Yesterday, NIST released two documents. One is the update to 800-60 (Vol 1 and Vol 2), which assists system owners with identifying the information types and things to consider when categorizing a system.
The other is draft Interagency Report 7511, which describes the process that a tool must go through in order to be SCAP-validated. The italics of course meaning that you should beware that there are/could be tools that say they are compliant not validated. Validated of course meaning that an independent, accredited lab has run through the certification requirements.
Cursory review shows me that the IR 7511 will help all of us understand the criteria to be SCAP validated. I say cursory because I have no intention of going through this document in the near future. It is clearly written for vendors who want to get their product tested and they can use this as the beginning of their requirements management process. Also, their QA teams will certainly implement it before they spend money on testing.
Also coming up is the annual SCAP conference, I went to last year's and it was generally good. I will be going again this year. So, if you aren't going and you want to know what happened leave a comment. If you are going, and you feel like ranting at / with me contact direct: cyberhiker -at- gmail -dot- com.
No comments:
Post a Comment