I was looking at the NIST 800-171 profile for Controlled Unclassified Information (CUI) and it looks like all it does is derive from the OSPP profile. While I'm sure this profile covers at least what's needed for CUI, inheriting the whole OSPP profile seems like *way* overkill and the OSPP profile itself describes NIST 800-171 as a subset. Should the nist-800-171 profile have more rules disabled or is it really that close of an overlap that the only difference is the inactivity timeout?
---------- Chuck Atkins Staff R&D Engineer, Scientific Computing Kitware, Inc.
Ping?
---------- Chuck Atkins Staff R&D Engineer, Scientific Computing Kitware, Inc.
On Tue, Aug 22, 2017 at 5:01 PM, Chuck Atkins chuck.atkins@kitware.com wrote:
Hi Chuck Atkins, I'm investigating this right now and I expect to give you a response by today.
Thanks
----- Original Message ----- From: "Chuck Atkins" chuck.atkins@kitware.com To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Monday, August 28, 2017 3:50:53 PM Subject: Re: CUI profile for EL7
_______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
Hi Chuck Atkins,
Based on what I've found, it seems NIST 800-171 extending the whole OSPP really seems to be overkill, and was probably a workaround, or at least the fastest way to implement it at the time. However, I think the best people to confirm that are Shawn or Gabriel, both copied in this email.
So, let's see what they can tell about it.
By the way, it's nice to know someone from Kitware; I really appreciate the software you build there. Not only CMake, but ParaView helped me a lot!
Regards
----- Original Message ----- From: "Wesley Ceraso Prudencio" wcerasop@redhat.com To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Monday, August 28, 2017 4:00:37 PM Subject: Re: CUI profile for EL7
On 8/28/17 11:49 AM, Wesley Ceraso Prudencio wrote:
At an information system level there's no argument the various RMF processes and controls differ -- FISMA Low is much different than FISMA High.
At the Linux component level it's all pretty much the same. I originally created a massive spreadsheet to track the control selections between things like FISMA low/med/high, CUI, STIGs.... they all overlapped. And where they didn't, the differences were minor and mostly related to variable refinements (e.g. password lengths).
Rules selected in the CUI profile (or inherited from OSPP) should all be marked with a CUI tag that identifies the mapping back to NIST 800-171. We can absolutely adjust the rule selections between the profiles if something is seen as overkill.... but we need to understand what exactly it is.
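The question running through this thread, what a derived profile actually changes relative to the profile it extends, can be answered mechanically from the XCCDF rather than by reading rule lists. The script below is an added example, not code from this list or from the SCAP Security Guide project: it parses an XCCDF 1.2 benchmark, resolves the Profile `extends` chain the way the XCCDF spec describes (parent selections and refinements first, then the child's own `select` and `refine-value` elements on top), and reports the rules and refined values where the two profiles differ. The embedded benchmark and every rule, value and profile id in it are constructed placeholders, not SSG's real identifiers; on a benchmark whose profiles have already been flattened, the `extends` handling is simply a no-op and only the explicit selections are compared.

```python
"""Diff the effective rule selections of two XCCDF 1.2 profiles.

Added example, not code from the mailing-list thread or from the
SCAP Security Guide project.  Resolves Profile `extends` chains,
`select` and `refine-value`, then reports where a derived profile
actually differs from its parent.  Only explicit selections are
compared; rules a profile never mentions keep their Rule default.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Constructed sample benchmark (ids are illustrative placeholders):
# the "cui" profile extends "ospp", drops one rule and refines one
# value, the inactivity timeout, to a different selector.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_sample">
  <Profile id="xccdf_example_profile_ospp">
    <title>Example OSPP</title>
    <select idref="xccdf_example_rule_disable_ctrlaltdel" selected="true"/>
    <select idref="xccdf_example_rule_accounts_tmout" selected="true"/>
    <select idref="xccdf_example_rule_audit_login_events" selected="true"/>
    <select idref="xccdf_example_rule_smartcard_auth" selected="true"/>
    <refine-value idref="xccdf_example_value_accounts_tmout" selector="10_min"/>
  </Profile>
  <Profile id="xccdf_example_profile_cui" extends="xccdf_example_profile_ospp">
    <title>Example CUI (NIST 800-171)</title>
    <select idref="xccdf_example_rule_smartcard_auth" selected="false"/>
    <refine-value idref="xccdf_example_value_accounts_tmout" selector="15_min"/>
  </Profile>
</Benchmark>
"""


def load_profiles(xml_text):
    """Map profile id -> Profile element for every Profile in the benchmark."""
    root = ET.fromstring(xml_text)
    return {p.get("id"): p for p in root.findall("xccdf:Profile", NS)}


def resolve(profiles, profile_id, _seen=None):
    """Return (selected_rule_ids, refined_values) with `extends` applied.

    Per XCCDF, an extending profile inherits the parent's selections and
    refinements first and then applies its own; a later select on the same
    idref wins, so selected="false" in the child removes an inherited rule.
    """
    _seen = set() if _seen is None else _seen
    if profile_id in _seen:
        raise ValueError(f"extends cycle at {profile_id}")
    _seen.add(profile_id)
    prof = profiles[profile_id]
    parent = prof.get("extends")
    if parent:
        inherited_sel, inherited_ref = resolve(profiles, parent, _seen)
        selected, refined = set(inherited_sel), dict(inherited_ref)
    else:
        selected, refined = set(), {}
    for sel in prof.findall("xccdf:select", NS):
        if sel.get("selected", "false").lower() == "true":
            selected.add(sel.get("idref"))
        else:
            selected.discard(sel.get("idref"))
    for rv in prof.findall("xccdf:refine-value", NS):
        refined[rv.get("idref")] = rv.get("selector")
    return selected, refined


def diff_profiles(xml_text, base_id, derived_id):
    """Rules present in only one profile, and values refined differently."""
    profiles = load_profiles(xml_text)
    base_sel, base_ref = resolve(profiles, base_id)
    der_sel, der_ref = resolve(profiles, derived_id)
    return {
        "only_in_base": sorted(base_sel - der_sel),
        "only_in_derived": sorted(der_sel - base_sel),
        "refined_differently": {
            vid: (base_ref.get(vid), der_ref.get(vid))
            for vid in sorted(set(base_ref) | set(der_ref))
            if base_ref.get(vid) != der_ref.get(vid)
        },
    }


if __name__ == "__main__":
    report = diff_profiles(SAMPLE_XCCDF,
                           "xccdf_example_profile_ospp",
                           "xccdf_example_profile_cui")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real datastream, the same function points at exactly the rows that would have gone into the spreadsheet described above: the rules one profile drops and the variables (timeouts, password lengths) it refines to a different selector, without having to read either rule list end to end.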