DIACAP and Gold Disk: What about Windows 7?

Written by SPK Blog Post
Published on January 25, 2012

This post is in response to David’s excellent post about Gold Disk.

I recently performed some DIACAP compliance testing using Gold Disk on one of our products, which was built on Windows XP Embedded. That process is fairly straightforward; Gold Disk is somewhat clunky (it has no search function), but it did work. When our latest product was built on Windows 7, I quickly discovered that Gold Disk does not support Windows 7. What's worse, it is not being updated to work on anything past Vista, and it is being retired in favor of something called SCAP-based benchmarking tools. Without one of these tools, the only way to test a Windows 7 system is to check it manually against a STIG.

STIG stands for Security Technical Implementation Guide. It is a human-readable checklist used to verify and document compliance with DISA standards. The current STIGs and the SCAP benchmarks can be downloaded here: https://iase.disa.mil/stigs/Pages/index.aspx. At the time of this posting, there is a scrollable box that contains both the human-readable STIG manual checklist (Windows 7 STIG – Version 1, Release 6 – Updated October 31, 2011) and the SCAP benchmark files.

SCAP stands for Security Content Automation Protocol, and it is sort of like a successor to Gold Disk, except that DISA is not developing its own tool for performing compliance scanning. Instead, DISA releases SCAP benchmarks, which are essentially parameter files that can be loaded by any of a list of validated scanners in order to perform the role Gold Disk did. DISA lists many vendors, but they recommend McAfee HBSS. My organization tried QualysGuard Policy Compliance and eEye Digital Security's Retina, which are both on the validated scanners list, found here: http://nvd.nist.gov/scapproducts.cfm.

The steps to perform a SCAP scan are similar for any SCAP scanner. In broad strokes, there should be some way for the scanner to import the benchmark files, which are a set of XML files downloaded from DISA's website. Once the benchmarks are imported, set up a scan and point it at the device you want to test. All of the SCAP scanners I tested were network-based, which is different from how we used Gold Disk, which ran locally on the machine being tested. Network scanning makes scaling much easier, but it creates an additional challenge: the scanner has to authenticate to the device in order to scan properly. All the products I tested had good documentation and support that allowed me to set that up.

One final note: SCAP scanners will not work on the Windows Embedded family of devices. DISA does not publish benchmarks that are compatible with them. Each benchmark looks for a very specific OS fingerprint, and it will not run unless the target is a perfect match. To make matters worse, most of the scanners rely on services and features that may not exist in a given embedded OS. This was a huge blow that resulted in me having to test our latest device by hand, and I'd like to save someone else the headache of trying.
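To make the "OS fingerprint" point concrete, here is an added example (not code from this post, DISA, or any scanner vendor) that parses a small, constructed XCCDF benchmark in the shape of a DISA SCAP benchmark, lists its platform CPE and rules, and applies a simplified version of SCAP's platform-applicability check; the rule IDs and the CPE matching rules are assumptions for illustration, and a real scanner's CPE evaluation is more elaborate.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"

# Constructed, minimal XCCDF benchmark (not a real DISA file): one target
# platform and two rules, with placeholder rule IDs.
SAMPLE_BENCHMARK = f"""
<Benchmark xmlns="{XCCDF_NS}" id="Windows_7_STIG_Sample">
  <title>Sample Windows 7 Benchmark (constructed)</title>
  <platform idref="cpe:/o:microsoft:windows_7"/>
  <Group id="V-0000-A">
    <Rule id="SV-0000-A-r1_rule" severity="medium">
      <title>Account lockout duration must be configured</title>
    </Rule>
  </Group>
  <Group id="V-0000-B">
    <Rule id="SV-0000-B-r1_rule" severity="high">
      <title>Anonymous enumeration of shares must be restricted</title>
    </Rule>
  </Group>
</Benchmark>
"""


def parse_benchmark(xml_text):
    """Return the benchmark id, its platform CPEs, and (rule id, severity) pairs."""
    root = ET.fromstring(xml_text.strip())
    ns = {"x": XCCDF_NS}
    platforms = [p.get("idref") for p in root.findall("x:platform", ns)]
    rules = [(r.get("id"), r.get("severity"))
             for r in root.iter(f"{{{XCCDF_NS}}}Rule")]
    return {"id": root.get("id"), "platforms": platforms, "rules": rules}


def cpe_fields(cpe):
    # "cpe:/o:microsoft:windows_7" -> ["o", "microsoft", "windows_7", "", ...]
    fields = cpe[len("cpe:/"):].split(":")
    return fields + [""] * (7 - len(fields))


def platform_applies(benchmark, target_cpe):
    """Simplified applicability: the benchmark applies only if every field the
    platform CPE specifies equals the target's field (empty fields are wildcards).
    This is why a Windows Embedded target is rejected by a Windows 7 benchmark."""
    target = cpe_fields(target_cpe)
    for plat in benchmark["platforms"]:
        want = cpe_fields(plat)
        if all(w == "" or w == t for w, t in zip(want, target)):
            return True
    return False
```

Run `platform_applies(parse_benchmark(SAMPLE_BENCHMARK), "cpe:/o:microsoft:windows_embedded_standard:7")` to see the embedded OS fail the check while a Windows 7 SP1 target passes.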

Josh Tuttle

SPK Systems Integration Specialist
