White Paper. Understanding NIST 800 37 FISMA Requirements



Similar documents
White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

IT Risk Management: Guide to Software Risk Assessments and Audits

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

Five Steps to Secure Outsourced Application Development

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Security Controls Assessment for Federal Information Systems

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Your world runs on applications. Secure them with Veracode.

CDM Vulnerability Management (VUL) Capability

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

How To Improve Nasa'S Security

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

Office of Inspector General

Security Control Standard

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

External Supplier Control Requirements

UNITED STATES PATENT AND TRADEMARK OFFICE. AGENCY ADMINISTRATIVE ORDER Agency Administrative Order Series. Secure Baseline Attachment

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

Information Security Guide For Government Executives. Pauline Bowen Elizabeth Chew Joan Hash

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

NASA OFFICE OF INSPECTOR GENERAL

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Information Security for Managers

VA Office of Inspector General

Guide for the Security Certification and Accreditation of Federal Information Systems

FSIS DIRECTIVE

2012 FISMA Executive Summary Report

05.0 Application Development

Final Audit Report -- CAUTION --

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

FISMA Compliance: Making the Grade

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

Security Control Standard

United States Patent and Trademark Office

VENDOR MANAGEMENT. General Overview

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015

VOLUME 4. State of Software Security Report. The Intractable Problem of Insecure Software

Compliance Risk Management IT Governance Assurance

Audit Report. Management of Naval Reactors' Cyber Security Program

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

POSTAL REGULATORY COMMISSION

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Get Confidence in Mission Security with IV&V Information Assurance

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

Office of Inspector General Audit Report

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

NIST Special Publication (SP) , Revision 2, Security Considerations in the System Development Life Cycle

Dr. Ron Ross National Institute of Standards and Technology

Public Law th Congress An Act

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY Report No. 4A-CI

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

CTR System Report FISMA

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

How To Monitor Your Entire It Environment

John Essner, CISO Office of Information Technology State of New Jersey

Audit of the Department of State Information Security Program

Guide for Security-Focused Configuration Management of Information Systems

TITLE III INFORMATION SECURITY

Privacy + Security + Integrity

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Security Control Standard

GAO. IT SUPPLY CHAIN Additional Efforts Needed by National Security- Related Agencies to Address Risks

FREQUENTLY ASKED QUESTIONS

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO TABLE OF CONTENTS

Five Best Practices of Vendor Application Security Management

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

AHS Flaw Remediation Standard

Passing PCI Compliance How to Address the Application Security Mandates

Seven Practical Steps to Delivering More Secure Software. January 2011

NISTIR 7359 Information Security Guide For Government Executives

AUDIT REPORT. The Energy Information Administration s Information Technology Program

Office of Inspector General

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies

DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE

Defending the Database Techniques and best practices

SANS Top 20 Critical Controls for Effective Cyber Defense

INFORMATION DIRECTIVE GUIDANCE GUIDANCE FOR MANUALLY COMPLETING INFORMATION SECURITY AWARENESS TRAINING

Final Audit Report. Report No. 4A-CI-OO

Transcription:

White Paper Understanding NIST 800 37 FISMA Requirements

Contents Overview... 3 I. The Role of NIST in FISMA Compliance... 3 II. NIST Risk Management Framework for FISMA... 4 III. Application Security and FISMA... 5 IV. NIST SP 800 37 and FISMA... 6 V. How Veracode Can Help... 7 VI. NIST SP 800 37 Tasks & Veracode Solutions... 8 VII. Summary and Conclusions... 10 About Veracode... 11 2008 Veracode, Inc. 2

Overview The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E Government Act of 2002 (Pub.L. 107 347, 116 Stat. 2899). The Act is meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating information security controls and periodic audits. I. The Role of NIST in FISMA Compliance The National Institute of Standards and Technology (NIST) is chartered with developing and issuing standards, guidelines, and other publications which federal agencies must follow to implement FISMA and manage cost effective programs to protect their information and information systems. NIST Special Publications (SP) 800 series combined with NIST s FIPS 199 and FIPS 200 create the risk based framework which federal agencies use to assess, select, monitor and document security controls for their information systems. NIST standards and guidelines are organized as follows: Federal Information Processing Standards (FIPS) are developed by NIST in accordance with FISMA. FIPS are approved by the Secretary of Commerce and are compulsory and binding for federal agencies. Since FISMA requires that federal agencies comply with these standards, agencies may not waive their use. Guidance documents and recommendations are issued in the NIST Special Publication (SP) 800 series. Office of Management and Budget (OMB) policies (including OMB Memorandum M 06 20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management) state that for other than national security programs and systems, agencies must follow NIST guidance.1 Other security related publications, including interagency and internal reports (NISTIRs), and ITL Bulletins, provide technical and other information about NIST's activities. These publications are mandatory only when so specified by OMB. 3

