bloomberg on supermicro: sky is falling
Naslund, Steve
SNaslund at medline.com
Wed Oct 10 17:06:09 UTC 2018
If there was a waiver issued for your ATO, it would have had to have been issued by a department head or the OSD and approved by the DoD CIO after Director DISA provides a recommendation and it is mandatory that it be posted at https://gtg.csd.disa.mil. Please see this DoD Instruction http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/831001p.pdf (the waiver process is on page 23). If it did not go through that process, then it is not approved not matter what anyone told you. I know your opinion did not make it through that process.
Want to tell us what system this is?
Steven Naslund
Chicago IL
>And yet I got my DoD system ATOed my way earlier this year by
>demonstrating to the security controls assessment team that the cost
>of default-deny-all exceeded the risk cost of default-allow with IDS
>alerts on unexpected traffic.
>
>Because not spending more on a security implementation than the amount
>by which it reduces the risk cost, is a CORE SECURITY PRINCIPLE while
>default-deny-all is merely a standard policy.
>
>Regards,
>Bill Herrin
More information about the NANOG
mailing list