On Wed, Oct 10, 2018 at 11:25 AM Naslund, Steve <snasl...@medline.com> wrote:
> You are free to disagree all you want with the default deny-all
> policy but it is a DoD 5200.28-STD requirement and NSA
> Orange Book TCSEC requirement.
And yet I got my DoD system ATOed my way earlier this year by demonstrating to the security controls assessment team that the cost of default-deny-all exceeded the risk cost of default-allow with IDS alerts on unexpected traffic. Because not spending more on a security implementation than the amount by which it reduces the risk cost is a CORE SECURITY PRINCIPLE, while default-deny-all is merely a standard policy.

Regards,
Bill Herrin

-- 
William Herrin ................ her...@dirtside.com  b...@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>