What do you use to implement security controls?
First of all, implementing security controls means putting security measures in place on your servers, workstations and other information systems. Take the best guidance wherever you can get it. Your organization may provide resources to you, such as processes and procedures. You can also use security implementation guides (STIGs): https://public.cyber.mil/stigs/
But probably the best and most comprehensive source of implementation guidance is the vendor of the system or OS you are using. Cisco, for example, publishes guidance for securing its routers on Cisco.com. Cisco probably won’t call them “security controls”, but if you know you need to update the IOS, you would search their site for how to update the IOS and for the most current IOS for your internetwork device.
RMF implementation
Best Practices Guide for Department of Defense Cloud Mission Owners
DISA has released “Best Practices Guide for Department of Defense Cloud Mission Owners”, which is available at http://iase.disa.mil/cloud_
This site provides a knowledge base for cloud computing security processes and cloud service provider (CSP) security requirements.
DISA has developed the following DRAFT documents related to Cloud Computing Security and the use/integration of Cloud Computing in DoD which are available for community review and feedback/comments:
• Draft Cloud Computing Security Requirements Guide (SRG), Version 1 Release 2
• Draft Cloud Access Point (CAP) Functional Requirements Document (FRD) V2.2
• Draft Concept of Operations (CONOPS) for Cloud Computer Network Defense (CND) v1
The Draft documents and a Comment Matrix for each (in a .zip file) are available below.
Please provide comments by COB 22 August 2015 on the Comment Matrix associated with each document via one unclassified email for each comment matrix to:
disa.letterkenny.re.mbx.stig-info@mail.mil
Please Note: It is critical that each comment matrix is returned in a separate email with the subject line stating “[Your organization] Comments for [document title]” so we can distribute the comment matrices to the appropriate team for each document and easily identify the source.
SCAP Compliance Checker (SCC)
SCAP Compliance Checker SCC Tool 3.1.2

SPAWAR Systems Center Atlantic has released an updated version of the SCAP Compliance Checker (SCC) Tool. The updated features include recent DISA STIG content for both Windows and Red Hat systems and NIST USGCB patch content. In addition, several defects have been resolved in the 3.1.2 release.
The SCAP Tools are located at http://iase.disa.mil/stigs/
Security Content Automation Protocol (SCAP) Windows Benchmarks
DISA Field Security Operations (FSO) is releasing updated automated compliance benchmarks for Windows Operating Systems outside of the normal quarterly release schedule. The latest benchmarks will correct a problem with importing the content into the HBSS Policy Auditor tool. The Benchmarks are located at http://iase.disa.mil/stigs/
More on the features of the SPAWAR SCAP Compliance Checker (SCC) Tool:
Primary Features:
- No per seat license costs for Federal government/contractor computers
- Performs compliance scanning using SCAP content
- Performs vulnerability scanning using OVAL content
- Performs manual interview checks using OCIL content
- Creates XCCDF XML results
- Creates OVAL XML results
- Creates ARF XML results
- Creates Cyberscope Autofeed XML results
- Creates HTML and text based single computer reports
- Creates HTML and spreadsheet based multi-computer summary reports
- Allows for installation of custom SCAP and OVAL content
- Allows for automatic downloading of updated patch content from Internet/Intranet
- Allows for organizational deviations
- Allows for organizationally defined compliance thresholds
- Has graphical and command line interfaces
- Native executables per platform (no runtime requirements such as Java)
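
As an added example (not part of the original post and not SCC's own code), the script below reads the rule-result entries of an XCCDF XML results file, the format named in the feature list, and applies a list of organizational deviations and a compliance threshold. The pass-ratio scoring, the deviation set, the threshold values and the sample rule ids are assumptions made for illustration; a scanner may score differently.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed XCCDF 1.2 TestResult (host and rule ids are made up).
SAMPLE = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo">
    <target>host01.example.test</target>
    <rule-result idref="rule_password_length"><result>pass</result></rule-result>
    <rule-result idref="rule_audit_logon"><result>fail</result></rule-result>
    <rule-result idref="rule_legacy_protocol"><result>fail</result></rule-result>
    <rule-result idref="rule_screen_lock"><result>pass</result></rule-result>
    <rule-result idref="rule_not_installed"><result>notapplicable</result></rule-result>
    <rule-result idref="rule_firewall_on"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>"""

COUNTED = {"pass", "fixed", "fail", "error", "unknown"}  # results that affect the score
PASSING = {"pass", "fixed"}

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files both parse."""
    return tag.rsplit("}", 1)[-1]

def parse_results(xml_text):
    """Return {rule_id: result} for every rule-result in the document."""
    root = ET.fromstring(xml_text)  # for files you did not produce, prefer defusedxml
    results = {}
    for el in root.iter():
        if local(el.tag) != "rule-result":
            continue
        res = next((c.text.strip() for c in el if local(c.tag) == "result" and c.text), "unknown")
        results[el.get("idref")] = res
    return results

def evaluate(results, deviations=frozenset(), threshold=90.0):
    """Score = passing / counted rules, after removing accepted deviations (assumed model)."""
    scored = {r: v for r, v in results.items() if v in COUNTED and r not in deviations}
    passed = sum(1 for v in scored.values() if v in PASSING)
    score = 100.0 * passed / len(scored) if scored else 0.0
    open_findings = sorted(r for r, v in scored.items() if v not in PASSING)
    return {"score": round(score, 1), "compliant": score >= threshold, "open": open_findings}

if __name__ == "__main__":
    res = parse_results(SAMPLE)
    print(evaluate(res))                                                   # default threshold
    print(evaluate(res, deviations={"rule_legacy_protocol"}, threshold=75.0))
```

Rules reported as notapplicable, notchecked or notselected are left out of the denominator, so they neither raise nor lower the score.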