RE: Addendum to Policy Letter 13: Audit Generation Functionality
- Subject: RE: Addendum to Policy Letter 13: Audit Generation Functionality
- From: "Michelle Ruppel" <firstname.lastname@example.org>
- Date: Fri, 9 Mar 2007 13:24:19 -0600
- Content-Transfer-Encoding: 7bit
- Content-Type: text/plain; charset="us-ascii"
- In-Reply-To: <email@example.com>
- Thread-Index: AcdicuwV8y42C04vSZOHMNqatztAhwAAQiMg
I appreciate the argument that the products should meet the DoD
Producing products that serve CCEVS customers who pay the bills definitely
needs to be a major consideration.
However, if available security products do not include these features and
the DoD still wants or needs the product, wouldn't it be better to have the
product evaluted by CCEVS than to not have that product evaluated because it
does not audit everything?
I'm not sure CCEVS policies are the correct place to mandate security
features for products that are produced in the general marketplace.
The use of PPs and RFCs appear to be a better mechanism for mandating
security featuers in products to be used by the DoD.
From: firstname.lastname@example.org [mailto:email@example.com] On Behalf Of Daniel P. Faigin
Sent: Friday, March 09, 2007 11:38 AM
To: Multiple recipients of list
Subject: RE: Addendum to Policy Letter 13: Audit Generation Functionality
On Fri, 9 Mar 2007 12:11:13 -0500 (EST), "Williamson, Robert L. Jr."
> It appears to me that the purpose of audit seems missing in this
> discussion. Furthermore, I believe all Government requirements require
> some interpretation.
In the case of the 8500.2 requirements, you should look at the DIACAP
Knowledge Base. That defines the validation procedures to establish whether
system (and I use that word intentionally, as opposed to "product") is
compliant with a control.
Of course, you'll easily discover problems with those procedures. I have,
and working on some white papers to highlight those problems and work them
resolution (this is all non-CC stuff).
(I'm getting on my soapbox here, and this is more with a C&A hat on than any
CCEVS related hat)
If the goal is to have CCEVS validate products that serve the customers who
are paying their bills, control compliance should be considered. The
should serve to support the ability of the overall system to meet the
controls. For example, if passwords are used, the system should provide the
ability to enforce that DoD-password rules are enforced (see control
IAIA). Otherwise, usage of the product in the DoD creates difficulties and
requires waivers. Similarly, if the product provides auditing, it should
at a level suitable to provide the information required in the ECAR
(climbs down off soapbox)
Date Index |
Thread Index |
Problems or questions? Contact firstname.lastname@example.org