Hi @aport-305 Excellent! Glad you think the tool will work for you!
The STIG Manager project itself does not have an ATO, but several organizations have gotten ATOs for their specific deployments. We do offer some guidance in our docs: https://stig-manager.readthedocs.io/en/latest/installation-and-setup/securing.html
We also include a partially-completed Application Security and Development STIG .ckl file here, in our repo, that you can import into STIG Manager: https://github.com/NUWCDIVNPT/stig-manager/blob/main/docs/STIG-Manager-OSS.ckl
The items that we as developers can answer have been filled out, and for the rest we try to provide some guidance in the comments with a result of "Informational." Also, you can always configure yourself OUT of compliance, so you'd want to validate our answers as well, to make sure they still apply to your deployment.
We also offer images on Iron Bank, which does provide container scanning and report artifacts:
-
Greetings,
I recently tested out STIG Manager in my home lab and loved it. I realized we need to be using STIG Manager in my work center, which would streamline the painful task of manually calculating STIG Metrics and eliminate the human error element to a certain degree.
Our approving official does not want to deploy the application without proof of an ATO. Is there an ATO for STIG Manager or some type of vulnerability testing that's done so that I can present the information to get STIG Man approved?