Comment by AnthonyMouse

3 days ago

> It's to prop up American businesses, and as a form of corporate welfare.

You say that like it's an actual policy goal. You don't think it's because those companies donate to the campaigns of the politicians doing it? It's corruption.

> You say that like it's an actual policy goal.

I do. There are reasons for that from previous employment that would indicate that as a policy goal.

Red Hat is also technically accepted by US Gov. Technically. But you need to use? They're bypassing all sorts of security shit with ongoing POAMs and doing their own thing.

And yes, I would agree that it's corruption as well.

  • Getting it written down as a policy goal in formal documents or training materials for mid-level bureaucrats is a mechanism of action for the corruption.

    It's a matter of whether it would happen even if nobody was writing a check, and it still seems like the answer is no.

    • A great case example of this corruption is the following:

      AC-2 : Kerberos/LDAP/DNS/Shibboleth CAN suffice, but auditors will absolutely look for Active Directory. Most auditors don't even know how to prove Linux this way.

      CM-6 : this is just a roundabout way of saying 'do you support GPOs?'. Sure, Puppet can work, as can on-login bash scripts stored on a Windows AD server. But why use Linux clients when you're already using Windows AD?

      Now, nowhere in NIST does it actually say 'MS Windows'. It's just that the control is worded in such a way that proving it on Windows is easy, and on Linux it is very hard to impossible to prove.

      There was a single exception to vendor agnosticism, and that was the requirement of McAfee security software. I can't find the control offhand, but now it's called Trellix.