ad-assurance - RE: [AD-Assurance] Applying FISMA to 800-63
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
List archive
- From: Eric Goodman <>
- To: "" <>
- Subject: RE: [AD-Assurance] Applying FISMA to 800-63
- Date: Mon, 29 Apr 2013 15:48:56 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport03.merit.edu; dkim=neutral (message not signed) header.i=none
Hmm… Maybe a call with Kantara would make sense? I note that their guidance is the same as we’ve seen elsewhere: 660 AL2_CO_SCO#010 Secure remote communications 661 If the specific service components are located remotely from and communicate over
662 a public or unsecured network with other service components or other CSPs which
663 it services,
the communications must be cryptographically authenticated, including 664 long-term and session tokens, by an authentication method that meets, at a
665 minimum, the requirements of AL2 and encrypted using a [FIPS140-2] Level 1- 666 compliant encryption method or equivalent, as established by a recognized national
667 technical authority.
My emphasis. Anyone know any recognized national technical authorities? :) I do note that this is a little looser than what we’ve been discussing, as it only applies to intra-IdP-service communication over public and unsecured networks.
--- Eric From: [mailto:]
On Behalf Of Rank, Mark +1 -------------------------------------------------- Mark Rank UCSF Information Technology Services (ITS) phn:414-331-1476 -------------------------------------------------- From:
[] on behalf of Ann West [] Just want to make sure we're not over thinking this…We are bound by InCommon's specs, not the US Government's. Looking to other docs for ideas on how to address the gaps is certainly appropriate, but we have to
be careful not to conflate those with ours. Kantara's specs, another FICAM-approved trust framework, might be just as useful, for instance. Ann From:
<Capehart>, Jeffrey D <> Yes, 800-63 refers to 53 for the controls/assurance, which then refers back to 63 for the technical guidance. Seems like a circular reference. However, my main point was that the 800-63 needed controls for LOA[1,2,3,4] *SHOULD* be tested/evaluated under an 800-53 (FISMA) audit. And, I was able
to pin-point the specific ones. In 53, the controls are somewhat generalized, so that’s why the specific guidance refers back to 63.
At the end of the day, the Federal agencies all turn on the FIPS mode and I suspect any technology using Windows probably also requires the FIPS mode be turned
on. Bitlocker is always at least AES-128 CBC. In FIPS mode, it goes to AES-256. In non-FIPS mode, it uses an “Elephant diffuser” but the underlying data is still AES-CBC-128. I also found a third-party product which tunnels authentication over a TLS encrypted channel using an agent on clients and the AD domain controller. The vendor
says that just a few of their more than 60 federal customers are NIH, NASA, NIST, NOAA, DOD, US ARMY, Dept. of Commerce, Dept. of Energy… Jeff From:
[]
On Behalf Of David Walker Oh. I read that differently. I think it's a statement of requirements beyond those mentioned explicitly in 800-63, not that 800-53 (a security standard) could be used
in lieu of 800-63. The statement is a little redundant, anyway, as federal agencies are already bound by 800-53. David,
|
- [AD-Assurance] Applying FISMA to 800-63, Capehart,Jeffrey D, 04/24/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, David Walker, 04/25/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Brian Arkills, 04/25/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, David Walker, 04/25/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Eric Goodman, 04/26/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, David Walker, 04/25/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Capehart,Jeffrey D, 04/25/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, David Walker, 04/25/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Capehart,Jeffrey D, 04/25/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, Ann West, 04/29/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Rank, Mark, 04/29/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Eric Goodman, 04/29/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Rank, Mark, 04/30/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, Ann West, 04/30/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Eric Goodman, 04/30/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, David Walker, 04/30/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Capehart,Jeffrey D, 04/30/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, David Walker, 04/30/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Rank, Mark, 04/29/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, Ann West, 04/29/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Capehart,Jeffrey D, 04/25/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, David Walker, 04/25/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Brian Arkills, 04/25/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, David Walker, 04/25/2013
Archive powered by MHonArc 2.6.16.