bloomberg on supermicro: sky is falling

Naslund, Steve SNaslund at
Wed Oct 10 17:06:09 UTC 2018

If there was a waiver issued for your ATO, it would have had to have been issued by a department head or the OSD and approved by the DoD CIO after Director DISA provides a recommendation, and it is mandatory that it be posted at  Please see this DoD Instruction (the waiver process is on page 23).  If it did not go through that process, then it is not approved no matter what anyone told you.  I know your opinion did not make it through that process.

Want to tell us what system this is?

Steven Naslund 
Chicago IL

>And yet I got my DoD system ATOed my way earlier this year by
>demonstrating to the security controls assessment team that the cost
>of default-deny-all exceeded the risk cost of default-allow with IDS
>alerts on unexpected traffic.
>Because not spending more on a security implementation than the amount
>by which it reduces the risk cost, is a CORE SECURITY PRINCIPLE while
>default-deny-all is merely a standard policy.
>Bill Herrin

More information about the NANOG mailing list