DISA Checklists
I've felt resistance from system administrators regarding the use of DISA checklists to set up IA-related products.
I noticed a statement at the beginning of one of the checklists that I think will help me convince them that the checklists are clearly required.
The checklist says,
"1.1 Authority Sites are required to secure the Microsoft Windows Server 2003 operating system in accordance with DOD Directive 8500.1, Section 4.18 (and related footnote)."
So I looked that up. Here's what I found:
DoDD 8500.1, Oct. 24, 2002: "4.18. All IA and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD-approved security configuration guidelines.1"
The footnote says,
"1 Guidelines are available at http://iase.disa.mil/ and http://www.nsa.gov/"
The required security controls in DoDI 8500.2 should have already provided me with enough material to convince them to use the checklists, but maybe this will reinforce the idea.