From: NANOG <nanog-bounces@nanog.org> On Behalf Of Naslund, Steve Sent: Wednesday, October 10, 2018 1:06 PM
If there was a waiver issued for your ATO, it would have had to have been issued by a department head or the OSD and approved by the DoD CIO after Director DISA provides a recommendation and it is mandatory that it be posted at https://gtg.csd.disa.mil. Please see this DoD Instruction http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/831001p.pdf (the waiver process is on page 23). If it did not go through that process, then it is not approved not matter what anyone told you. I know your opinion did not make it through that process.
That only applies to RMF systems where DSS is the AO on behalf of the DoD. For anything that falls outside DSS purview you can do whatever the COTR for the Cog is willing to sign off on. Even under RMF, MUSAs and isolated LANs have those requirements tailored out by default. IWANS and UWANS that don't have connectivity to anything but themselves are also NA for the firewall requirements. At the present, contractor systems that don't connect to a USG network aren't required to implement any of the STIGs other than base OS. I don't expect things to stay that way, but I haven't heard anything from DSS to indicate it'll be changing anytime in the near future. It's less difficult than it first appears to get ATO from a technical standpoint (the paperwork hell IA is buried under is an entirely different story, but I'm not them and have no desire to be). Jamie