Author name: Bruce

I have been doing IT and cybersecurity, specifically GRC, for 20 years. I want to help people get into this field.


SRG/STIG Applicability Guide and Collection Tool Update

DISA has released an update to the Security Requirements Guide (SRG) and Security Technical Implementation Guide (STIG) Applicability Guide and the Applicable SRG/STIG Collection Tool. The purpose of the SRG/STIG Applicability Guide and Collection Tool is to help the SRG/STIG user community determine which SRGs and/or STIGs apply to a particular situation or Information System (IS), and to create a fully formatted document containing a "Collection" of the SRGs and STIGs applicable to the situation being addressed. The SRG/STIG Applicability Guide and Collection Tool is available for download from the Information Assurance Support Environment (IASE) web site at: http://iase.disa.mil/stigs/agct/Pages/index.aspx


Draft DoD Internet-NIPRNet DMZ STIG Version 3

DISA has developed the Draft DoD Internet-NIPRNet DMZ STIG Version 3. The draft STIG and spreadsheet are available at: http://iase.disa.mil/stigs/net_perimeter/enclave-dmzs/Pages/dmz-imp.aspx Please provide comments, recommended changes, and/or additions to the draft STIG by 20 March 2015 on the Comment Matrix spreadsheet. Comments should be sent via NIPRNet email to disa.stig_spt@mail.mil. Include the title and version of the STIG in the subject line of your email.


Apple OS X 10.9 (Mavericks) Workstation STIG, V1R1

DISA has released the Apple OS X 10.9 (Mavericks) Workstation STIG Version 1. The requirements of the STIG become effective immediately. The STIG is available on IASE at http://iase.disa.mil/stigs/os/mac/Pages/mac-os.aspx.

DoD Instruction 8500.01 states that DISA "develops and maintains control correlation identifiers (CCIs), security requirements guides (SRGs), security technical implementation guides (STIGs), and mobile code risk categories and usage guides that implement and are consistent with DoD cybersecurity policies, standards, architectures, security controls, and validation procedures, with the support of the NSA/CSS, using input from stakeholders" and that DoD Component heads "ensure that all DoD IT under their purview complies with applicable STIGs, security configuration guides, and SRGs." DISA considered all the applicable technical NIST SP 800-53 requirements while developing this STIG. Requirements which are applicable and configurable are included in the final STIG.

DoD information systems require password complexity and account management for authentication and confidentiality. Apple OS X 10.9 does not natively provide these capabilities. In order for systems to meet these requirements, they must be connected to an Active Directory infrastructure or a similar LDAP solution. A report marked For Official Use Only (FOUO) covers the further items that did not meet requirements. The compliance report is available to component Authorizing Official (AO) personnel for use in their certification and risk assessment. AO requests for the compliance report may be sent via email to disa.stig_spt@mail.mil.

In accordance with DoD Instruction 8500.01, the Apple OS X 10.9 (Mavericks) Workstation STIG Version 1 is released for immediate use. The document is available on http://iase.disa.mil.


RMF Training Video Presentation

Video of RMF for DoD IT: Cybersecurity and Risk Management Framework Implementation. This video is publicly available on http://iase.disa.mil/. The Cybersecurity and Risk Management Framework Implementation video is a summary of the DoD Risk Management Framework process. It is pretty dry but hits most of the main points of DoDI 8510.01.


Nothing on DoD 8140

In typical government fashion, an important change was mentioned years ago and nothing has come of it. DoD 8570 was supposed to be replaced by DoDD 8140, but it still has not been done. The USAF just released Air Force Manual 33-285, CyberSecurity Workforce Improvement Program, 20 March 2015, and it is based on 8570 and not DoDD 8140. Why? Because 8140 does not exist. Is it in draft? Is it ever going to exist? Someone out there knows. If it is not going to be created, then why are so many official sites, documents and policies in the government still mentioning it?

"The DoDD 8140 (DoDD 8570.1 replacement) is in staffing (administrative and format correction by the DoD, then legal review, then for signature by the SecDef or DepSecDef). Tentative completion and release date 1st Qtr. FY 15. The workforce manuals will stem from the signed DoDD 8140." – US Army CIO/G6 Cyber Security Directorate

"DoD Directive 8570.1 provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Information Assurance (IA) workforce. – Will be replaced by DoD Directive 8140, Cyberspace Workforce Management in 2-4 months." – IA Workforce Improvement Program Update (USAF), med.navy.mil

"Ensuring initial IA orientation and annual awareness training are available to all authorized users to ensure they know, understand, and can apply the IA requirements of their system(s) in accordance with reference (d) and will eventually be updated with the publishing of the Department of Defense Directive (DoDD) 8140 in May 2014." – US Marine Corps Enterprise Cyber Security Directive – CyberSecurity Workforce Improvement Program

