Consumer to Collaborator: Re-Imagining the Government's Role in Open Source

EXPLAIN YOUR FISMA PROCESS

OR, EMBED INTO KICKSTART:

$ oscap xccdf eval \
    --remediate \
    --profile stig-rhel6-server-upstream \
    --report /root/scan-report.html \
    /usr/share/xml/scap/content.xml

Miracle at Willow Run

FIRST USE OF CONTAINERS?

Mode 1: TRADITIONAL
Mode 2: EXPLORATORY

YOU ARE NOT AN IT CRAFTSMAN. YOU ARE A BI-MODAL IT MANUFACTURER.

CATEGORIZE (FIPS 199 / SP 800-60)
SELECT CONTROLS (FIPS 200 / SP 800-53)
IMPLEMENT CONTROLS (SP 800-70)
ASSESS CONTROLS (SP 800-53A)
AUTHORIZE (SP 800-37)
MONITOR (SP 800-37 / SP 800-53A)

and Dev … Ops goes …

Everyone knows that SCAP is a suite of XML standards for creating automated checklists for configuration and vulnerability scans!

[Chart: Deployment Growth vs. Risk; axis labelled "Units of ___________"]

Community created portfolio of tools and content to make attestations about known vulnerabilities https://github.com/OpenSCAP
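The two slides above describe SCAP as a suite of XML standards for automated checklists and OpenSCAP as the tooling and content that produces attestations from them. The following is an added example, not code from the slides or from the OpenSCAP project: it parses an XCCDF 1.2 result document (the XML that `oscap xccdf eval` writes when given `--results`, as opposed to the HTML produced by the `--report` flag shown earlier) and turns the per-rule outcomes into the numbers an authorizing official actually asks for. The sample document and its rule ids are constructed placeholders; only the XCCDF namespace, element names and result vocabulary are the real standard.

```python
"""Summarise an XCCDF 1.2 result file: per-rule outcomes, failures by
severity, and a compliance ratio. Added example; SAMPLE_RESULTS below is a
constructed document and its rule ids are placeholders, not content from any
real SCAP data stream."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2 namespace
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4}

# Constructed sample: the <rule-result> outcomes are drawn from the XCCDF
# result vocabulary (pass, fail, fixed, notapplicable, notselected, ...).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.example_benchmark_demo">
  <TestResult id="xccdf_org.example_testresult_demo"
              start-time="2014-01-01T00:00:00" end-time="2014-01-01T00:01:00">
    <profile idref="xccdf_org.example_profile_demo"/>
    <target>host.example.internal</target>
    <rule-result idref="xccdf_org.example_rule_sshd_disable_root_login" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_no_empty_passwords" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_banner_text" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_aide_installed" severity="medium">
      <result>fixed</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_uefi_boot" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_usb_storage" severity="medium">
      <result>notselected</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return one dict per <rule-result>: rule id, severity, outcome."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", ns):
        outcome = rr.findtext("x:result", default="unknown", namespaces=ns)
        rows.append({
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": outcome.strip(),
        })
    return rows


def summarize(rows):
    """Count rules by outcome (pass / fail / fixed / notapplicable / ...)."""
    return Counter(r["result"] for r in rows)


def failing_rules(rows, min_severity="low"):
    """Rules still failing at or above a severity threshold. 'fixed' means
    the --remediate run corrected the setting, so it is not a live failure;
    notapplicable / notselected / notchecked rules were never evaluated."""
    floor = SEVERITY_RANK[min_severity]
    return sorted(
        r["rule"] for r in rows
        if r["result"] == "fail"
        and SEVERITY_RANK.get(r["severity"], 0) >= floor
    )


def compliance_ratio(rows):
    """Share of evaluated rules (pass / fail / fixed / error) that comply.
    Unevaluated rules are excluded so they cannot inflate the score."""
    evaluated = [r for r in rows
                 if r["result"] in ("pass", "fail", "fixed", "error")]
    if not evaluated:
        return 0.0
    ok = sum(1 for r in evaluated if r["result"] in ("pass", "fixed"))
    return ok / len(evaluated)


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    print(dict(summarize(rows)))
    print("high-severity failures:", failing_rules(rows, "high"))
    print("compliance: %.0f%%" % (100 * compliance_ratio(rows)))
```

Counting only evaluated rules matters in practice: a profile that marks most rules `notselected` can look fully compliant if those are lumped in with passes, which is exactly the kind of number an assessor working from SP 800-53A will want to see separated out.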

$ govready scan

HOW TO ENGAGE

OpenSCAP GitHub: https://github.com/OpenSCAP
NIST SCAP Website: https://scap.nist.gov
OpenSCAP References & Docs: https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References
SCAP Content Mailing List: https://fedorahosted.org/mailman/listinfo/scap-security-guide
GovReady user-friendly front-end: https://github.com/GovReady/govready
Ansible-SCAP (+ Vagrant) demo. See how it all works, painlessly: https://github.com/openprivacy/ansible-scap

CONTACT INFO

Shawn Wells, shawn@redhat.com, 443-534-0130
Greg Elin, gregelin@gitmachines.com, 917-304-3488
Fen Labalme, fen@civicactions.com, 412-996-4113