I am slowly making my way through the 800-39. I like it so far. I worry that, because it hasn't specified a deliverable yet, it will get no notice or play. I hope that it does soon. I also await the arrival of the updated 800-30, since there are clear overlaps. What would probably be helpful for anyone reading is posting my comments and markups. I am not sure how NIST will respond to it.
I also saw that there is a new 800-60. I can't even begin to contemplate when I will get to it. The last one was weak, and I don't think anyone I knew even read it. I know this because when I asked them what information type their system was processing, I instantly received a blank stare. When I was engineering Federal systems, they didn't have an 800-60 or FIPS 199. So, we merrily wrote our SSP, conducted Risk Assessments and ran the ST&Es. I get the feeling here that, because they bothered to update the documents, they will probably get a little more play.
It is my opinion that if more system owners sat down and determined their information types, then boundary identification would be easier. I won't go into it, but please stay tuned for a post on system boundaries.
Lastly, I wrote a couple of VBScripts that help me with my Nessus scanning. Since Nessus is still free (7-day lag on plugins) and generally useful, I provide my little scripts for you to review and abuse. The scripts will run against one or more result XMLs and provide output in the form of MS-Excel. They are located at http://www.redeyetek.com/Tools/. One is for the results from a Linux scanner and one for a Windows client.
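As an added example (not the author's VBScripts from the link above), the same idea in Python: read one or more Nessus result XMLs, flatten every finding into a row, dedupe findings that appear in more than one file, and emit CSV that Excel opens directly. It assumes the .nessus v2 layout (NessusClientData_v2 / Report / ReportHost / ReportItem), which is an assumption about the file format and may differ from whatever the original scripts consumed; the two sample documents are constructed inline, not real scan output. One caveat a practitioner would want here: plugin_output carries text from the scanned host (banners and the like), so a cell that begins with `=`, `+`, `-` or `@` would be evaluated as a formula when the sheet is opened, and the example neutralises that before writing.

```python
"""Flatten one or more Nessus .nessus (v2 XML) result files into an
Excel-friendly CSV, deduplicating findings seen in more than one file."""
import csv
import io
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_LABELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
FIELDS = ["severity_label", "severity", "host", "os", "port", "protocol",
          "service", "plugin_id", "plugin_name", "description", "plugin_output", "source"]

# Constructed sample documents (not real scan output). Both files report the
# same SSH finding for 10.0.0.5 so the dedup path is exercised; the second
# file's only other finding carries a plugin_output that starts with "=".
SAMPLE_NESSUS_FILES = {
    "linux_scanner.nessus": """<?xml version="1.0"?>
<NessusClientData_v2><Report name="linux run">
  <ReportHost name="10.0.0.5">
    <HostProperties><tag name="operating-system">Linux Kernel 2.6</tag></HostProperties>
    <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
                pluginID="10881" pluginName="SSH Protocol Versions Supported">
      <description>Determines the SSH protocol versions the remote daemon supports.</description>
      <plugin_output>Supported versions: 1.33, 1.5, 1.99, 2.0</plugin_output>
    </ReportItem>
    <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                pluginID="19506" pluginName="Nessus Scan Information">
      <description>Displays information about the Nessus scan.</description>
    </ReportItem>
  </ReportHost>
</Report></NessusClientData_v2>""",
    "windows_client.nessus": """<?xml version="1.0"?>
<NessusClientData_v2><Report name="windows run">
  <ReportHost name="10.0.0.5">
    <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
                pluginID="10881" pluginName="SSH Protocol Versions Supported">
      <description>Determines the SSH protocol versions the remote daemon supports.</description>
    </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.9">
    <HostProperties><tag name="operating-system">Microsoft Windows Server 2003</tag></HostProperties>
    <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                pluginID="900001" pluginName="Constructed SMB finding">
      <description>Constructed high-severity finding for the example.</description>
      <plugin_output>=2+2 (constructed banner text to show formula neutralisation)</plugin_output>
    </ReportItem>
  </ReportHost>
</Report></NessusClientData_v2>""",
}


def parse_nessus(xml_text, source):
    """Return one row dict per ReportItem in a .nessus v2 document."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError(f"{source}: not a .nessus v2 document (root is {root.tag})")
    rows = []
    for host in root.iter("ReportHost"):
        os_name = ""
        for tag in host.iterfind("HostProperties/tag"):  # HostProperties may be absent
            if tag.get("name") == "operating-system":
                os_name = (tag.text or "").strip()
        for item in host.iterfind("ReportItem"):
            sev = int(item.get("severity", "0"))
            rows.append({
                "source": source, "host": host.get("name", ""), "os": os_name,
                "port": item.get("port", ""), "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""), "severity": sev,
                "severity_label": SEVERITY_LABELS.get(sev, str(sev)),
                "plugin_id": item.get("pluginID", ""), "plugin_name": item.get("pluginName", ""),
                "description": (item.findtext("description") or "").strip(),
                "plugin_output": (item.findtext("plugin_output") or "").strip(),
            })
    return rows


def merge_results(files):
    """Parse every file and dedupe on (host, port, protocol, plugin), keeping
    the copy that has plugin_output; rows come back highest severity first."""
    merged = {}
    for source, text in files.items():
        for row in parse_nessus(text, source):
            key = (row["host"], row["port"], row["protocol"], row["plugin_id"])
            kept = merged.get(key)
            if kept is None or (not kept["plugin_output"] and row["plugin_output"]):
                merged[key] = row
            elif not kept["os"] and row["os"]:
                kept["os"] = row["os"]
    return sorted(merged.values(),
                  key=lambda r: (-r["severity"], r["host"], int(r["port"] or 0), r["plugin_id"]))


def _excel_safe(value):
    """Prefix cells that Excel would treat as a formula so they stay literal text."""
    text = str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@", "\t", "\r") else text


def to_csv(rows):
    """Serialise rows as CRLF-terminated CSV that Excel opens directly."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\r\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: _excel_safe(row[k]) for k in FIELDS})
    return buf.getvalue()


def severity_summary(rows):
    """Findings per host per severity label, e.g. {'10.0.0.9': {'High': 1}}."""
    summary = {}
    for row in rows:
        summary.setdefault(row["host"], Counter())[row["severity_label"]] += 1
    return summary


if __name__ == "__main__":
    merged_rows = merge_results(SAMPLE_NESSUS_FILES)
    print(to_csv(merged_rows))
    for host, counts in severity_summary(merged_rows).items():
        print(host, dict(counts))
```

To use it on real output, replace SAMPLE_NESSUS_FILES with a dict of filename to file contents; the dedup key deliberately ignores which file a finding came from, so the same host scanned from a Linux box and a Windows client lands in the sheet once.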
Things to look forward to: another VBScript that makes XMLs from the DISA SRRs into MS-Excel, and a post on System Boundaries.
1 comment:
So are you going to post your mark-ups and comments?