While there may be some overlap, I believe SIMP is complementary to SSG.

I see SSG as a tool to achieve, verify, and report on desired-state of 
compliance. The profiles used by SSG have a certain rigidity to them, as they 
are meant to align with current guidance from NIST, PCI, DISA, etc. The applied 
profile(s) to systems within an environment will likely be very similar, if not 
identical.

SIMP can apply and achieve a desired-state of function, role, and configuration 
required by the system to which it applies, while remaining cognizant of the 
compliance requirements. SIMP is also very flexible and modular, with an 
exponential number of combinations of SIMP modules that could be applied to an 
individual system based on its individual functional requirements.

To use an example of two commonly deployed and complementary security products 
in the DoD, think of SSG like SecurityCenter, and SIMP like ePolicy Orchestrator 
-- the two have some overlap, but fundamentally they serve different purposes.

Regards,
--
Paul C. Arnold
________________________________
From: [email protected] 
[[email protected]] on behalf of Gallagher, 
Michael L [[email protected]]
Sent: Thursday, July 16, 2015 10:11 PM
To: [email protected]
Subject: SIMP

Hello, I would like to hear from the members on the list about how various 
projects in the SSG ecosystem relate to the recently disclosed SIMP from the 
NSA.  Obviously, it leverages the scanning tools that are part of the RHEL 
distribution.  Is it viewed as complementary or redundant?

https://github.com/NationalSecurityAgency/SIMP


Mike Gallagher, CISSP, CEH
-- 
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
