Information Assurance Package

ASTi has created a secure version of our product suite to help customers meet the Information Assurance (IA) requirements for systems attached to a secure network. This information is intended to be a reference guide for customers who are required to comply with the Department of Defense Directive (DODD) 8500.1 which states:

  • "All COTS IA or IA-enabled IT hardware, firmware, and software components or products incorporated into DOD information systems must comply with the evaluation and validation requirements of National Security Telecommunications and Information System Security Policy (NSTISSP) 11, reference (w)."
  • "Such products must be satisfactorily evaluated and validated either prior to purchase or as a condition of purchase (i.e., vendors will warrant, in their responses to a solicitation and as a condition of the contract, that the vendor's products will be satisfactorily validated within a period-of-time specified in the solicitation and the contract)."
  • "Purchase contracts shall specify that product validation will be maintained for updated versions or modifications by subsequent evaluation or through participation in the National Information Assurance Partnership (NIAP), Assurance Maintenance Program."

For more detailed information see the Information Assurance Support Environment (IASE) website.

The Information Assurance Package provides a secure version of the server software. In the secure software version, ASTi eliminates the majority of the security risks identified by DISA, but some customer action is still required to resolve vulnerabilities that may exist at the installation site.

Applicable Product Lines:

  • Telestra Studio & Studio VM
  • Telestra Target
  • Voisus
  • SERA

Features

Note: The IA Package is an optional software package for ASTi platforms.

  • Security Hardening Scripts
    • Includes an additional software package for the platform with ASTi's customized security hardening scripts.
    • Minimizes or eliminates all high, medium and low severity items
  • Multiple STIG benchmark reports to assist Designated Accrediting Authority (DAA)
    • STIG Benchmark All Settings HTML Report
    • STIG Benchmark Non-Compliance HTML Report
    • STIG Benchmark XML Results
    • ASTi SCAP Non-Compliance Supplement Report
      • Includes a breakdown of STIG Benchmark Non-Compliance PDIs into a detailed open, false positive and waiver listing for analysis and use by the DAA

DISA & STIGS

The Defense Information Systems Agency (DISA) develops and provides security configuration guidance for IA and IA-enabled IT products. The guidelines are outlined in DISA's Security Technical Implementation Guides (STIGs), which identify existing and potential vulnerabilities on a system. STIGs exist for a variety of operating systems and applications.

Additionally, there is a Red Hat-specific SCAP benchmark and SCAP toolset for compliance checking. Every security software version release for the platform is tested against the latest version of the Red Hat STIG as well as the latest SCAP toolset. Links to DISA and the STIGs can be found at http://iase.disa.mil/stigs/Pages/index.aspx.

Within each STIG, findings are assigned one of three severity levels: low, medium, or high.

ASTi's goal for our platforms is to eliminate all High and Medium severity items and to minimize Low severity items. ASTi has also incorporated STIG/SCAP checking into the production release test process so that the software is continually updated with the most current, validated security enhancements [1].

Customer Responsibilities

Each vulnerability is given a unique label called a Potential Discrepancy Item (PDI). Each PDI is categorized and accompanied by a short description of the vulnerability it represents. Of the hundreds of PDIs, ASTi can eliminate the majority; however, the customer is responsible for eliminating several of them.

For example, certain elements of the STIGs require that the customer:

  • Set non-guessable passwords
  • Review audit logs
  • Maintain specific physical security requirements

As the STIG Benchmark and SCAP tools are updated, the PDI list will change. The specific PDI list is provided for each software release and is tested against the latest STIG/SCAP versions as shown in the accompanying reports.

Process Details

The sections above describe what the IA package provides in terms of software, features, and documentation. Certain security features, such as secure remote access, SELinux, and user accounts, are available by default.

The IA package software for the ASTi platform is a one-time delivery. After purchasing the software, you receive the following:

  • ASTi Software Installation DVD(s)
  • ASTi IA Package Software Installation DVD
  • Multiple STIG benchmark reports to assist Designated Accrediting Authority (DAA)

The IA software version for the platforms is based on a specific STIG version. For example, if you order an IA package update in Quarter 4 of 2012, you will receive the security software version that was run against the STIG Benchmark stream "U_RedHat_5-V1R1_STIG_Benchmark", released August 2nd, 2012.

Within a period of 1 year, one update, if required, can be requested by the customer at no additional cost. If a software update is purchased separately from the ASTi platform, a new production version will be generated within 60 days and delivered once, with no subsequent updates. Future IA package software packages/upgrades required to match the latest STIG requirements would require the purchase of a new IA package. Future upgrades will be made available as required, based on customer demand. Additionally, ASTi will provide updates when a STIG update is available. Based on recent history, this means that, if required, we would release approximately four versions per year. However, this is subject to change based on customer demand and the DISA STIG release schedule.

ASTi highly recommends that customers have an active support contract. No two customers are alike, and neither are their IA requirements. The various components of this process are documented; however, customers often have specific questions in this area that require some level of support. Support needs vary, ranging from installation assistance to simply understanding why certain PDIs show the responses that they do in the ASTi SCAP Non-Compliance Supplement Report.

[1] As the DISA STIG High and Medium severity items change in future STIG and SCAP releases, it is impossible to predict future issues. While ASTi will make every reasonable attempt to remove all high and medium severity issues, we cannot guarantee removal of all of them as they change over time. If removal of an issue is not feasible, we will work with the customer to obtain a waiver as required. This will be documented in the accompanying ASTi SCAP Non-Compliance Supplement Report.