Closed atosak closed 2 years ago
Instructions:
[ ] POC Design / WAD Review Scheduled (David Chang) or N/A.
[ ] POC Design / WAD Reviewed (Feature Owner) or N/A.
[ ] Complete any follow-ons from the POC Review.
[ ] Design / WAD Approval (Alasdair Nottingham) or N/A.
[ ] No Design / No WAD Approval (Arthur De Magalhaes - cloud / Alasdair Nottingham - server) or N/A.
[ ] SVT Requirements identified. (Epic owner / Feature owner with SVT focal point)
[ ] ID Requirements identified. (Epic owner / Feature owner with ID focal point)
[ ] Create a child task of the epic entitled "FAT Approval Test Summary". Add and fill in the template as described here: https://github.ibm.com/was-liberty/WS-CD-Open/wiki/Feature-Review-(Feature-Test-Summary-Process)
[ ] Identify all open source libraries that are changing or are new. Work with Legal Release Services (Cass Tucker or Release PM) to get open source cleared and approved. Or N/A. (Epic Owner). New or changed open source impacts license and Certificate of Originality.
[ ] All new or changed PII messages are checked into the integration branch, before the last translation shipment out. (Epic Owner)
[ ] Implementation complete. (Epic owner / Feature owner)
[ ] All function tests complete. Ready for FAT Approval. (Epic owner / Feature owner)
[ ] Review all known issues for Stop Ship. (Epic owner / Feature owner / PM)
Prereq: You must have the Design Approved or No Design Approved label on the GitHub Epic.
[ ] Accessibility - (G Scott Johnston). Accessibility testing is complete or N/A. Approver adds label focalApproved:accessibility to the Epic in GitHub.
[ ] FAT Liberty SOE - (Kevin Smith). SOE FATS are running successfully or N/A. Approver adds label focalApproved:fat to the Epic in GitHub.
[ ] Globalization (Sam Wong - Liberty / Simy Cheeran - tWAS). Translation is complete or N/A. TVT - complete or N/A. Approver adds label focalApproved:globalization to the Epic in GitHub.
[ ] ID - (Kareen Deen). Documentation work is complete or N/A. Approver adds label focalApproved:id to the Epic in GitHub.
[ ] Performance - (Jared Anderson). Performance testing is complete with no high severity defects or N/A. Approver adds label focalApproved:performance to the Epic in GitHub.
[ ] Serviceability - (Don Bourne). Serviceability has been addressed.
[ ] STE - (Swati Kasundra). STE chart deck is complete or N/A. Approver adds label focalApproved:ste to the Epic in GitHub.
[ ] SVT - (Greg Ecock - Cloud, Brian Hanczaryk - APS). SVT is complete or N/A. Approver adds label focalApproved:svt to the Epic in GitHub.
[ ] Demo - (Liberty only - Tom Evans or Chuck Bridgham). Demo is scheduled for an upcoming EOI. Approver adds label focalApproved:demo to the Epic in GitHub.
[ ] No Stop Ship issues for the feature. (Epic owner / Feature owner / Release PM)
[ ] Ship Readiness Review and Release Notes completed (Epic owner / Feature owner / Release PM)
[ ] GitHub Epic and Epic's issues are closed / complete. All PRs are committed to the master branch. (Epic owner / Feature owner / Backlog Subtribe PM)
[ ] OL Guides - (Yee-Kang Chang). Assessment for OL Guides is complete or N/A.
[ ] WDT - (Leonard Theivendra). WDT work complete or N/A.
[ ] Blog article writeup (Epic owner / Feature owner / Laura Cowen)
Any timeline when this STIG is available? Our company security/compliance rules also need this.
STIG work is currently underway, final completion pending DISA review and approval.
Great! Any idea if review is completed end of this month or end of this year? Just to be sure: does that mean there is a STIG XML available which can be used by Tenable Nessus?
We've just recently started, so end of month is not likely, but trying to pull that in as much as possible, given DISA review availability. There will be a STIG XML available for all, Liberty standalone users and embedders. Of course, anything beyond Liberty may need its own STIG.
Johannes, our goal is to have an approved Liberty STIG by EOY. It takes several months of iterative reviews with the DISA team and we have a dependency on their availability/schedule to get back to us with their feedback. Once we finalize the last iterative review, we need to wait for their final approval and then for them to get final approval back from the various DoD agencies who are also needing this Liberty STIG. This GitHub issue will be updated as we make progress, along with the link to the approved Liberty STIG.
@emilytee would it be possible to get a beta version of the XML file to try it with our Nessus? We would not need an official release for the moment. Just a version we could run some checks with. And we would be happy to provide feedback from our tests if anything comes up.
Any news?
The Liberty STIG draft has been submitted for review; official compliance testing will begin in the next month.
Official compliance testing with DISA is complete, and formal submission to the DoD is underway.
STIG for Liberty has been approved:
From: "Mccormick, David J CTR DISA RME (USA)" david.j.mccormick2.ctr@mail.mil
To: "Emily Tuczkowski" emilyt@us.ibm.com
Date: 09/13/2021 08:12 AM
Subject: [EXTERNAL] Websphere Liberty STIG
Good morning Emily and congratulations!!!
I wanted to let you know the Websphere Liberty STIG was finally approved and it is now going through OPSEC review before it is posted to cyber.mi
There's effectively nothing to review from a FAT Focal perspective as this epic requires no design, has node deliveries, and requires no testing. However the process requires a FAT Focal approval so I'll add that now.
Also agree - this is just a documented process we needed for approval - no demo is required - adding label signoff.
STIG for Liberty is required for customers who work with the Federal Government. It is a checklist of about 130 questions to be answered. What is required:
1) Provide answers to a checklist of about 130 questions. This will allow customers to start their evaluation.
2) Make the STIG checklist publicly available on the STIG website maintained by the US government. There is a formal process to be followed.