We’re using Big-IP AMI instances within our AWS installation and going before the FedRAMP group for authorization. Our version of the Big-IP software is 15.1.1 and we’ve hardened the devices per https://support.f5.com/csp/article/K53108777. That hardening applies to the application, whereas our scans (Nessus) are showing vulnerabilities at the OS layer.
Guidance from F5 Networks is: Nessus appears to be treating BIG-IP as a standard Linux distribution, which it is not …As long as you are on the latest version of TMOS (currently 15.1.1 is the most recent long term stability release), the system should be resilient to most attacks…Installing 3rd party software or taking remediation steps outside those documented above might result in an unsupported configuration…
Does anyone have experience with the FedRAMP and/or US Government ATO processes who can vouch for the government accepting a response where the OS is NOT being scanned?
I’m not arguing whether they should accept a non-OS-level scan, but hoping to gain feedback from someone who has gone through this process to understand what the government folks are expecting from us. We’re likely doing our scans incorrectly and I would like confirmation on what we should be providing.