FISMA, Continuous Monitoring and Real-Time Risk Management

Complying with newly strengthened NIST 800-53

Summary

In August 2009, NIST released an update to SP 800-53 that represents a major step by US government civilian, defense and intelligence agencies to more effectively manage IT security risks in highly dynamic environments. To achieve the goal of near real-time risk management, this revision substantially increases the requirements for continuous monitoring required under FISMA and other federal security regimes. RedSeal Systems software delivers the continuous, comprehensive and automated security monitoring and risk assessment capabilities needed to comply with these newly strengthened requirements and to achieve “acceptable levels of risk to organizational operations and assets, individuals, other organizations, and the Nation.” [1]

Background

After the passage of the Federal Information Security Management Act (FISMA) in 2002, the National Institute of Standards and Technology (NIST) created a series of publications that provide guidance for federal agencies on the implementation, certification and accreditation of federal information system security. As part of an effort to develop a unified information security framework for the entire federal government, NIST’s FISMA activities have been integrated with efforts in the defense and intelligence communities under the Joint Task Force Transformation Initiative Interagency Working Group.

The Joint Task Force’s goal is to provide “the capability to more effectively manage information system-related security risks in highly dynamic environments of complex and sophisticated cyber threats, ever increasing system vulnerabilities, and rapidly changing missions.”2 It promotes the concept of “near real-time risk management” to ensure “that on a real-time basis, senior leaders understand the security state of the information system.”3

To achieve these objectives, in August 2009 NIST released a major revision of Special Publication 800-53, which documents recommended security controls for federal information systems. One of the most notable changes in this revision is a much stronger emphasis on continuous monitoring of security controls. This addresses a common security failing: as changes are made to controls over time, their actual operation can diverge from the design and enterprise policy, thereby opening security holes.

The changes in this update, revision 3, are required for compliance with FISMA (per FIPS Publication 200). [4] Because this release was developed by the Joint Task Force, one can also expect the changes in SP 800-53 to be reflected in requirements under the Department of Defense’s DIACAP process and the Director of National Intelligence’s DCID 6/3 directive.

This paper discusses the continuous monitoring changes to NIST SP 800-53 and how RedSeal software enables federal agencies to achieve and maintain compliance with these new requirements.

Requirements for Continuous Monitoring

Even the best security infrastructure can lose effectiveness over time. Because many controls are modified frequently, the security infrastructure is vulnerable to both accidental and malicious changes that can open serious security holes. Annual assessments, while important, occur too infrequently to catch and remedy these security issues. All too often, the first indication of a vulnerability is a successful attack. The updated release of NIST 800-37 recognizes this issue:

“Conducting a thorough point-in-time assessment of the security controls in an organizational information system is a necessary but not sufficient condition to demonstrate security due diligence…The ultimate objective of the continuous monitoring program is to determine if the security controls in an information system continue to be effective over time in light of the inevitable changes that occur in the system as well as the environment in which the system operates.” [5]

To address this issue, NIST has strengthened the requirements for continuous monitoring in SP 800-53. Historically, the Continuous Monitoring control (CA-7) required, “Those security controls that are volatile or critical to protecting the information system are assessed at least annually. All other controls are assessed at least once during the information system’s three-year accreditation cycle.” [6] The updated guidance revises this language to read:

“A continuous monitoring program allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, technologies and missions/business processes. Continuous monitoring of security controls using automated support tools facilitates near real-time risk management and promotes organizational situational awareness with regard to the security state of the information system.” [7]

Many organizations use the combination of an annual assessment and incremental change management as their assurance mechanism for controls. While seemingly reasonable, this approach leaves organizations vulnerable to errors and omissions that are easily overlooked by even the most diligent manual reviews. In the updated framework, NIST cautions against this approach:

“Planning and implementing security configurations and then managing and controlling change is not a guarantee that information systems will remain configured as expected. Using automated tools, organizations can identify when the information system is not in compliance with security policy and standards and take remediation actions as necessary. Continuous monitoring identifies undiscovered system components, misconfigurations, vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose organizations to increased risk.” [8]

Continuous Monitoring of Network Security

Perhaps no control is more important to monitor continuously than network security. This control, AC-4 in NIST 800-53, comprises the firewalls, routers, gateways and other devices that form the first line of defense around information systems. These devices control access network-wide and so are considered “common controls” whose operation affects security for every information system in an agency. Further, because the rulesets and ACLs of these devices change on a weekly or even daily basis, errors that create risky exposure are frequently introduced. NIST has thus prioritized the monitoring of these controls:

“Priority for control monitoring should be given to the security controls that have the greatest volatility (i.e., greatest potential for change) after implementation, the controls that have the potential to affect the greatest number of information systems (e.g., common security controls), and the controls that have been identified in the organization’s plans of action and milestones for the information systems and supporting infrastructure.” [9]

RedSeal Network Advisor continuously, comprehensively and automatically monitors network security controls to assure that they are operating as intended. Unlike configuration management systems that audit one device at a time, RedSeal uniquely analyzes how the agency-wide set of network security devices implements security policy in depth. It enables IT organizations to spot inadvertent or malicious exposure in minutes—even the subtle issues that would be missed by auditors. And RedSeal demonstrates solid security practices and results to authorizing officials, IT management and auditors.

Figure: RedSeal continuously monitors network security controls to assure that they effectively enforce policy.

RedSeal Network Advisor offers the following specific capabilities for continuous monitoring of network controls:

  • Collects configurations from all network control devices: firewalls, routers and load balancers
  • Automatically maps network to validate connectivity
  • Identifies security weaknesses in individual devices, such as weak authentication and settings that enable session hijacking
  • Comprehensively analyzes how devices combine to permit or deny access between every two points in the infrastructure
  • Continuously validates that all permitted network access is authorized by policy
  • Supports inter-zone policy validation based on white-lists and black-lists
  • Tracks access approvals and justifications
  • Alerts security personnel when out-of-policy access is enabled on the network
  • Generates comprehensive reports for management and auditors

Real-Time Risk Management

Almost every organization uses vulnerability scanning to automatically identify open ports, vulnerable software and misconfigured services on their information systems. A wide variety of actions can be taken on each vulnerability, ranging from patching it in a normal patch cycle to removing the affected system from operation. To determine the appropriate action, the IT organization and authorizing official must determine the actual risk posed by each vulnerability.

The goal of the Joint Task Force Transformation Initiative is “near real-time risk management.” To determine risk, one must assess:

“the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.” [10]

Both the impact of adverse events and the effect of controls are challenging to evaluate:

  • The organizational impact of a vulnerability is much greater than that of the vulnerable system itself. It must also incorporate the other systems that can be accessed once the original system is compromised. For this reason, an insignificant system that has broad access throughout the agency can have dramatically greater impact than an important system with very limited access. In fact, a commonly successful hacker tactic is to target unimportant (or even forgotten) systems in the DMZ and use them as launching points for attacks much deeper into the agency.
  • Analyzing the effect of controls on a vulnerability is quite complex. The most common of these controls are network controls (such as firewalls) that restrict access to the system from untrusted sources. Understanding network control effects requires comprehensively analyzing the interaction of the firewall rulesets and router ACLs found in multiple devices along every network path that could provide access to the vulnerability.

Determining the risk of vulnerabilities using manual methods is extraordinarily time-consuming, costly and most likely inaccurate. Vulnerability scanners frequently identify vast numbers of potential vulnerabilities across many information systems. Analyzing the impact of an adverse event and the effect of network controls for even a single vulnerability is very complex—manually evaluating every detected vulnerability is virtually impossible.

RedSeal Vulnerability Advisor automatically determines the risk of each scanner-identified vulnerability by analyzing it in the context of network security controls. To measure the risk, RedSeal evaluates:

  • Direct exposure of the vulnerability to untrusted networks
  • Indirect exposure of the vulnerability to untrusted networks through other vulnerable hosts
  • The potential for a vulnerability to allow an attacker to leapfrog deeper into the network
  • The severity of a vulnerability based on the Common Vulnerability Scoring System (CVSS)
  • The business value of the vulnerable host
  • The business value of other hosts that are attackable from the vulnerable host
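The risk factors listed above, and the policy-validation and downstream-impact points made earlier in the paper, can be illustrated with a small reachability model. The following is an added example written for this page, not RedSeal's own code or algorithm: the hosts, zones, business values, CVSS scores and inter-zone white-list are all constructed, and the weights (direct exposure 1.0, indirect 0.5) are assumed for illustration only.

```python
from collections import deque

# Constructed inventory: host -> (zone, business value 1-10, highest CVSS among open findings, 0 = none)
HOSTS = {
    "web1": ("dmz", 2, 7.5),
    "jump": ("dmz", 1, 9.8),   # low-value, forgotten DMZ box with a critical finding
    "app1": ("app", 6, 0.0),
    "db1":  ("data", 10, 5.0),
}

# Constructed inter-zone white-list: zone -> zones its traffic is authorized to reach
ALLOW = {"internet": {"dmz"}, "dmz": {"app"}, "app": {"data"}, "data": set()}

def exposed_hosts(allow, hosts, source="internet"):
    """Map each host reachable from `source` to its hop count. One hop is a zone the
    white-list permits; a further hop is only possible through a zone that contains
    a host with an exploitable finding (the attacker must pivot from somewhere)."""
    reach, pivot_zones, queue = {}, {source}, deque([(source, 0)])
    while queue:
        zone, hops = queue.popleft()
        for dst in allow.get(zone, ()):
            for host, (z, _value, cvss) in hosts.items():
                if z != dst:
                    continue
                reach[host] = min(reach.get(host, hops + 1), hops + 1)
                if cvss > 0 and dst not in pivot_zones:
                    pivot_zones.add(dst)
                    queue.append((dst, hops + 1))
    return reach

def risk_score(host, hosts, allow):
    """CVSS-weighted risk that also counts exposure and the value an attacker could
    reach onward from this host (assumed weights, for illustration)."""
    zone, value, cvss = hosts[host]
    exposure = exposed_hosts(allow, hosts)
    if cvss == 0 or host not in exposure:
        return 0.0                      # no finding, or no path from untrusted networks
    downstream = sum(hosts[h][1] for h in exposed_hosts(allow, hosts, source=zone))
    weight = 1.0 if exposure[host] == 1 else 0.5   # direct vs indirect exposure
    return round(cvss / 10 * weight * (value + downstream), 1)

def ranked(hosts, allow):
    """Hosts ordered by risk, highest first, for remediation prioritization."""
    return sorted(((h, risk_score(h, hosts, allow)) for h in hosts), key=lambda p: -p[1])

def out_of_policy(observed, allow):
    """Observed zone-to-zone reachability the white-list does not authorize (alert-worthy)."""
    return sorted((s, d) for s, d in observed if d not in allow.get(s, ()))

if __name__ == "__main__":
    print(ranked(HOSTS, ALLOW))                   # the jump box outranks the web server
    print(out_of_policy({("internet", "dmz"), ("internet", "app")}, ALLOW))
```

In the constructed data the low-value jump box ranks above the web server because its finding is more severe and it reaches the same downstream value, which is the point the paper makes about forgotten DMZ systems.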

This analysis offers IT and agency leadership insight into the true risk presented by each vulnerability. This can be used to prioritize remediation and mitigation efforts, make operating decisions, and demonstrate effective risk management to management and auditors.

Figure: RedSeal identifies risky vulnerabilities that can be attacked from the Internet or extranet.

Conclusion

The federal security guidelines for civilian, defense and intelligence agencies have been overhauled under the Joint Task Force Transformation Initiative to more effectively manage IT risk in today’s highly dynamic computing environments. Under this revision, older methods of annual assessments of critical, rapidly changing controls have been replaced by continuous monitoring and near real-time risk management. RedSeal Systems software delivers the continuous, comprehensive and automated security monitoring and risk assessment capabilities needed to comply with these newly strengthened requirements, enabling federal agencies to achieve “acceptable levels of risk to organizational operations and assets, individuals, other organizations, and the Nation.”


[1] NIST SP 800-37, Revision 1, DRAFT Guide for Security Authorization of Federal Information Systems, August 2008, p. 10
[2] NIST SP 800-37, Revision 1, DRAFT Guide for Security Authorization of Federal Information Systems, August 2008, p. vii
[3] NIST SP 800-37, Revision 1, DRAFT Guide for Security Authorization of Federal Information Systems, August 2008, p. xi
[4] FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, p. 4, note 5
[5] NIST SP 800-37, Revision 1, DRAFT Guide for Security Authorization of Federal Information Systems, August 2008, p. 28
[6] NIST SP 800-53, Revision 2, Recommended Security Controls for Federal Information Systems, December 2007, p. F-23
[7] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems, August 2009, p. F-37
[8] NIST Risk Management Framework Monitor Step FAQs, April 30, 2009, p. 12
[9] NIST SP 800-39, Second Public Draft, Managing Risk from Information Systems, April 2008, p. 43
[10] NIST SP 800-30, Risk Management Guide for Information Technology Systems, July 2002, p. 8