opencontrol / atos

Introduction to ATOs
https://atos.open-control.org
Creative Commons Zero v1.0 Universal

speak to DISA STIGs #20

Open afeld opened 5 years ago

afeld commented 5 years ago

...and how they relate to controls.

https://public.cyber.mil/stigs/

afeld commented 5 years ago

Should probably also mention the CIS Benchmarks. Is there a generic term for these?

brasky commented 5 years ago

The generic term for these would probably be configuration baselines or just baselines. The guidance provided by USGCB/STIGs/CIS Benchmarks is what you use to determine your baseline configuration settings.

Different baselines might be prescribed based on the scenario. For FedRAMP, CM-6(a) prescribes using USGCB if available, then CIS Benchmarks. STIGs come into play when you add the DISA SRG.

The SRG has a well-written overview on page 5, section 1.4.

The thing I do not know, and would be curious to learn, is where the requirement is for agencies and subcontractors. I'm guessing it's in 800-171 3.4.1, where it says to follow NIST 800-128, which says:

Identification of common secure configurations (e.g., FDCC/USGCB, DISA STIGs, National Checklist Program, etc.) to be used as a basis for establishing approved baseline configurations for the information system;

But I'd love some correction if I'm totally off base.

afeld commented 5 years ago

Thanks for all of that!

configuration baselines or just baselines

Yeah, the former is better, as there are also control baselines, which are a different thing.