"Lack of Standard DoD CS/ITWF-Related Procedures. DON CIO personnel informed us that the Navy did not comprehensively define the overall CS/ITWF or develop a CS/ITWF personnel database because they were waiting for DoD to issue its guidance. We were told that DoD was drafting Directive 8140.aa, "Cyberspace Workforce Management," reissuing and renumbering DoD Directive 8570.01, "Information Assurance Training, Certification, and Workforce Management," updating and expanding policies, and assigning responsibilities for managing the DoD workforce performing cyberspace functions." – Cyberspace/Information Technology Skill Sets for Active Duty Military Personnel at Selected Navy Commands, 19 May 2014


IT jobs in usa

Information Technology (IT) jobs in the USA are very hot! As more and more businesses in developed countries go online, more and more IT jobs become available. According to Wanted Analytics, China currently has the greatest demand for software engineers, with the USA in second. The key to getting an IT job in America is specialization. Companies are looking for a specific skill set. According to an article in Fortune magazine, 3 of the top 10 career fields with the most job openings of 2014 were specialized IT jobs. IT is very competitive, but once you specialize in a certain aspect of IT (e.g. IT security engineer, network engineer, software engineer) your competition gets smaller. Remaining competitive means gaining experience, IT certifications and degrees. As the market for IT people has gotten more complex, it has also become important to be diversified in your skills. If you are a software engineer, it really helps to know other things like networking, security and maybe even program management.

Probably the most important thing to do if you are going for a job in Information Technology is to study the company or organization that you are going after. Often employers are looking for something very specific. If you have the experience they are looking for, put it on your resume and make sure it is mentioned during the interview. If you find that you are just shy of what they are looking for, learn what you can before approaching them. In the DoD, every IT professional is expected to have solid security experience or a security certification even if they are not a security expert. IT is a huge and growing market.


Risk Management Framework (RMF) for DoD Information Technology (IT)

The Risk Management Framework (RMF) Knowledge Service is the DoD CIO's authoritative source for implementing the RMF and DIACAP: https://rmfks.osd.mil/ (not a public site).

DoD RMF documentation: The DoD RMF is based on DoDI 8500.01, Cybersecurity, and DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT) (http://iase.disa.mil/rmf/Pages/guidance.aspx).

DoDI 8500.01 – Cybersecurity. This DoD Instruction replaces the previous Information Assurance (IA) guidance under DoDD 8500.01, November 21, 2003.

DoDI 8510.01 – Risk Management Framework (RMF) for DoD Information Technology (IT). This DoD Instruction replaces the previous DIACAP guidance under DoDI 8510.01, November 28, 2007.

These policies refer to the NIST SP 800 series, specifically NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, and NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations.

CNSS RMF guidance: CNSSI No. 1253, Security Categorization and Control Selection for National Security Systems (from the CNSS home page, select "Instructions" from the Library drop-down). This document replaces the previous version dated 3 March 2012. Overlays are now Appendix F vice K.


Federal Information Security Modernization Act of 2014

The purposes of the Federal Information Security Modernization Act of 2014 are to:

(1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;

(2) recognize the highly networked nature of the current Federal computing environment and provide effective governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities;

(3) provide for development and maintenance of minimum controls required to protect Federal information and information systems;

(4) provide a mechanism for improved oversight of Federal agency information security programs, including through automated security tools to continuously diagnose and improve security;

(5) acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the nation that are designed, built, and operated by the private sector; and

(6) recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.

More here: https://www.congress.gov/bill/113th-congress/senate-bill/2521/text


Who has the authority to appoint an IAM (ISSM)

Who has the authority to appoint an Information Assurance Manager (IAM)/Information System Security Manager (ISSM)? An IAM (Information Assurance Manager) is now called an Information System Security Manager (ISSM). The program manager, system manager or component commander appoints the ISSM in writing.

According to DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), it is the Program Manager/System Manager who appoints the ISSM for each assigned Information System or PIT system, with the support, authority, and resources to satisfy the responsibilities established in the instruction.

In the Department of the Navy, the Information System Security Manager is appointed by the Program Executive Offices and Systems Commands, according to SECNAV 5239.2.

The Army currently uses AR 25-2, Information Assurance (being replaced). The Information Assurance Program Manager (IAPM) appoints the IAM. AR 25-2, paragraph 3-2 (IAM): Appoint IAMs at all appropriate levels of command. This includes subordinate commands, posts, installations, and tactical units. Appoint an IAM as needed for those Army activities responsible for project development, deployment, and management of command-acquired software, operating systems, and networks. A contractor will not fill the MSC, installation, or post IAM positions, and the person filling the position will be a U.S. citizen.
