ASTi has created a secure version of our product suite to help customers meet the Information Assurance (IA) requirements for systems attached to a secure network. This information is intended to be a reference guide for customers who are required to comply with the Department of Defense Directive (DODD) 8500.1 which states:
For more detailed information see the Information Assurance Support Environment (IASE) website.
The Information Assurance Package provides a secure version of software for the server. In the secure software version, the majority of the security risks identified by DISA are eliminated by ASTi, but some customer action is required to resolve vulnerabilities that may exist at the installation site.
Note: The IA Package is an optional software package for ASTi platforms.
The Defense Information Systems Agency (DISA) develops and provides security configuration guidance for IA and IA-enabled IT products. The guidelines are outlined in DISA's Security Technical Implementation Guides (STIGS), which identify existing and potential vulnerabilities on a system. STIGS exist for a variety of operating systems and applications.
Additionally there is a RedHat specific SCAP benchmark and SCAP Toolset for compliance checking. Every security software version release for the platform is tested against the latest versions of the Red Hat STIG as well as the latest SCAP toolset. Links to DISA and the STIGs can be found at http://iase.disa.mil/stigs/Pages/index.aspx.
Within each STIG there are 3 severity levels that range from low to medium to high severity.
ASTi's goal for our platforms is to eliminate all High and Medium items and to minimize Low severity items. ASTi has also incorporated STIG/SCAP checking into the production release test process so that the software is constantly updated with the most valid security enhancements1.
The vulnerabilities are given unique labels called Potential Discrepancy Items (PDIs). Each PDI is categorized with a short description of the vulnerability it represents. Out of the hundreds of PDIs, ASTi can eliminate the majority of them; however, the customer is responsible for eliminating several PDIs.
For example, certain elements of the STIGs require that the customer:
As the STIG Benchmark and SCAP tools are updated, the PDI list will change. The specific PDI list is provided for each software release and is tested against the latest STIG/SCAP versions as shown in the accompanying reports.
Hopefully, after reading the above, it is now clear what the IA package provides in terms of software, features and documentation. Certain security features such as secure remote access, SELinux and user accounts are available by default.
The IA package software for the ASTi platform is a one-time delivery and after purchasing the software you receive the following:
The IA software version for the platforms is based on a STIG version. For example, if you order an IA package update in Quarter 4 of 2012 you will receive the security software version, which was run against the STIG Benchmark stream "U_RedHat_5-V1R1_STIG_Benchmark" with a release of August 2nd, 2012.
Within a period of 1 year, one update, if required, can be requested by the customer at no additional cost. If a software update is purchased separately from the ASTi platform, a new production version will be generated within 60 days and delivered once with no subsequent updates. Future IA package software packages/upgrades that are required to match the latest STIG requirements would require the purchase of a new IA package. Future upgrades will be available as required based on customer demand. Additionally, ASTi will provide updates when a STIG update is available. Based on recent history, this means that if required we would release approximately four versions per year. However, this is subject to change based on customer demand and the DISA STIG release schedule.
ASTi highly recommends that customers have an active support contract. Given that no two customers are alike, neither are their IA requirements. The various components of this process are documented; however, there are always customers with specific questions in this area requiring some level of support. Support needs will vary from the area of installation or simply understanding why certain PDIs show the responses that they do in the ASTi SCAP Non-Compliance Supplement Report.
As the DISA STIG High and Medium severity items change in future STIG and SCAP releases it is impossible to predict future issues. While ASTi will make every reasonable attempt to remove all high and medium severity issues we cannot guarantee removal of all these issues as they change over time. If removal of an issue is not feasible we will work with the customer to obtain a waiver as required. This will be documented in the accompanying ASTi SCAP Non-Compliance Supplement Report.