old.reddit.com /r/NISTControls/.rss
NIST Controls Discussion, Resource Sharing, News, Recommendations for Solutions
Atom Feed

Hello, I hope this makes sense as I have been thrown in the deep end here.

A coworker asked me to help find information on what a VA hospital is asking. We need the FIPS certificate 4-digit code for a risk assessment. Our product is a dental 3D digital scanner on wheels, which is a PC with a fancy camera with Wi-Fi. They use an Intel AX210 Wi-Fi 6E card and onboard Intel as well. For FIPS info do we just need the OS info, which will be 10 and soon to be 11, or just the Wi-Fi card, or both? I found a few resources that seem to point to just the OS would enable FIPS and the card can handle it. Just confused as to what exactly to tell the VA IT person.

submitted by /u/CleveIT2024

Normally one can use STIG Viewer 3 to convert .cklb files to .ckl files, but if one cannot use STIG Viewer 3 (long story), is there another app/method to convert .cklb files to .ckl files? Thanks.

submitted by /u/BookSeeker2021

We are currently using Connectwise Screenconnect for our customers that are NIST and soon to be CMMC audited. Based on what I read with MSPs, MSPs will also need to be audited if they connect into NIST / CMMC based systems. Are there any specific configurations that must be met for this to work? For example do I need to disable File Transfer within Screenconnect to prevent exfiltration of sensitive data? Do I need to disable Copy/Paste Clipboard? Just looking at what configurations we will need to be compliant.

submitted by /u/Topher1113

Hello everyone,

In the context of NIST 800-53, I keep stumbling across the terms security function and security information, which require special protection.

However, I can't really make much sense of the terms and the NIST glossary isn't really informative either.

Could you perhaps explain a definition to me using concrete examples?

Thanks!

submitted by /u/Helontir

It seems simple enough on its face, but I have been unable to find any scanning software that can detect counterfeit devices.

Does anyone here have any recommendations for products that can actually scan for counterfeit system components, or should I chalk this up to a manual process as part of SCRM and stop trying to find a technical solution?

submitted by /u/WombatBob

Does putting all our Windows computers in FIPS mode help enforce that CUI is compliant with NIST 800-171r3 controls 3.13.8 and 3.13.11?

submitted by /u/uniquemet

Did anyone validate if this is possible before writing it?

The first layer of networking is the access layer, what the computer connects to, which, if this is possible, needs to be able to encrypt transmission.

Problem is any switch, like Cisco switches, when you put it in FIPS-validated mode, does not encrypt the control plane. It encrypts the management interface and SSH to configure the device at FIPS-level SSH encryption.

Same for Wi-Fi access points: the data plane in FIPS mode is not encrypted. Only CAPWAP packets and the authentication to get on are encrypted at FIPS levels.

Also any sort of SSL VPN solution like GlobalProtect, AnyConnect and Zscaler is FIPS-CC, not FIPS validated.

FIPS validated seems required in control 3.13.11.

Did any network engineer in the DOD validate that their expected architecture exists in the public world?

If the DOD thinks that putting their Cisco switches and APs in FIPS mode is securing their data plane, they are shit out of luck.

Please explain to me how to be compliant with this control.

submitted by /u/toeding

I’ll try and make it short.

My primary role is engineering, but I'm also the one that handles all the computer systems and networking.

We went through the whole 800-171 thing a few years ago and it literally just ran on the honor system. I know, I sat through a whole 4-hour presentation right alongside people from Lockheed, Grumman, L3, and all the other big players.

So I went through the entire 800-171 handbook line by line and implemented everything I knew I could reasonably handle on my own.

I also contracted a local IT firm who did not specifically deal with 800-171, but because of their experience in numerous other high security environments and our tightness on funds at the time they were willing to help us out.

They set us up with an on-prem Active Directory server and set up all the group policies for our network folders exactly how we wanted, and even gave me some quick training on how to edit the policies and add/remove users and new systems, etc.

