Automated tools take sweat out of security compliance

 

Connecting state and local government leaders

New automated tools can help agencies get some of the voluminous security configuration data required under the Federal Information Security Management Act. But the tools aren't a cure-all.

When it comes to complying with federal security mandates, chief information security officers contend with a set of arduous tasks that could rival the 12 labors of Hercules.

Under the Federal Information Security Management Act, agencies must file annual reports to Congress that outline their compliance with more than a dozen categories of security controls that span technology, management and operations.

In addition, the Federal Desktop Core Configuration (FDCC), which seeks to secure desktop and laptop PCs that run Microsoft Windows, has an extensive list of required security settings that agencies must track and report on for every computer they operate.

Such reports relay configuration data on hundreds or thousands of devices and can take months to compile.

So it’s no wonder that federal CISOs who responded to an ISC(2) survey earlier this year identified “meeting compliance objectives” as among their top three priorities. One software vendor’s research has found that agencies’ security managers spend anywhere from a quarter to almost half their time on compliance issues.

However, agencies can get some help. The National Institute of Standards and Technology, which writes the FISMA standards, has created the Security Content Automation Protocol to deal with some of the problems of compliance. SCAP targets the security posture of individual devices and can be used to verify patch installation and check a machine’s security configuration settings.

A number of vendors offer SCAP-enabled security monitoring products that can automate and reduce the painstaking effort involved in achieving several aspects of compliance mandates.

However, those products can only go so far. Industry executives say the tools focus mostly on asset-level security and don’t, by themselves, provide a way to tackle the big picture of FISMA compliance. However, NIST and security vendors are working to make SCAP and related tools more broadly applicable.

SCAP makes inroads

The lack of standardized, automated methods for securing software makes the jobs of patching and securely configuring systems labor intensive and prone to error, according to NIST. In addition, vendors have different ways to identify vulnerabilities and platforms, so organizations that use tools from multiple vendors often generate inconsistent reports that can bog down a security assessment.

SCAP is intended to perform those chores in a consistent way. The protocol has found its greatest traction so far in the realm of FDCC compliance testing. For FDCC, the Office of Management and Budget requires agencies to adopt a standard configuration involving about 300 security settings. The idea is to shrink the avenues through which intruders could compromise a government computer. OMB requires agencies to use SCAP tools to verify that their PCs adhere to FDCC settings.

The National Science Foundation has been using SCAP-enabled scanning tools to continuously verify security configurations for more than a year.

“The main benefit of SCAP is that it allows us to determine the level of compliance to FDCC settings with a high degree of accuracy,” said Bill Marsh, an information technology security officer at NSF’s Division of Information Systems.

“FDCC is the most common use case…across the federal government,” said Matthew Scholl, group manager for security management and assurance at NIST’s Computer Security Division.

Organizations with thousands of devices and the need to assess daily changes in their security posture would find compliance reporting difficult without a SCAP tool, said Matt Mosher, senior vice president for the Americas at Lumension Security, which offers SCAP-validated tools.

“If I have no automated tool to assess and report on [FDCC configurations] on a fairly regular basis, there’s no way I can comply,” Mosher said.

In NIST’s SCAP validation program, independent laboratories validate vendors’ products against several SCAP capabilities, one of which focuses on FDCC.

In the case of FDCC scanning, vendors usually offer SCAP features as part of their vulnerability management or governance, risk, and compliance software. About 20 vendors offer validated FDCC scanning capabilities.

SCAP is based on Extensible Markup Language and enables the creation of machine-readable security configuration checklists. The validated tools process SCAP checklists that map to FDCC guidelines and compare the checklists against a given machine’s configuration.

Such tools generally fall into two categories: agent-based and agentless. The first group deploys software agents on the devices to be checked. The agents send reports on the security status of the various machines to server-based software for analysis.

The agentless tools operate in much the same way as a network vulnerability scanner: They seek out devices on a network and check for gaps in their security posture.

Products may work in one mode or the other or support both. Each approach has its pros and cons, said John Bordwine, public-sector chief technology officer at Symantec, which offers the Control Compliance Suite Federal Toolkit as its SCAP tool. The Symantec product offers both modes.

"An agent based system provides much more detail around the endpoint configuration since it is resident to the device,” said Bordwine. “Network based approaches can provide a fairly deep level of detail as well, but this requires some level of administrative access that has to be granted.”

SCAP tools are typically licensed based on the number of assets an organization seeks to evaluate. Prices range from $5 per device to more than $50, depending on the capabilities provided, among other factors, said David Wilson, vice president of product management for Telos’ Xacta IA Manager.

SCAP's limitations

Although SCAP can help agencies track FDCC settings, it is far from a comprehensive compliance strategy.

For example, SCAP-based tools check for compliance at a specified level for a particular setting, but they stumble when a device is set at a higher level than the FDCC requirement.

“If the FDCC setting is ‘medium’ and the NSF setting exceeds that as ‘high,’ the SCAP tool would mark the setting as ‘noncompliant,’ which is not accurate,” Marsh said.

However, the bigger issue for most is SCAP’s usefulness for complying with FISMA.

“FISMA is an overarching set of policies and controls that is really covering all the security aspects of the organization,” Mosher said. “The SCAP tools are one subsection of FISMA.”

Wilson pointed to a gap between SCAP's objectives and FISMA’s objectives. Much of FISMA reporting occurs at the systems level, while SCAP focuses on “the configuration of a single asset, one at a time,” he said.

NIST Special Publication 800-53, which provides recommended security control guidance for complying with FISMA, discusses protection in terms of “information systems” — sets of resources rather than individual devices.

Although SCAP doesn’t address FISMA in its entirety, it can be applied to the recommended technical security measures that support the directive.

“No SCAP content can make you FISMA compliant,” Scholl said. “We do have SCAP content that directly reflects the technical security controls found in SP 800-53.”

For example, NIST has developed checklists that map Windows XP security configuration settings to the high-level security controls in SP 800-53, according to NIST’s guide for adopting SCAP.

In addition, Scholl said organizations can and often do create their own SCAP content that directly reflects their security policies.

Meanwhile, SCAP vendors say they are offering tools to help close the SCAP gap. Wilson said Telos’ Xacta IA Manager can aggregate asset-based configuration data so agencies can draw security conclusions at the systems level.

Bordwine said industry and NIST are also seeking to extend SCAP to operational checks. For example, SP 800-53 calls for security awareness training for information systems’ users. Vendors are exploring ways to search records in a training database and pull out relevant data for compliance reporting, he said.

What's the bottom line for SCAP? Tools that support the protocol can bolster certain aspects of compliance reporting, particularly those related to FDCC. However, the ability to automate broader FISMA duties is still a work in progress.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.