ASTi has created a secure version of our product suite to help customers meet the Information Assurance (IA) requirements for systems attached to a secure network. This information is intended to be a reference guide for customers who are required to comply with the Department of Defense Directive (DODD) 8500.1 which states:
"All COTS IA or IA-enabled IT hardware, firmware, and software components or products incorporated into DOD information systems must comply with the evaluation and validation requirements National Security Telecommunications and Information System Security Policy (NSTISSP) 11, reference (w)."
"Such products must be satisfactorily evaluated and validated either prior to purchase or as a condition of purchase (i.e., vendors will warrant, in their responses to a solicitation and as a condition of the contract, that the vendor's products will be satisfactorily validated within a period-of-time specified in the solicitation and the contract)."
"Purchase contracts shall specify that product validation will be maintained for updated versions of modifications by subsequent evaluation or through participation in the National Information Assurance Partnership (NIAP), Assurance Maintenance Program."
For more detailed information see the Information Assurance Support Environment (IASE) website.
The IA Package is a one-time deliverable based on a specific software version and RHEL STIG pairing. For a complete list of available options see: http://support.asti-usa.com/ia_security.html
Each security package contains security hardening scripts, multiple STIG benchmark reports, and an ASTi SCC Non-Compliance Supplement Report, which includes a breakdown of STIG Benchmark Non-Compliance PDIs into a detailed open, false positive, and waiver listing for analysis and use by the DAA. This package can only be installed on Telestra Target with the ACE-SEC software option, or Studio (incl. VM). If the software version selected is not already deployed and/or licensed for the system(s) in question a paid software update will be required. (i.e. Trainer is running 6.2.0 and requires 6.4.0). Customer is responsible for providing RHN updates as well as any STIG delta to latest STIG if an older IA package is selected (i.e. 6.2.0 from January 1st, 2017 for example).
Note: The IA Package is an optional software package for ASTi platforms.
The vulnerabilities are given unique labels called Potential Discrepancy Items (PDIs). Each PDI is categorized with a short description of the vulnerability it represents. Out of the hundreds of PDIs, ASTi can eliminate the majority of them; however, the customer is responsible for eliminating several PDIs that are application, network and/or deployment specific. Additionally any STIG delta is also a customer responsibility if an older version / pairing is selected.
For example, if a system is currently licensed for and running Telestra 6.2.0 and that IA package is selected then the customer shall be responsible for delta from the RHEL6 V1R13 STIG to the current STIG version available today. This is assuming a newer STIG version is available and that STIG is not End Of Life (EOL).