Also, for those who are working with Red Hat technology, we've been
using the SCAP Security Guide project as the upstream development repo
for our STIGs and security guidance. To date the project has been used
as the upstream source of the JBoss EAP5 NIST guidance, the RHEL6 STIG,
and working on the NSA RHEL6 SNAC Guide. On deck is the first OpenStack
STIG (work begins on that next week, actually!).
1,988 days passed between RHEL5 GA and the RHEL5 STIG, with RHEL6 we cut
this down to 932 through utilizing open source development methods. For
RHEL7 we might actually have a STIG before or *very* slightly delayed
from the general announcement of RHEL 7.0. You mentioned ActiveMQ in
your technologies list, which is part of the Red Hat family. If there is
interest in working together to form an ActiveMQ STIG or NIST Checklist
let me know! It'd be great to identify shared problem spaces within the
Mil-OSS community and begin working on STIGs together.
I'm personally interested in collaborating around Red Hat technologies,
however we're not alone in the 'open sourcing the STIG' mentality. Apple
is performing this work via their SCAP on Apple project:
http://scap-on-apple.macosforge.org/
Within the SCAP Security Guide community we've created a common build
process that can be applied towards other technologies, either within
the SCAP Security Guide umbrella or forked into their own communities.
The SSG has strong RH involvement, but isn't mean to be only for Red Hat
tech!