US FEDERAL: CCRI Season Lessons Learned
'Tis the season for CCRI across the DoD landscape. It seems around this time every year, we start to get a lot of calls and emails concerning best practices for CCRI, STIG/SRG, and Federal compliance. While we can't really help with things like IAT levels or application configurations, we can provide some lessons learned concerning any BIG-IP in your networks. So, first things first...
What Is a CCRI?
The CCRI is a thorough review of a Department of Defense entity's cyber-readiness status conducted by DISA. The criteria for the review are based on several key industry standards, including DISA's Security Technical Implementation Guides (STIGs), and various Chairman of the Joint Chiefs of Staff Instruction (CJCSI) directives.
Have (and Configure) the Right Hardware
This comes up all the time. On DoD networks, if you are processing crypto on the BIG-IP, you need to have FIPS 140-2 key storage (an HSM), not just FIPS cipher support; see, e.g., STIG ID SRG-APP-000179-NDM-000265. If you are on DREN, you may have some slack. If you are NOT processing crypto (layer 4 and below traffic only), then you may be OK.
Also, it is not just a checkbox. The ciphers need to be configured in the SSL profiles, and the private keys need to be imported into the HSM.
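As an added example (not F5's code and not part of the PowerSRG script), the following Python audits constructed `tmsh` output for the two points above: each client-ssl profile's cipher string must be an explicit list with no weak tokens enabled, and each referenced key must live in the HSM. The sample output is constructed, and the `security-type fips` attribute on the ssl-key object is assumed to be how HSM-stored keys are reported.

```python
import re

# Constructed sample of `tmsh list ltm profile client-ssl` output (not captured from a device).
PROFILES = """\
ltm profile client-ssl app_clientssl {
    cert app.crt
    ciphers ECDHE+AES-GCM:!RC4:!MD5:!SSLv3
    defaults-from clientssl
    key app.key
}
ltm profile client-ssl legacy_clientssl {
    cert legacy.crt
    ciphers DEFAULT:RC4-SHA
    defaults-from clientssl
    key legacy.key
}
"""
# Constructed sample of `tmsh list sys file ssl-key` output; "security-type fips" is
# assumed here to mark a key stored in the FIPS HSM partition.
KEYS = """\
sys file ssl-key app.key {
    security-type fips
}
sys file ssl-key legacy.key {
    security-type normal
}
"""

# Cipher-string tokens an auditor would not want to see enabled. DEFAULT is included
# because it is not an explicit, reviewable cipher list.
WEAK = {"RC4", "MD5", "DES", "EXPORT", "NULL", "SSLv2", "SSLv3", "DEFAULT"}
BLOCK = re.compile(r"^\S[^\n]* (\S+) \{\n([\s\S]*?)^\}", re.M)

def parse_blocks(text):
    """Map each tmsh object name to a dict of its attributes."""
    out = {}
    for name, body in BLOCK.findall(text):
        attrs = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            attrs[key] = value
        out[name] = attrs
    return out

def audit(profiles_text, keys_text):
    """Return {profile name: [findings]}; an empty list means the profile passed."""
    keys = parse_blocks(keys_text)
    findings = {}
    for name, attrs in parse_blocks(profiles_text).items():
        issues = []
        # Tokens negated with "!" are disabled; only enabled tokens are inspected.
        enabled = [t for t in attrs.get("ciphers", "DEFAULT").split(":") if not t.startswith("!")]
        for tok in sorted(enabled):
            if WEAK & set(re.split(r"[-+]", tok)):
                issues.append(f"weak or unreviewed cipher token enabled: {tok}")
        key = attrs.get("key")
        if keys.get(key, {}).get("security-type") != "fips":
            issues.append(f"key {key} is not stored in the FIPS HSM")
        findings[name] = issues
    return findings
```

Run `audit(PROFILES, KEYS)` against real `tmsh list` output saved from the device to get the same per-profile report before the reviewers do.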
Baseline the BIG-IP
There are several steps everyone should take to baseline a BIG-IP for security audits in the Federal space. First, the device needs to be on an approved (preferably maintenance) release, meaning 11.5.3 or higher. (Most of the SRGs were written with 12.0 in mind.)
Second, run the NIST SP 800-53r4 iApp. A deployment guide is available at the following link: https://www.f5.com/pdf/deployment-guides/nist-sp-800-53-r4-dg.pdf
Third, follow the Military Unique Deployment Guide, available from the F5 Federal Account team, or from the UCCO FSO with the Conditions of Fielding. This guide was originally written with 11.6 in mind, but most configurations still apply.
Optionally, there is an open-source PowerShell script available on GitHub that covers many of the items in the MUDG, as well as several additional hardening configurations. It is provided as-is, with no support. https://github.com/Mikej81/PowerSRG
Remediate and/or POA&M
Now that the BIG-IP is configured, there may still be findings that come up after, or between updates of, the current guidance. There is a BIG-IP POA&M document available from the F5 Federal Account Team, which details false positives and remediations for findings.
For any new CVE or findings not currently documented, it is possible to use Google to search for "official" guidance from F5 (Solution articles, or SOLs) on support.f5.com.
If a SOL does not currently exist for a finding, immediately open a support case, and contact your F5 Account Team.
The CCRI process can be long and painful if you are not properly prepared. Have your devices baselined ahead of time. Reach out to your account team for updated documents or any questions.
A Couple of Notes
The SRGs/STIGs are largely based on TMOS v12, while the MUDG v1.2 is largely based on TMOS 11.x (mostly 11.6). This happened due to timing issues, but we are working on resolving it as soon as we can.
There is no magic wand, yet. The PowerShell script is a big help with most of the tests, but it does not account for everything. If you have an idea, send an email, or offer up some code on GitHub.
And finally, good luck!