PaulDotCom mailing list archives

do you follow nist docs?


From: rgula at tenablesecurity.com (Ron Gula)
Date: Fri, 30 Oct 2009 20:48:24 -0400

Michael Dickey wrote:
> I don't want to usurp Tim's post, but with the mention of NIST, it
> brings up a question I've always had.
>
> Does anyone truly adhere to and build systems based off NIST docs? I'm
> not talking "inspired by" builds that take a handful of the settings and
> use them, but actually building to the specs such that you can say your
> build guide is NIST? This is a bit of a sanity check for me, as I'm
> skeptical.
>
> Don't get me wrong, I'm not dissing NIST! They make for great reading!
> (Usually.)

Folks in the DOD and US government surely do. We often get support
requests to update our Nessus audit policies for Oracle and MS SQL
configs within a day or two after DISA releases new content.

As DISA makes more XCCDF content, I also think you will see more
adoption of those configuration audit settings commercially.

-- 
Ron Gula, CEO
Tenable Network Security



