While there may be some overlap, I believe SIMP is complementary to SSG.
I see SSG as a tool to achieve, verify, and report on desired-state of compliance. The
profiles used by SSG have a certain rigidity to them, as they are meant to align with
current guidance from NIST, PCI, DISA, etc. The applied profile(s) to systems within an
environment will likely be very similar, if not identical.
SIMP can apply and achieve a desired-state of function, role, and configuration required
by the system to which it applies, while remaining cognizant of the compliance
requirements. SIMP is also very flexible and modular, with an exponential number of
combinations of SIMP modules that could be applied to an individual system based on its
individual functional requirements.
To use an example of two commonly deployed and complementary security products in the DoD,
think of SSG like SecurityCenter, and SIMP like ePolicy Orchestrator -- the two have some
overlap, but fundamentally they serve different purposes.
Regards,
--
Paul C. Arnold
________________________________
From: scap-security-guide-bounces(a)lists.fedorahosted.org
[scap-security-guide-bounces(a)lists.fedorahosted.org] on behalf of Gallagher, Michael L
[michael.l.gallagher(a)lmco.com]
Sent: Thursday, July 16, 2015 10:11 PM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: SIMP
Hello, I would like to hear from the members on the list about how various projects in the
SSG ecosystem relate to the recently disclosed SIMP from the NSA. Obviously, it leverages
the scanning tools that are part of the RHEL distribution. Is it viewed as complementary
or redundant?
https://github.com/NationalSecurityAgency/SIMP
Mike Gallagher, CISSP, CEH