> Long answer:
> NSA IAD delegates responsibility for DoD STIG work to DISA FSO.

Pardon the pedantry, but it's actually authority from DoD itself -- not delegated from IAD. (IAD has other significant authorities and responsibilities, but the requirement to use STIGs for configuration, and that FSO develop these, is from DoD.)

> - NSA IAD is also using SSG to publish their SNAC guide. Jeff Blank & I
> chatted on the phone this afternoon about just this.... he promised a
> direct response to the list later today/tomorrow. In short, Jeff's been
> very public that the RHEL6 SNAC Guide will be directly derived from SSG.

And of course my response here is late, as usual. But yes indeed -- it has been the plan for quite a while (I've simply been very busy) to render the guide and post it to our web site as our recommended guidance (and to explicitly state that the STIG is the authoritative selection of settings for DoD). The purpose of our posting would be for those non-DoD NSS customers, and should be seen as an endorsement of common guidance through the scap-security-guide project.

I have blocked off Friday afternoon (well, most of it) to do a read-through and get that into the publication review process.

> - Red Hat plans to upgrade SSG from EPEL and ship directly within RHEL
> 6.6+. If you are interested in this happening, PLEASE open an RFE with
> Red Hat (I can help with this offline). Once shipped within RHEL, SSG
> will be the official body of SCAP content supported by Red Hat. Progress
> in this area can be tracked publicly:
> https://bugzilla.redhat.com/show_bug.cgi?id=1038655

This is awesome, and absolutely the realization of a long-term (but oft unachieved) goal to get the best experts on how a product works -- the vendor -- to support secure configuration guidance and its assessment.
