Comment by AnthonyMouse

3 days ago

Getting it written down as a policy goal in formal documents or training materials for mid-level bureaucrats is a mechanism of action for the corruption.

It's a matter of whether it would happen even if nobody was writing a check, and it still seems like the answer is no.

A great case example of this corruption is the following:

AC-2 : Kerberos/LDAP/DNS/Shibboleth CAN suffice, but auditors will absolutely look for Active Directory. Most auditors don't even know how to prove Linux this way.

CM-6 : this is just a roundabout way of saying 'do you support GPOs?'. Sure, Puppet can work, as can on-login bash scripts stored on a Windows AD server. But why use Linux clients when you're already using Windows AD?

Now, nowhere in NIST does it actually say 'MS Windows'. It's just that the control is worded in such a way that proving it on Windows is easy, and on Linux it is very hard to impossible to prove.

There was a single exception to vendor agnosticism, and that was the requirement of McAfee security software. I can't find the control offhand, but now it's called Trellix.