It's been a while since I posted anything. For one, we were waiting for the fiscal year to end to see what proposals we would be awarded. Two, after weeks of slowness, I just got back from a big audit. It was interesting because it was as if they did not want us there. We were holed up in a back conference room, our contacts went out of their way to ignore us, and we found lots of different machines/technologies/platforms that we were not expecting. (At least, they didn't tell us about them before we got there.) I know, shocking. I don't know if it is because they don't want to pay for more work, or they are just ignorant about their network. Granted, there was virtually no documentation, and we STILL do not have a network diagram.
While working this contract, we are working on updating our testing process. I don't think it is a secret that DISA is getting out of the business of producing Gold Disks. Personally, I think they want to get out of the tool development process all together. I foresee DISA maintaining the STIGS and requirements, but I do not see them developing tools to test those requirements. To that end, we've been working on how we will test those controls in the future; and we're looking at SCAP-based products. We'll see how this goes.