Peter Mell and Stephen Quinn Computer Security Division NIST

Presentation transcript:

Automating Compliance Checking, Vulnerability Management, and Security Measurement Peter Mell and Stephen Quinn Computer Security Division NIST A DISA, NSA, and NIST Partnership Sponsored by DHS

Outline Security Content Automation Program Objectives and Benefits FISMA and DOD Compliance Automation How and why Enabling Automation Through Integration of Government and Industry Programs Technical Approach Status

Impact Rating or MAC/CONF The Compliance Game Every high level policy should ultimately map to low level settings FISMA HIPAA SOX GLB INTEL COMSEC ‘97 DoD ISO Vendor 3rd Party SP 800-53 ??? ??? ??? DCID NSA Req DoD IA Controls 17799 ??? NSA Guides DISA STIGS & Checklists ??? Guide Guide SP 800-68 Finite Set of Possible Known IT Risk Controls & Application Configuration Options Agency Tailoring Mgmt, Operational, Technical Risk Controls Millions of Settings to manage across the Agency High Enterprise Moderate Low SP1 Mobile Stand Alone Windows XP SP2 SSLF OS or Application Version/ Role Major Patch Level Impact Rating or MAC/CONF Environment

FISMA Compliance Model FISMA Legislation High Level, Generalized, Information Security Requirements 30,000 FT 15,000 FT 5,000 FT Ground Zero Federal Information Processing Standards FIPS 199: Information System Security Categorization FIPS 200: Minimum Information Security Requirements Management-level Security Controls Operational-level Security Controls Technical-level Security Controls Information System Security Configuration Settings NIST, NSA, DISA, Vendors, Third Parties (e.g., CIS) Checklists and Implementation Guidance It is not possible to manually get from 30,000 ft to ground zero; automated security techniques must be employed

The Current Quagmire… Agency must secure system Much of this is implementing and monitoring low level security settings Ensure secure OS/Application installations (e.g., secure images) Vulnerability mitigation/Patch application Security monitoring Insufficient funding available Agency must comply with regulations Higher level security controls Requires low level operational security to be performed but often implemented as a paperwork exercise Consumes large amounts of resources

Finite Set of Possible Known Security Configuration Options & Patches …Looks Like This… Reporting Compliance Environment DISA STIG (Platinum) Mobile User DISA STIG (Gold) 1 to n NIST Special Pub. Enterprise Agency Baseline Configuration NSA Guide Vendor Guide Other Tool Vendor Rec. Finite Set of Possible Known Security Configuration Options & Patches

…Looks Like This. Now Report Compliance Reporting Compliance Environment (Mobile User, Enterprise, Other) Agency Baseline Configuration DISA STIG (Gold) DISA STIG (Platinum) NIST SP800-68 CIS Benchmark NSA Guide Vendor Guide [the slide repeats this same set of guidance sources for every environment and every reporting target]

A Closer Look At Operations Reporting Compliance What If IT System Deployed Elsewhere? New CIO: Why Not Use the Vendor's Guide? Mobile User Enterprise Other Agency Baseline Configuration DISA Platinum Vendor Guide NIST Special Pub DISA Gold NSA Guide Finite Set of Possible Known Security Configuration Options and Patches

A Closer Look At Operations What Happens When Changes Occur to the Vendor Guide? Mobile User Enterprise Other Agency Baseline Configuration DISA Platinum Vendor Guide NIST Special Pub DISA Gold NSA Guide Finite Set of Possible Known Security Configuration Options and Patches

Security Content Automation Program (SCAP) How Security Automation Helps Mobile User Enterprise Other Agency Baseline Configuration All of the “How To” and “Mapping” Performed Here! Security Content Automation Program (SCAP) DISA Platinum Vendor Guide NIST Special Pub DISA Gold NSA Guide Finite Set of Possible Known Security Configuration Options and Patches

How Does This Work? OVAL SCAP XCCDF XCCDF CVE + CCE Mobile User Enterprise Other Agency Baseline Configuration SCAP XCCDF XCCDF DISA Platinum Vendor Guide NIST Special Pub DISA Gold NSA Guide OVAL CVE + CCE

Outline Security Content Automation Program Objectives and Benefits FISMA and DOD Compliance Automation How and why Enabling Automation Through Integration of Government and Industry Programs Technical Approach Status

Standards Based Automation The Compliance Answer Reduce high level security requirements (e.g., 800-53 controls)? Congress provides more resources? Standards Based Automation

Compliance & Security Problem – Comply with policy. How – Follow recommended guidelines – So many to choose from. Customize to your environment – So many to address. Document your exceptions – I’ve mixed and matched, now what? Ensure someone reads your exceptions – Standardized reporting format. Should be basic: One coin, different sides. If I configure my system to comply with a regulation, does it mean it’s secure, and vice versa?

Covering the Vulnerability Landscape Vulnerabilities Security Related Software Flaws OS/Application Security Related Misconfigurations Common Configuration Enumeration (CCE) Common Vulnerabilities And Exposures (CVE)

SCAP CONOPS Phase I NSA Red/Blue Database COTS Tools Standard DISA STIGS Vulnerability Management System 6.0 NIST 800-70 SP 800-70 NIST National Vulnerability Database MITRE OVAL Repository Standard OVAL Patches Standardized Scan Criteria in XCCDF/OVAL format Red Hat Participating Vendors NSA Red/Blue Database COTS Tools

Vulnerability Management System 6.0 SCAP CONOPS Phase I DISA Vulnerability Management System 6.0 NIST 800-70 SP 800-70 Software Vendors OS/Application Configuration Requirements Standard Patch and Software Flaw Checks Automated Checking Content COTS Tools

SCAP CONOPS- Phase I (continued…) Security Product Vendors & Point Solution Providers Federal Agencies DoD & Civil Security Compliance Standardized Security Measurement Agency Specified Vulnerability Management FISMA HIPAA SOX GLB INTEL DoD 8500 ISO

High Level Objectives Enable technical control compliance automation Low level vulnerability checks map to high level compliance requirements Enable standardized vulnerability management Empower security product vendor community to perform on-demand, Government directed security and compliance audits End user organization can specify requirements COTS tools automatically perform checks Enable security measurement FISMA scorecards have a quantitative component that maps to actual low level vulnerabilities

Additional Security Content Automation Program Objectives Replace Stove-pipe GOTS Approaches Establish vulnerability management standards Encourage product vendors (e.g., Microsoft, Sun, Oracle, Red Hat) to provide direct support in the form of security guidance/content.

Introductory Benefits Federal Agencies Automation of technical control compliance (FISMA) Ability of agencies to specify how systems are to be secured Ability to measure security using standardized methods COTS Tool Vendors – Vendors compete on quality of tool, not the checking content Provision of an enhanced IT security data repository No cost and license free Standards based: CVE/OVAL/XCCDF/CVSS/CCE Cover both software flaw and configuration issues Elimination of duplication of effort/Cost reduction through standardization

Common FISMA Statements While FISMA compliance is important, it can be complex and demanding. “Can parts of FISMA compliance be streamlined and automated”? “My organization spends more money on compliance than remediation”.

Fundamental FISMA Questions What are the NIST Technical Security Controls? What are the Specific NIST recommended settings for individual technical controls? How do I implement the recommended setting for technical controls? Can I use my COTS Product? Am I compliant to NIST Recs & Can I use my COTS Product? Will I be audited against the same criteria I used to secure my systems?

Security Control Monitoring Security Control Selection FISMA Documents SP 800-37 Security Control Monitoring FIPS 200 / SP 800-53 Security Control Selection What are the NIST Technical Security Controls? What are the Specific NIST recommended settings for individual technical controls? How do I implement the recommended setting for technical controls? Can I use my COTS Product? SP 800-53 / FIPS 200 / SP 800-30 SP 800-37 System Authorization Am I compliant to NIST Recs & Can I use my COTS Product? Security Control Refinement Will I be audited against the same criteria I used to secure my systems? SP 800-53A / SP 800-26 / SP 800-37 SP 800-18 Security Control Documentation Security Control Implementation SP 800-70 Security Control Assessment

Automation of FISMA Technical Controls COTS Tools What are the NIST Technical Security Controls? What are the Specific NIST recommended settings for individual technical controls? NVD How do I implement the recommended setting for technical controls? Can I use my COTS Product? Am I compliant to NIST Recs & Can I use my COTS Product? Will I be audited against the same criteria I used to secure my systems?

Number of Controls with Automated Validation Support Full Automation 21 (13%) Partial Automation 28 (17%) Cyber Security Assessment and Mgmt Full Automation: 31 (19%) Partial Automation: 39 (24%) Security Content Automation Program Machine-readable Security Report Formats Future Automation Techniques 44 (27%) or No Automation Total Controls 163 (100%)

Inside The Numbers Importance/Priority Complexity of Implementation Securely configuring an IT system is of great importance. Complexity of Implementation Provide Common Framework Some controls require system-specific technical knowledge not always available in personnel. Labor Some Controls (e.g., AC-3, CM-6) require thousands of specific checks to ensure compliance.

On the Schedule * = Some beta content is available Content for Platforms and Applications Under Development * Windows Vista (Profiles: Microsoft, Air Force, NIST) * Windows XP Professional (Profiles: DISA, NSA, NIST/FISMA) * Windows 2003 (Profiles: DISA, NSA, NIST/FISMA, Microsoft) Desktop Applications: IE 6.0, IE 7.0, Netscape, Firefox, Office 2000, Office 2003, Office 2007, Office XP, JVM, Adobe Reader/Acrobat, Flash, .Net Framework. Red Hat Linux (Profiles: Vendor and DISA) Content Scheduled Platforms and Applications Under Development Web Servers IIS 5, IIS 6 * = Some beta content is available

Mappings To Policy & Identifiers FISMA Security Controls (All 17 Families and 163 controls for reporting reasons) DoD IA Controls CCE Identifiers (configuration issues) CVE Identifiers (software flaw issues) CVSS Scoring System (vulnerability impact) DISA Vulnerability Management System Gold Disk NSA References Vendor References etc.

NIST Publications NIST Checklist Publication (Revised Special Publication 800-70) NIST IR – National Security Automation Program NIST IR 7275 – XCCDF version 1.1.2 (Draft Posted)

Outline Security Content Automation Program Objectives and Benefits FISMA and DOD Compliance Automation How and why Enabling Automation Through Integration of Government and Industry Programs Technical Approach Status

Impact Rating or MAC/CONF The Compliance Game Every high level policy should ultimately map to low level settings FISMA HIPAA SOX GLB INTEL COMSEC ‘97 DoD ISO Vendor 3rd Party SP 800-53 ??? ??? ??? DCID NSA Req DISA STIGs 17799 ??? NSA Guides Checklists ??? Guide Guide SP 800-68 Finite Set of Possible Known IT Risk Controls & Application Configuration Options Agency Tailoring Mgmt, Operational, Technical Risk Controls Millions of Settings to manage across the Agency High Enterprise Moderate Low SP1 Mobile Stand Alone Windows XP SP2 SSLF OS or Application Version/ Role Major Patch Level Impact Rating or MAC/CONF Environment

XML Made Simple XCCDF - eXtensible Car Care Description Format OVAL – Open Vehicle Assessment Language
<Car>
  <Description>
    <Year> 1997 </Year>
    <Make> Ford </Make>
    <Model> Contour </Model>
    <Maintenance>
      <Check1> Gas Cap = On </Check1>
      <Check2> Oil Level = Full </Check2>
    </Maintenance>
  </Description>
</Car>
<Checks>
  <Check1>
    <Location> Side of Car </Location>
    <Procedure> Turn </Procedure>
  </Check1>
  <Check2>
    <Location> Hood </Location>
    <Procedure> … </Procedure>
  </Check2>
</Checks>

XCCDF & OVAL Made Simple XCCDF - eXtensible Checklist Configuration Description Format OVAL – Open Vulnerability Assessment Language
<Checks>
  <Check1>
    <Registry Check> … </Registry Check>
    <Value> 8 </Value>
  </Check1>
  <Check2>
    <File Version> … </File Version>
    <Value> 1.0.12.4 </Value>
  </Check2>
</Checks>
<Document ID> NIST SP 800-68
  <Date> 04/22/06 </Date>
  <Version> 1 </Version>
  <Revision> 2 </Revision>
  <Platform> Windows XP
    <Check1> Password >= 8 </Check1>
    <Check2> FIPS Compliant </Check2>
  </Platform>
</Document ID>

Application to Automated Compliance The Connected Path 800-53 Security Control Result 800-68 Security Guidance API Call NSAP Produced Security Guidance in XML Format COTS Tool Ingest

Application to Automated Compliance 800-53 Security Control: AC-7 Unsuccessful Login Attempts 800-68 Security Guidance / DISA STIG / DISA Checklist / NSA Guide: AC-7: Account Lockout Duration; AC-7: Account Lockout Threshold NSAP Produced Security Guidance in XML Format:
<registry_test id="wrt-9999" comment="Account Lockout Duration Set to 5" check="at least 5">
  <object>
    <hive>HKEY_LOCAL_MACHINE</hive>
    <key>Software\Microsoft\Windows</key>
    <name>AccountLockoutDuration</name>
  </object>
  <data operation="AND">
    <value operator="greater than">5*</value>
  </data>
</registry_test>
COTS Tool Ingest, API Call:
lpHKey = "HKEY_LOCAL_MACHINE"
Path = "Software\Microsoft\Windows\"
Value = "5"
sKey = "AccountLockoutDuration"
Op = ">"
RegQueryValue (lpHKey, path, value, sKey, Value, Op);
If (Op == '>') if (sKey < Value) return (1); else return (0);
Result

Security Measurement How secure is my computer? Measure security of the configuration Measure conformance to recommended application and OS security settings Measure the presence of security software (firewalls, antivirus…) Measure presence of vulnerabilities (needed patches) How well have I implemented the FISMA requirements (NIST SP800-53 technical controls)? Measure deviation from requirements Measure risk to the agency

Setting Ground Truth/Defining Security For each OS/application FISMA/FIPS 200 List of all known vulnerabilities 800-53 Low Level Checking Specification Required technical security controls Secure Configuration Guidance Security Specifications for Platforms And Application Vulnerabilities Required Configurations Necessary Security Tools

Automated Security Measurement System Definition of What it means to Be Secure FISMA Security Requirements Vulnerability Checking Tools Organizational Impact Rating FIPS 199 Impact to the System Impact to the Agency Deviation from Requirements Impact Scoring System

Configuration Guidance in the Context of 800-53/FIPS 199 800-53, Appendix D specifies security control applicability according to the High, Moderate, and Low impact rating of an IT System. 800-68 provides specific configuration information according to environment (Standalone, Enterprise, SSLF, and Legacy). The NIST XML specifies the applicable 800-68 security settings according to the 800-53 guidelines. EXAMPLE: AC-12 (session termination) is applicable for IT systems with either a Moderate or High impact rating, but not for systems rated Low. The XCCDF profile for High and Moderate systems enables the group for AC-12 rule execution, but disables the group for Low systems. The XCCDF rules ‘refer’ to the appropriate OVAL definitions in the companion OVAL file (named: WindowsXP-SP800-68.xml)
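The two mechanisms described in the AC-7 registry-check slide and in the AC-12 profile example above can be seen working together in the following toy evaluator. It is an added example, not code from the NIST slides, NVD, or any SCAP tool, and its XML is a constructed simplification modelled on the slides' fragments rather than the real XCCDF 1.1.2 or OVAL schemas. Assumptions: CCE ids are placeholders, the registry paths follow the slide (they are not real Windows lockout-policy keys), the host snapshot is constructed, only High and Low profiles are modelled (Moderate would be identical to High), and an SI-2 (Flaw Remediation) group with a file-version test is added to show a patch check coupled with configuration checks, as the "we couple patches and configuration checking" slide describes. The profile decides which groups run, each rule refers to an OVAL-style test by id, and the results roll back up to 800-53 control ids and a percentage score.

```python
"""Toy XCCDF/OVAL evaluator: added example, not code from the NIST slides or any SCAP tool.
The XML below is a CONSTRUCTED simplification of the slides' fragments, not the real
XCCDF 1.1.2 / OVAL schemas; CCE ids are placeholders and registry paths follow the slide."""
import xml.etree.ElementTree as ET

# Benchmark: profiles enable groups by FIPS 199 impact; AC-12 is disabled for Low, as the slide says.
# SI-2 (Flaw Remediation) is added here to show a patch check coupled with the configuration checks.
BENCHMARK_XML = r"""
<Benchmark id="WindowsXP-SP800-68-toy">
  <Profile id="High"><select group="AC-7" selected="true"/><select group="AC-12" selected="true"/><select group="SI-2" selected="true"/></Profile>
  <Profile id="Low"><select group="AC-7" selected="true"/><select group="AC-12" selected="false"/><select group="SI-2" selected="true"/></Profile>
  <Group id="AC-7" title="Unsuccessful Login Attempts"><Rule id="lockout-duration" cce="CCE-PLACEHOLDER-1" oval="wrt-9999"/>
    <Rule id="lockout-threshold" cce="CCE-PLACEHOLDER-2" oval="wrt-9998"/></Group>
  <Group id="AC-12" title="Session Termination"><Rule id="session-timeout" cce="CCE-PLACEHOLDER-3" oval="wrt-9997"/></Group>
  <Group id="SI-2" title="Flaw Remediation"><Rule id="app-patched" cce="CCE-PLACEHOLDER-4" oval="wft-0001"/></Group>
</Benchmark>"""

# OVAL-style tests: each names an object to collect from the host plus the expected value and operator.
OVAL_XML = r"""
<oval_definitions>
  <registry_test id="wrt-9999" comment="Account Lockout Duration at least 5">
    <object><hive>HKEY_LOCAL_MACHINE</hive><key>Software\Microsoft\Windows</key><name>AccountLockoutDuration</name></object>
    <data><value operator="greater than or equal">5</value></data></registry_test>
  <registry_test id="wrt-9998" comment="Account Lockout Threshold set (1 or more attempts)">
    <object><hive>HKEY_LOCAL_MACHINE</hive><key>Software\Microsoft\Windows</key><name>AccountLockoutThreshold</name></object>
    <data><value operator="greater than or equal">1</value></data></registry_test>
  <registry_test id="wrt-9997" comment="Idle session terminated within 15 minutes">
    <object><hive>HKEY_LOCAL_MACHINE</hive><key>Software\Microsoft\Windows</key><name>SessionTimeoutMinutes</name></object>
    <data><value operator="less than or equal">15</value></data></registry_test>
  <file_version_test id="wft-0001" comment="Example application patched to 1.0.12.4 or later">
    <object><path>C:\Program Files\Example\app.exe</path></object>
    <data><value operator="greater than or equal">1.0.12.4</value></data></file_version_test>
</oval_definitions>"""

# Constructed snapshot of the target host, i.e. what a COTS scanner would collect.
REGISTRY = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\AccountLockoutDuration": "15",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\AccountLockoutThreshold": "0",  # 0 = never locks out
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\SessionTimeoutMinutes": "10",
}
FILES = {r"C:\Program Files\Example\app.exe": "1.0.12.4"}

def parse_value(text):
    """Dotted digit strings (counts, versions) compare as int tuples; anything else as text."""
    parts = text.strip().split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else text.strip()

OPERATORS = {"equals": lambda a, e: a == e, "greater than": lambda a, e: a > e,
             "greater than or equal": lambda a, e: a >= e, "less than": lambda a, e: a < e,
             "less than or equal": lambda a, e: a <= e}

def compare(actual, operator, expected):
    return OPERATORS[operator](parse_value(actual), parse_value(expected))

def collected_value(test, registry, files):
    """Return the host's value for the test's object, or None if it is absent."""
    obj = test.find("object")
    if test.tag == "registry_test":
        return registry.get("\\".join(obj.findtext(part) for part in ("hive", "key", "name")))
    if test.tag == "file_version_test":
        return files.get(obj.findtext("path"))
    raise ValueError(f"unsupported test type: {test.tag}")

def evaluate_test(test, registry, files):
    actual = collected_value(test, registry, files)
    if actual is None:
        return "fail"  # an absent setting or file is non-compliant, not unknown
    value = test.find("data/value")
    return "pass" if compare(actual, value.get("operator"), value.text) else "fail"

def evaluate_profile(benchmark_xml, oval_xml, profile_id, registry, files):
    """Return {rule_id: (result, control_id, cce_id)}; rules in unselected groups are 'notselected'."""
    bench = ET.fromstring(benchmark_xml)
    tests = {t.get("id"): t for t in ET.fromstring(oval_xml)}
    profile = bench.find(f"Profile[@id='{profile_id}']")
    selected = {s.get("group"): s.get("selected") == "true" for s in profile.findall("select")}
    results = {}
    for group in bench.findall("Group"):
        control = group.get("id")
        for rule in group.findall("Rule"):
            result = (evaluate_test(tests[rule.get("oval")], registry, files)
                      if selected.get(control, False) else "notselected")
            results[rule.get("id")] = (result, control, rule.get("cce"))
    return results

def control_rollup(results):
    """Map rule results back to 800-53 controls: compliant only if every selected rule passes."""
    by_control = {}
    for result, control, _ in results.values():
        by_control.setdefault(control, []).append(result)
    rollup = {}
    for control, outcomes in by_control.items():
        checked = [r for r in outcomes if r != "notselected"]
        rollup[control] = ("not applicable" if not checked else
                           "compliant" if all(r == "pass" for r in checked) else "non-compliant")
    return rollup

def score(results):
    """Percentage of selected rules that passed: a quantitative scorecard input."""
    checked = [r for r, _, _ in results.values() if r != "notselected"]
    return 100.0 * checked.count("pass") / len(checked) if checked else 0.0

if __name__ == "__main__":
    for profile_id in ("High", "Low"):
        results = evaluate_profile(BENCHMARK_XML, OVAL_XML, profile_id, REGISTRY, FILES)
        print(f"[{profile_id}] score={score(results):.1f}% controls={control_rollup(results)}")
```

Against the constructed host the High profile scores 75%: the lockout threshold of 0 (never lock out) fails the AC-7 check while AC-12 and SI-2 pass, so AC-7 rolls up as non-compliant. Under the Low profile the AC-12 group is not selected, its rule reports "notselected", and the control shows as not applicable, which is exactly the profile behaviour the slide describes; note that a missing setting is deliberately counted as a failure rather than silently skipped, since a scanner that treats "not found" as "pass" overstates compliance.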

Outline Security Content Automation Program Objectives and Benefits FISMA and DOD Compliance Automation How and why Enabling Automation Through Integration of Government and Industry Programs Technical Approach Status

Security Content Automation Program (SCAP) Status NIST, DISA, NSA Security Automation Conference September 2006 250+ attendees Keynote addresses by DISA CIAO Richard Hale, DOJ CISO Dennis Heretick, and NSA’s Chief IAD Tony Sager SCAP Beta Web Site / Repository Deployed on October 20th. http://nvd.nist.gov/scap/scap.cfm

SCAP Tool Vendor Adoption Tool Vendor Adoption of SCAP ThreatGuard (free!!) Secure Elements Tenable Nessus (under development) Asserted Statements of Compliance to SCAP Symantec (not received) McAfee (not received) ASG (received) ManTech (evaluating) CSC (evaluating)

Beta Security Automation Files Available Windows Vista Misconfigurations DISA/NSA/NIST, Microsoft, Air Force policies Windows XP Misconfigurations/Software flaws NIST FISMA and DISA policies (SP 800-68 / Gold Disk) Windows Server 2003 Microsoft and NIST FISMA policies Red Hat Enterprise Linux Software flaws Many more under development!!

Outline Security Content Automation Program Objectives and Benefits FISMA and DOD Compliance Automation How and why Enabling Automation Through Integration of Government and Industry Programs Technical Approach Status

Combining Existing Initiatives DISA STIG & Checklist Content Gold Disk & VMS Research FIRST Common Vulnerability Scoring System (CVSS) MITRE Common Vulnerability Enumeration (CVE) Common Configuration Enumeration (CCE) Open Vulnerability & Assessment Language (OVAL) NIST National Vulnerability Database Checklist Program Security Content Automation Program NSA Extensible Configuration Checklist Description Format (XCCDF) Security Guidance & Content

Existing NIST Products National Vulnerability Database 2.5 million hits per month 16 new vulnerabilities per day Integrated standards: Checklist Program 115 separate guidance documents Covers 140 IT products 244 products 22 vendors 8 vendors 24 products

National Vulnerability Database NVD is a comprehensive cyber security vulnerability database that: Integrates all publicly available U.S. Government vulnerability resources Provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard. XML feed for all CVEs http://nvd.nist.gov

NIST Checklist Program In response to NIST being named in the Cyber Security R&D Act of 2002. Encourage Vendor Development and Maintenance of Security Guidance. Currently Hosts 115 separate guidance documents for over 140 IT products. In English Prose and automation-enabling formats (e.g., .inf files, scripts). Need to provide configuration data in standard, consumable format. http://checklists.nist.gov

eXtensible Configuration Checklist Description Format Developed by the NSA Designed to support: Information Interchange Document Generation Organizational and Situational Tailoring Automated Compliance Testing and Scoring Published as NIST IR 7275 Foster more widespread application of good security practices http://nvd.nist.gov/scap/xccdf/xccdf.cfm

Involved Organizations Integration IT Security Standards Projects Vendors Press releases From large Security Vendors Forthcoming

Software Flaws/ Patches Configuration Standards Integration Projects We couple patches and configuration checking Software Flaws/ Patches

Questions? Peter Mell (NVD / SCAP) Stephen Quinn (SCAP / NIST Checklist Program) Computer Security Division NIST, Information Technology Laboratory mell@nist.gov, stquinn@nist.gov