Chris, The below, sent to me by a colleague of mine, seems to address your question:
Per the guidance from the NIST National Vulnerability Database (NVD) website (http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority) we are allowed to use Vendor produced SCAP content in the absence of "Governmental Authority" checklists. The link above will take you to the source, but I copied & pasted the verbiage below:

Authority
The organization responsible for producing the original security configuration guidance represented by the checklist. Authorities are ranked according to their "Authority Type." Within the NCP website authorities are grouped with their authority types through the syntax of Authority Type: Authority. If it is not clear which checklist(s) should be analyzed, users from Federal civilian agencies should first search for checklists produced by authorities of type "Governmental Authority." If "Governmental Authority" produced checklists exist the user should first search for NIST-produced checklists, which are tailored for civilian agency use. If no NIST-produced checklist is available, then agency-produced checklists from the Defense Information Systems Agency (DISA) or the National Security Agency (NSA) should be used. If no "Governmental Authority" checklists exist the user should search for checklists produced by authorities of type "Software Vendor." If none of these checklists exist the user should search for checklists produced by authorities of type "Third Party."

Authority Type
Type of organization that lends its authority to the checklist. The three types are Governmental Authority, Software Vendor, and Third Party (e.g., security organizations).
Regards,
Robert

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Bailey, Christopher D CTR USARMY AMRDEC (US)
Sent: Tuesday, February 25, 2014 12:45 PM
To: [email protected]
Subject: SSG for RHEL 6 (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

Does anyone know if there's been an official approval from DISA for the use of SSG content and the openSCAP utility on RHEL 6 systems for providing official vulnerability reports to IA inspectors?

Our local IA folks tell us that SCC is the only DISA approved/provided product that we can use for scanning our systems and providing scan results to IA for inspection and analysis. However, SCC only provides content up to RHEL 5, which is of no help with RHEL 6. We have our own homemade script for scanning, but that's only good for in-house use. We need something for producing official SCAP formatted vulnerability reports.

We believe our best option for automated scanning is the openSCAP tool with SSG content, which is what we want to use, but there doesn't seem to be any official acceptance for its use. Basically, my IA folks want to see something in writing from DISA that says they officially approve the use of SSG content and the openSCAP tool for proving IA compliance on RHEL 6 systems. I know that the DISA FSO is working closely with Red Hat on SSG, but I can't find anything like an official release from DISA.

Thanks.

Classification: UNCLASSIFIED
Caveats: NONE

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
