HBSS ePO 5.1 STIG Ver 1, Rel 4
- HBSS HIP 8 STIG Ver 4, Rel 11
- HBSS HIP STIG Ver 4, Rel 8
- HBSS McAfee Agent STIG Ver 4, Rel 9
- HBSS Policy Auditor STIG Ver 4, Rel 7
- HBSS Rogue Sensor STIG Ver 4, Rel 8

Benchmarks: http://iase.disa.mil/stigs/scap/Pages/index.aspx

- HP-UX 11.23 STIG Benchmark Ver 1 Rel 6
- HP-UX 11.31 STIG Benchmark Ver 1 Rel 7
- Red Hat 5 STIG Benchmark Ver 1 Rel 11
- Red Hat 6 STIG Benchmark Ver 1 Rel 7
- Solaris 9 SPARC STIG Benchmark Ver 1 Rel 10
- Solaris 10 SPARC STIG Benchmark Ver 1 Rel 10
- Solaris 10 x86 STIG Benchmark Ver 1 Rel 10
- Windows 2003 DC STIG Benchmark Ver 6 Rel 1.39
- Windows 2003 MS STIG Benchmark Ver 6 Rel 1.39
- Windows 2008 DC STIG Benchmark Ver 6 Rel 1.31
- Windows 2008 MS STIG Benchmark Ver 6 Rel 1.31
- Windows 2008 R2 DC STIG Benchmark Ver 1 Rel 17
- Windows 2008 R2 MS STIG Benchmark Ver 1 Rel 17
- Windows 7 STIG Benchmark Ver 1 Rel 25
- Windows 8/8.1 STIG Benchmark Ver 1 Rel 10
- Windows Firewall STIG Benchmark Ver 1 Rel 2
- Windows Vista STIG Benchmark Ver 6 Rel 1.39

STIGs no longer supported: http://iase.disa.mil/stigs/sunset/Pages/index.aspx

- SQL Server 2005 Database STIG Ver 8, Rel 1.8

Joint Information Environment (JIE) Network Device Security Technical Implementation Guides (STIGs) Version 1

DoD Instruction 8500.01 tasks DISA “develops and maintains control correlation identifiers (CCIs), security requirements guides (SRGs), security technical implementation guides (STIGs), and mobile code risk categories and usage guides that implement and are consistent with DoD cybersecurity policies, standards, architectures, security controls, and validation procedures, with the support of the NSA/CSS, using input from stakeholders” and DoD Component heads “ensure that all DoD IT under their purview complies with applicable STIGs, security configuration guides, and SRGs.” In accordance with DoD Instruction 8500.01, the JIE Network Device STIGs are released for immediate use. These STIGs are available on http://iase.disa.mil.

USCYBERCOM, National Initiative for Cyberspace Education (NICE)

DoD is using National Initiative for Cyberspace Education (NICE) to point their cyber security professionals in the right direction for training resources. I wonder if this might hint at a DoDD 8140, Cyber Workforce, being in line with the National Initiative for Cyberspace Education (NICE) National Cybersecurity Workforce Framework.

DISA has gathered inputs from USCYBERCOM, National Initiative for Cyberspace Education (NICE) and other partners to provide a catalog of training resources that are categorized by Cybersecurity work roles. The identified training resources will help DoD employees fulfill their knowledge or skill gaps and move from entry to advanced levels of proficiency in their assigned work roles. To learn more, and to view the training resources, please visit the Cybersecurity Role-Based Training Portal: https://disa.deps.mil/ext/cop/iase/specialty_courses/ (DoD PKI Cert Required)