So while we should still be fine, our largest customer is wanting our systems to be “verified”, preferably by a 3rd party. While I’m fairly confident in what we have, I'm unwilling to put my name on something I’m not actually trained in, and with no input from someone who is, especially when it comes to govt work.

But the big problem comes into play when every single company we have contacted that does this just wants to shove everything into Office365 and Azure and call it a day…

Not only do we not want to operate “in the cloud”, but as soon as we mention that some of the stuff is ITAR controlled they tell us that part can just stay on our current server… which then begs the question: if our current servers are good enough for the ITAR stuff, then why move any of it?

This whole situation is driving me nuts, and I now have less than a month to figure it out or we’re going to begrudgingly pay some company almost $4k to move our stuff into the cloud and fill out some paperwork for us.

Full disclosure: it’s a family-owned business and I am the son of the owner and have been with the company for nearly 20 years. So we’re not some big corporate entity and I’m not being pressured into cutting corners or anything like that. None of us want to use cloud services, especially me and my dad.

submitted by /u/TechOWL30

I've been trying to figure this out. I have a company, and need to travel to Europe for a few months. Can we remote VPN temporarily for a few months while traveling in Europe from a VPN? We already use Azure GCC High and have end-to-end encryption. Some users would have to remote into a VM from Europe. I saw the regulations from the DTCC, and 125.4 says it's allowed. All employees are based in the US. There has been a lot of movement on remote work since COVID that there seems to be some grey area concerning this. Any help is appreciated.

A person who is traveling or on temporary assignment abroad may access data using "Sufficient security precautions" under the 125.4(b)(9) exemption.

Does this apply only to government agencies or also businesses? The regulation does not specify only for government agencies but in general.

submitted by /u/Emotional-Ad-5332

Currently attempting to run some test scans with it on a workstation with both IIS 10.0 & MS SQL 2016, and I'm failing to receive reports for IIS Sites and SQL DBs.

Anything I could be missing here as far as configuration? The scans are run locally on the machine.

submitted by /u/Throwaway_DRO

Does anyone have experience using LucidLink with CUI? I want to use it as an alternative to a NAS (we are fully remote).

LucidLink is a bit of a different concept, where they only store metadata, and they use third-party cloud storage services for the actual data. We have users with large files that do not benefit from collaboration or any value-added features you get from SharePoint, Box, Egnyte, etc. I have LucidLink set up to store data on AWS GovCloud S3, and have the S3 bucket set up in a way that will result in the storage cost being less than 10% of SharePoint.

LucidLink itself wouldn't be compliant with DFARS 252.204 as a CSP, but the CUI would never actually touch their services so they should technically be out of scope. Does that sound right?

There are also no logs; LucidLink's philosophy is "zero-knowledge". But looking at 3.3.1, it doesn't seem like it's actually required that logs are generated for events at the individual file level. I'd be able to see them authenticate with the service on their device via SSO, and I can generate logs via the file system/sensitivity labels/DLP. It's not possible to access the storage via a browser.

We also don't have direct access to the encryption keys, but no third parties do either. The keys are exclusively located on the client devices and chained based on the root password+user SSO info.

Does it seem like a viable service?

submitted by /u/imscavok

Hi Hivemind, looking for a NIST 800-171 list of controls spreadsheet. Can anyone point me in the right direction?

submitted by /u/TheFamousHater

Hi all,

Any thoughts on apps to handle the paperwork associated with NIST SP 800-171 and NIST SP 800-53 r5 compliance (which right now is all handled in Word and Excel)?

What I'm looking for is:

  • Need to Have
    • End Results - generate SSP toward both standards (and possibly include SOC1 or SOC2)
    • Generate and manage POAM
    • Centrally manage policies/procedures
  • Would like to have
    • Manage workflows/todo lists (i.e., roles need to be reviewed on an annual basis)
    • Upload and manage artifacts (the documentation of the role review noted above).

Those are the core tasks as we're looking to update to the latest revisions (again).

