What This Is Not

First Things First

This is not a get out of jail free card. Just because you heard it here does not mean you are instamagically approved to do anything. I’m willing to bet that you have an approved Configuration Management process; execute that to inflict change in your environment. This is not direction to do anything, spend money, let a contract, nothing. This is intended to be a conversation starter with your SCA or DAO. This is intended to give you something to think about, to elevate your conversation. This is non-binding. There are probably times/cases where I would tell the sites/systems that I support to do things differently than what we will discuss here. That’s why this is called “It Depends”.

Your SCA, your DAO/AO/SAO have very distinct reasons why they give you the guidance and direction that they do. There may be outside factors, information, threats that you are not aware of that they are trying to address. There could be a direction that they are steering your effort, company, site, program that they are not sharing with you. There could even be a new policy that has been issued or an existing policy that has received a new level of emphasis.

“You should benefit from every requirement in this book.” — DAO

I will also take a moment to point something out. Just because I may give you AN alternative or A way to do something does not mean it’s the way YOU should do something. These are the examples that I’ve seen and that I’ve done, but that doesn’t mean they will work for you, in your environment. Something to keep in mind. While the JSIG is filled with very specific and technical guidance, there are also 1/2″ margins, meaning you and your SCA/DAO have a little room to play and navigate before you fall off the edge and get hurt.

Even these margins may not work for you. There are some environments that I would not give any slack; I would hold them strictly to the control. That is due to their process or their system not being mature enough to operate in grey areas. There is absolutely nothing wrong with that. We’ll get there.

All this being said, the opinions here do not represent those of management, the SAO or any other SCA/DAO/AO in your authorization process. Always defer to them. This blog and $5 will get you a cup of coffee at Starbucks.

The intent behind this is to try a new method of disseminating the Cyber Security conversations beyond what we have been able to do during site visits and other one-on-one opportunities.
