10-04-2018, 08:24 PM   #7
c1pher
Quote: Originally Posted by zx10guy
    It's something and better than nothing. Systems...especially in highly secure environments would still have to go through scanning and meeting various requirements specific to the agency such as STIG, JITC, Common Criteria, etc. TAA is just a baseline/starting point.

STIGs are great in a largely homogeneous environment like the USG but don’t work as well in regular industry. JITC certifications mainly focus on operational testing. Yes, you get an ATO after completing DIACAP or RMF, but those are checklists, and we all know checklists don’t mean security. Case in point: AWS GovCloud has an ATO, is FedRAMP accredited, etc., and the Chinese purportedly could still do their thing.

I do agree with you that doing something is better than doing nothing, but we aren’t doing enough to understand what, exactly, network or IT equipment is doing, and the explosion of IoT has only exponentially exacerbated the problem.