Hello Randal, my main focus this year is FDCC, FDCC Deployment, and Application 
Testing. The reason I used the statement "workstations that process government 
information to be FDCC Compliant" is I had a third party vendor contact me and 
ask if their corp laptops, when connected to a government network and 
processing information, had to be FDCC compliant. The direction I got from NIST 
is "OMB wants to see FDCC applied to nearly any PC that processes government 
data."
I know we can want in one hand and ..... anyway we all know that one.

Hopefully the 2008 Security Automation Conference and Workshop (4th Annual) in 
Sept will bring some light to the subject of FDCC and deviations. 

Take Care and Have Fun --John


 -------------- Original message ----------------------
From: "Randal T. Rioux" <[EMAIL PROTECTED]>
> On Thu, August 21, 2008 9:19 am, [EMAIL PROTECTED] wrote:
> > Thanks for the update Ron, the  last I heard was OMB required all
> > workstations that process government information to be FDCC Compliant.
> 
> All government owned systems, regardless of use.
> 
> > To be FDCC Compliant the workstation had to be configured with all of the
> > settings; if a single setting is changed the workstation is not FDCC
> > compliant.
> >
> > I haven't heard of a deviation policy from OMB being released, so to
> > the best of my knowledge deviations from the FDCC settings are not
> > allowed.
> 
> OMB is the mandate, NIST (FDCC) is the policy. I've never seen an audit or
> C&A package that didn't make gratuitous use of the "N/A" loophole. Like
> airport security, such "regulations" are pure theatre and are the biggest
> reason why I jumped that ship and became a filthy contractor.



> Tangent example: Trusted Internet Connections (TIC)
> 
> Good luck in your new field! Burnout comes fast :-)




> Randy
> 
> 
> --------
> top posting is evil
> 
> 

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