II. NIST Risk Management Framework for FISMA NIST has created a set of standards and guides which create a Risk Management Framework for agencies to manage organizational risk in accordance with FISMA requirements. This framework sets forth an approach to security control selection and specification with consideration to effectiveness, efficiency, and constraints. Federal agencies must undertake the following steps to maintain an effective information security program: Figure 1 NIST Framework Step 1 Define criticality /sensitivity of information system according to potential impact of loss Step 2 Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate Step 3 Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence Step 4 Document in the security plan, the security requirements for the information system and the security controls planned or in place Step 5 Implement security controls; apply security configuration settings Step 6 Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements) Step 7 Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation Step 8 Continuously track changes to the information system that may affect security controls and reassess control effectiveness 4

III. Application Security and FISMA Federal agencies have aggressively moved towards an egovernment model, adapting and migrating paper based processes to an internet based service model. As a result, virtually all federal information activity is controlled by software and universally accessible via web applications. Not surprisingly, attacks are now focused at the application layer, with as much as 75% of all new attacks targeted against software. As shown in the figure below, the National Vulnerability Database is reporting over 3,400 new software vulnerabilities disclosed in the first half of 2007 alone. Figure 2 Vulnerabilities by Severity (Source: Microsoft from NVD statistics) Not only is the number of vulnerabilities increasing, but perhaps the most alarming trend is the rise of High Severity vulnerabilities as a percentage of the total. As a result, auditors are looking more closely at controls related to software security and federal agencies must ensure that software applications have been tested for vulnerabilities that may compromise their systems in order to achieve FISMA compliance. 5

IV. NIST SP 800 37 and FISMA As part of its FISMA responsibility to develop standards and guidance for federal agencies, NIST created Special Publication (SP) 800 37 Guide for the Security Certification and Accreditation of Federal Information Systems. This guide is an integral part of the NIST Risk Management Framework for FISMA and is used by agencies to understand requirements and implement tasks pertaining to the certification, accreditation and continuous monitoring of information systems. The NIST SP 800 37 certification and accreditation process consists of four distinct phases as shown in Figure 3 below: Initiation Phase Ensure that the authorizing official and senior agency information security officer are in agreement with the contents of the system security plan. Security Certification Phase Determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome. Security Accreditation Phase Determine if the remaining known vulnerabilities in the information system pose an acceptable level of risk to agency operations, agency assets, or individuals. Continuous Monitoring Phase Provide oversight and monitoring of the security controls in the information system on an ongoing basis and to inform the authorizing official when changes occur. Figure 3 NIST SP 800 37 Phases Once there is agreement on the contents of the system security plan during the initiation phase, the certification agent can begin the assessment of the security controls in the information system. The certification agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the information system and to ensure the creditability of the assessment result should be an outside expert that is independent from the persons directly responsible for the development, implementation and management of the information system. However, security certification does not include the determination of risk to the agency. It is the security accreditation phase where the senior management of the agency reviews the findings of the security certification and assesses the risk posed to agency operations, agency assets, or individuals to make a decision if the system should be accredited. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. 6

V. How Veracode Can Help To help address the needs of federal agencies to assess their application security risks for FISMA compliance, Veracode has designed the first complete, automated application security testing service that incorporates multiple vulnerability scanning technologies in an integrated on demand model. Based on its centralized on demand platform, Veracode can deliver results in a matter of hours across the entire agency without the need to purchase any hardware, software or hire additional consultants. How Veracode s SecurityReview Works As an easy to use on demand service, all Veracode requires from the agency to scan software applications is either a URL of the web application, the application binary for internally developed software or the vendor contact for third parties that provided software to the agency. Since Veracode s on demand service is based on web scanning and binary analysis, no source code is required to conduct the testing. Results to the agency are available in as quickly as 24 to 72 hours, providing detailed vulnerability reports which are used to provide documentation and evidence for the agency s information security program. Independent Review with Standards Based Ratings As an expert in application security, Veracode is in a unique position to provide an independent assessment and standards based rating to ensure your applications comply with FISMA rules. Auditors require proof that your applications are free from vulnerabilities and they need a method to evaluate findings against a well known industry benchmark. Veracode's Ratings System solves this issue by producing a software security rating based on respected government standards including NIST for definitions of assurance levels, MITRE s Common Weakness Enumeration (CWE) for classification of software weaknesses and FIRST s Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability. These universally accepted vulnerability scoring methods provide auditors confidence that you have effective security controls in place. 7