Thanks!

submitted by /u/philrich12

We are looking at moving to a zero trust setup. Would this be seen as a split tunnel connection? I would think if the US Gov is mandating zero trust, it would be approved.

submitted by /u/stechit

Hello everyone! Looking to see if there is a minimum baseline for DOD SIPR networks. Not sure if there is a set standard referenced somewhere or if the impact score assignment is based solely on information types still. I know that there is an overlay but wasn’t sure if it just added controls or changed the impact values by default. Thank you everyone in advance!

submitted by /u/MarsupialOk6430

Hello everyone,

I am working in Germany on the implementation of NIST SP 800-53.

If I understand it correctly, control PL02 requires that a system security plan is available for each IT system.

I have never encountered a system security plan from my experience in Germany.

Is there a list of examples of known IT systems that I could use as a guide when creating the system security plans?

In other words, I am looking for a template or some guidance for a system security plan.

Help would be appreciated!

submitted by /u/Helontir

Hi,

Dell will happily sell me FIPS 140 validated drives for my servers at 10x the retail price of non-validated enterprise-class drives. I'd rather buy the validated drives direct.

Over the years I have managed to get my reseller (CDW-G) to get FIPS validated drives from Seagate and/or WD. It has always been a PITA, and lately he's slower to respond.

Anyone have a reliable source to recommend?

My needs are pretty modest; right now I need maybe 15 drives. 10 of them are just whatever cheapo boot drive someone has, 2.5" SAS or SATA. For the others, I need moderate-performance SSDs, 1 DWPD is fine, but enterprise class. Again, SAS/SATA.

If anyone has another good subreddit to recommend for this, I'd love to hear that too. Thanks.

submitted by /u/danpritts

Hello everyone,

I need help with control AC-10 of NIST SP 800-53!

Can someone explain to me with a practical example what the control intends?

As I understand it, the intention of the control is that admins in particular are only allowed to establish a limited number of sessions, for example with an application?
In other words, an admin may only have a few simultaneous sessions in an ERP system?

Is this realistic in your experience? I have discussed this control with my admins and I encountered very fierce resistance...

Thank you very much!

submitted by /u/Helontir

I've been trying to find the best way to aggregate STIG checklists in a domain. For a second Vulnerator looked promising... until I saw the GitHub repo was abandoned and they lost their CON back in 2021-22. It's actually a little depressing seeing the bug requests for the last 3 years with no response from the dev team.

STIG Manager isn't an option due to the PKI requirements, and to be honest, it seems like it's over-engineered for what we'd use it for. eMASSter isn't an option because we're private sector; last I heard it was only open to DOD personnel. Please correct me if that's wrong; I'd love to demo it if possible.

Is there anything out there that just... you point it at a directory of CKLs and CKLBs, and it aggregates the findings into a CSV? I know that something like that would be much more practical than a full blown web app with API.

submitted by /u/Villainsympatico

Anyone have any documentation about an IATT? I started working for a project supporting a Zone A environment and am trying to present the benefits of IATT over ATO given where we are at.

submitted by /u/JMar0554

I work for a workforce management IT company, and I have been tasked with acquiring eMASS for my organization. I have read through the eMASS manual but I'm a little confused where to start. I have already acquired the CAGE code. We have both federal and VA clients. Please help.

submitted by /u/Mesho62

ZTA

Anybody besides myself who thinks that ZTA might not be a realistically feasible deployment especially given that most of the Government's user base WFH?

submitted by /u/allcityblks

I used to be able to find Apple macOS benchmarks on the DISA site, but this year I have been unable to find benchmarks. Currently I have in place benchmarks covering macOS 11 and macOS 12. Can anyone point me to where I can find benchmarks for newer macOS to use?

submitted by /u/digitalcaffeine

I have a couple Win10 systems logging several "EMET.adml" and "EMET.admx" files missing alerts (related to STIG settings, I suspect). Searching around the web, it looks like MS used to host an EMET toolkit download (v5.5), but doesn't any longer (dead links and 404s).

Is the EMET toolkit a thing any longer? If so, where would I get it? I've found a couple of downloads on rando sites, but I'm not sure I trust them.

Thanks!

submitted by /u/gmr2048