CONTRACT AND BUYERS GUIDES: Field Security

DISA’s automated vulnerability management system can help keep your system off the front page.

When a “hacking” story gets on the front page, even dry topics like information assurance and IT security look sexy to mainstream media editors – as happened when allegations China penetrated congressional computers were widely aired in June.

Conversely, security experts often note that keeping such “stories” from occurring in the first place is largely a matter of following good, if often rudimentary, procedures and routines that by themselves can stop more than 90 percent of all hack attempts.

So, the Defense Information Systems Agency’s (DISA) Field Security Operations (FSO) division might be seen as a group ultimately dedicated to keeping things dull – if by such we mean keeping defense systems secure and un-newsworthy.

Field Security Operations
Field Security operates in the context of the DOD’s Global Information Grid, and produces enterprise-wide security education, training and awareness programs; technical guidance; and improved IA processes. FSO is part of GIG Operations Directorate Four, or GO4.

Among its efforts, FSO has published more than 30 Security Technical Implementation Guides (STIGs) spanning OS issues across Windows and UNIX environments, and drilling down to the implementation of specific apps such as secure video teleconferencing, or databases, or collaboration systems.

Gold or Platinum? 

“…The Gold Standard was developed with Information Technology (IT) security as well as operational impact in mind. Operational impact includes required security settings, which will disable or cause loss of functionality of the information system or application. Operational impact cannot override security; the operational impact must be weighed against the risk of not implementing a security control. The Gold Standard is the establishment of a minimum-security baseline applied to DoD systems. The Gold Standard provides a high level of assurance that the functionality of the information system or application will not be adversely impacted as a result of implementing the Gold Standard settings. Security controls designated as Platinum Standard provide a higher level of security assurance but may impact operations….”

Link to FSO:
http://www.disa.mil/go/go4.html

Link to STIGs:
http://iase.disa.mil/stigs/index.html

Online training modules:
http://iase.disa.mil/eta/online-catalog.html#iaprofessionals

Source: DISA WINDOWS 2003/XP/2000/VISTA ADDENDUM, Version 6, Release 1, May 21, 2007

The group also provides more than 50 security checklists that span Open VMF, .NET Framework, UNIX, web, Windows, wireless, Bluetooth and other apps and utility areas and environments.

It has supported its offerings with more than 30 white papers on subjects ranging from Windows XP security packs to pcAnywhere implementation guidance.

Gold Disk Version 2.0
Most recently, FSO has released an update of its prominently employed product, Gold Disk Version 2.0. Gold Disk is a system administrator (SA)/workstation level scanning tool that encompasses the STIGs, the checklists and the Center for Internet Security (CIS) benchmarks.

Gold Disk gives SAs a tool by which they can “detect installed products, identify and remediate applicable vulnerabilities and generate a file that can be used for asset registration and findings-upload into DISA’s Vulnerability Management System (VMS).”

DISA officials call Gold Disk a “basic security analysis tool” that is specifically targeted at a variety of Windows environments and desktop applications, as well as Internet Information Services 5.0 and 6.0 and Internet Explorer.

Automated Vulnerability Detection
Generally, automated vulnerability detection and remediation of the kind Gold Disk provides is recommended as a baseline configuration process, not as a replacement for the exacting manual processes that may otherwise be required to resolve specific security issues.

The idea of configuration benchmarks at a repeatable, baseline level was boosted by the National Security Agency, DISA, the uniformed services and others in the aftermath of the 9/11 attacks. A series of “gold standard” task force efforts resulted in the formation of CIS, which itself provides more than 40 OS and apps-level configuration benchmarks. These basic benchmarks can be carved into agency-specific tools by groups like FSO/GO4.

As crafted today, Gold Disk is used to generate reports to DISA’s vulnerability compliance tracking system that interoperates with Windows IA vulnerability notices.

DISA FSO was launched as part of a broad effort to institutionalize vulnerability management across DOD as a formal discipline, including the creation of an IA portal available to all defense components (IASE.DISA.mil).

CIS has reported that the “gold standard” process has benefited greatly by increasingly engaging both users and prominent OS and apps manufacturers, in addition to security officers, as IT system benchmarks are defined and scoring tools are created.

As well as providing a security safety net, Gold Disk is promoted by FSO as a productivity enhancement device for SAs. According to a 2004 report, Gold Disk can reduce the processing time for standing up a secured Windows workstation or server from one or two days to just a few hours.

Agencies can run Gold Disk from a CD or download it via SIPRNET or NIPRNET. More info about Gold Disk and all of FSO/GO4’s products is available at (717) 267-9900, DSN 570. 

Smart Buying 
As a DOD IT buyer, you have a wide variety of avenues to get IT. Here are a few good places to start.

DISA DITCO (Defense Information Technology Contracting Organization)
http://www.ditco.disa.mil
You will find a multitude of information for government buyers, employees and contractors.

DISA Direct
http://www.disadirect.disa.mil/products/asp/welcome.asp
Here you’ll find DISA's ordering suite of tools for requesting telecommunication products and services.

CHESS (Computing Hardware and Enterprise Software: 2006 – 2016)
ascp.monmouth.army.mil/scp/index.jsp
CHESS provides hardware and software solutions that are compliant with DOD, Army and Network Enterprise Technology Command (NETCOM) standards.

Army ITES-2
https://ascp.monmouth.army.mil/scp/index.jsp
ITES-2 contracts support Army combat systems, including command, control, communications and computers, and business systems.

Air Force NETCENTS
https://ossg.gunter.af.mil/aq/netcents/homepage.aspx
NETCENTS is a $9 billion IDIQ contract for engineering, software development, integration, security and telephone services, as well as voice, video and data hardware and software supporting DOD’s Global Information Grid architecture.

DISA ENCORE II (2008 – 2013)
http://www.ditco.disa.mil/hq/contracts/encorchar.asp
Provides network engineering services, analytical support for buying and installing IT systems, and a way to buy various products, including hardware.

For the complete listing and additional information, go to http://gcn.com/microsites/reports/dod-security-buyers-guide/eight-avenues.aspx