Federal agencies in the USA are bound by FISMA (Federal Information Security Management Act of 2002). Implementation is typically based on NIST SP 800-53, now in Rev 5. This applies from Federal park ranger booths to NORAD. Finance has Sarbanes-Oxley; healthcare has HIPAA. All of them have similar sets of controls.
I’ve been engaged in improving IT security engineering and compliance for TLAs (three-letter agencies) for decades, and it has been an uphill fight, to be sure. Why? Because yes…
Security protocols add friction to EVERYTHING, frustrating AF. It’s the challenge of security engineering. Best of intentions, of course, but security tools are nowhere near reliable enough to either install or manage or use. That’s why it’s work.
But in this day and age… I gotta tell ya, my little list here is just the tip, not the berg.
Right you are! My bad. Rev 5 has, indeed, reversed guidance on resets and strength. I hope I can get my current outfit to adopt Rev 5 sooner rather than later. And there’s a new control family in Rev 5, supply chain compliance, wherein every vendor in a supply chain might have to substantiate IT security compliance. I have NO idea how THAT can ever be enforceable, but it sounds like trouble in the making.
FWIW, AWS does provide for each of the items in my brainstorming list, though not simple checkboxes in every case. I write JSON/YAML every day to implement security policies for users and roles. Which speaks to my previous point about the tools being immature. I loathe coding. All my schooling was in graphic design, for Pete’s sake.
Thanks for Dalacor’s, Tut’s and everyone’s perfectly valid observations and opinions, vis-à-vis practical security measures vs. customer benefit.