VI. NIST SP 800 37 Tasks & Veracode Solutions NIST has divided the four phases of SP 800 37 into a series of ten tasks which agencies use to streamline their certification and accreditation processes and comply with FISMA. While these tasks are applicable to all aspects of information security, Veracode s application security testing provides independent testing which can be used as evidence and documentation to support a variety of NIST SP 800 37 activities. The following table provides guidance on how Veracode can be used to support tasks identified by NIST SP 800 37: NIST 800 37 Task Description Veracode Solution Task 1: Preparation Task 1.3 Threat Identification Task 1.4 Vulnerability Identification Task 1.6 Initial Risk Determination Task 4.1 Documentation and Supporting Materials Confirm that potential threats that could exploit information system flaws or weaknesses have been identified and documented in the system security plan, risk assessment, or an equivalent document. Confirm that flaws or weaknesses in the information system that could be exploited by potential threat sources have been identified and documented in the system security plan, risk assessment, or an equivalent document. Confirm that the risk to agency operations, agency assets, or individuals has been determined and documented in the system security plan, risk assessment, or an equivalent document. Task 4: Security Control Assessment Assemble any documentation and supporting materials necessary for the assessment of the security controls in the information system; if these documents include previous assessments of security controls, review the findings, results, and Veracode s application security testing can be used to identify threats in the agency s application inventory which could affect the confidentiality, integrity or availability of the system. Per NIST s recommendation, Veracode provides an automated scanning solution to identify vulnerabilities in software. Veracode can identify vulnerabilities resulting from the absence of security within software applications. The application security report provided by Veracode can be used as part of the documentation and supporting materials during the security control assessment. 8

NIST 800 37 Task Description Veracode Solution Task 4.2 Methods and Procedures Task 4.3 Security Assessment Task 4.4 Security Assessment Report Task 5.1: Findings and Recommendations Task 5.3: Plan of Action and Milestones Preparation Task 8.2: Security Impact Analysis Task 9.2: Selected Security Control Assessment evidence. Select, or develop when needed, appropriate methods and procedures to assess the information system. Assess the management, operational and technical security controls in the information system using methods and procedures selected or developed. Prepare the final security assessment report. Task 5: Security Certification Documentation Provide the information system owner with the security assessment report. Prepare the plan of action and milestones based on the results of the security assessment. Task 8: Configuration Management and Control Analyze the proposed or actual changes to the information system (including hardware, software, firmware, and surrounding environment) to determine the security impact of such changes. Task 9: Security Control Monitoring Assess an agreed upon set of security controls in the information system to Veracode s application security testing can be used to provide an automated method and procedure for software assessments. Veracode s automated application security testing provides a method and procedure for assessing the technical security controls around software applications. Veracode s application security report can be provided as supporting evidence as part of the final report. Veracode s application security report can be provided as supporting evidence as part of the findings and recommendations. Veracode provides agencies with a recommended remediation plan with milestones for improving the security of the evaluated software. Veracode enables applications to be tested for security vulnerabilities prior to deployment as part of a change control management process. Using Veracode s application security testing, agency s can analyze applications for 9

NIST 800 37 Task Description Veracode Solution determine the extent to which the controls are implemented correctly and producing the desired outcome with respect to meeting the security requirements. vulnerabilities to determine if the controls related to securing applications from vulnerabilities are being met. Task 10: Status Reporting and Documentation Task 10.2: Plan of Action and Milestones Update Update the plan of action and milestones based on the documented changes to the information system (including hardware, software, firmware, and surrounding environment) and the results of the continuous monitoring process. Veracode provides agencies with a recommended remediation plan with milestones for improving the security of the evaluated software. Table 1 NIST 800 37 Tasks Mapped to Veracode Solutions VII. Summary and Conclusions With 75 % of all new attacks against software and 90 % of all vulnerabilities in software, NIST and FISMA recognize that federal agencies must place a strong emphasis on application security. Federal agencies that wish to improve their overall security along with their FISMA Grade should prepare for the new threats targeted at their applications and prepare themselves well in advance for more stringent requirements by evaluating their software using third party application security service providers. 10

About Veracode Veracode is the world s leader for on demand application security testing solutions. Veracode SecurityReview is the industry s first solution to use patented binary code analysis and dynamic web analysis to uniquely assess any application security threats, including vulnerabilities such as cross site scripting (XSS), SQL injection, buffer overflows and malicious code. SecurityReview performs the only complete and independent security audit across any internally developed applications, third party commercial off the shelf software and offshore code without exposing a company s source code. Delivered as an on demand service, Veracode delivers the simplest and most cost effective way to implement security best practices, reduce operational cost and achieve regulatory requirements such as PCI compliance without requiring any hardware, software or training. Veracode has established a position as the market visionary and leader with awards that include recognition as a Gartner Cool Vendor 2008, Info Security Product Guide s Tomorrow s Technology Today Award 2008, Information Security Readers Choice Award 2008, AlwaysOn Northeast's "Top 100 Private Company 2008", NetworkWorld Top 10 Security Company to Watch 2007, and Dark Reading s Top 10 Hot Security Startups 2007. Based in Burlington, Mass., Veracode is backed by.406 Ventures, Atlas Venture and Polaris Venture Partners. For more information, visit www.veracode.com. 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information