On 8/28/17 11:49 AM, Wesley Ceraso Prudencio wrote:
Hi Chuck Atkins,
Based on what I've found, it seems NIST 800-171 extending the whole OSPP really seems
to be overkill, and was probably a workaround, or at least the fastest way to implement it
at the time. However, I think the best people to confirm that are Shawn or Gabriel, both
copied in this email.
So, let's see what they can tell about it.
By the way, it's nice to know someone from Kitware; I really appreciate the
software you build there. Not only CMake, but ParaView helped me a lot!
At an information system level there's no argument the various RMF
processes and controls differ -- FISMA Low is much different than FISMA
High.
At the Linux component level it's all pretty much the same. Originally
I created a massive spreadsheet to track the control selections between
things like FISMA low/med/high, CUI, STIGs.... they all overlapped. And
where they didn't, the differences were minor and mostly related to
variable refinements (e.g. password lengths).
Rules selected in the CUI profile (or inherited from OSPP) should be all
marked with a CUI tag that identifies the mapping back to NIST 800-171.
We can absolutely adjust the rule selections between the profiles if
something is seen as overkill.... but we need to understand what exactly it is.