DISA Control Correlation Identifiers and NIST 800-53 Families

Defense Information Systems Agency (DISA) organizations are strictly regulated and must ensure their systems are securely configured and that the systems comply with the applicable security policies.  According to the Information Assurance Support Environment (IASE), who maintains the Control Correlation Identifier (CCI) list, the CCI list provides a standard identifier and description for each of the singular, actionable statements that comprise an Information Assurance (IA) control or IA best practice. CCI bridges the gap between high-level policy expressions and low-level technical implementations. CCI allows a security requirement that is expressed in a high-level policy framework to be decomposed and explicitly associated with the low-level security setting(s) that must be assessed to determine compliance with the objectives of that specific security control. This ability to trace security requirements from their origin (e.g., regulations, IA frameworks) to their low-level implementation allows organizations to readily demonstrate compliance to multiple IA compliance frameworks. CCI also provides a means to objectively roll up and compare related compliance assessment results across disparate technologies.

In 2014, IASE mapped the CCI list to the NIST 800-53 version 4 families.  The NIST 800-53 maps to administrative and technical controls.  The standards and policy documents are often written using different levels of granularity, which makes compliance reporting and reporting less reliable. The CCI provides a series of technical IA requirements in order to be specific and clear as to the settings that need to be validated to meet compliance. Tenable.sc comes with over 40 audit files that support CCI references, and over 130 audit files with references to NIST 800-53.  This dashboard and the related audit files can be used to monitor the implementation of technical controls outlined in the CCI list.  The operating systems or applications that currently have audit files with support for CCI controls are AIX, Google Chrome Browser, HPUX, MSSQL 2012, Mac OS X, Oracle 11, Oracle Linux, Palo Alto, RHEL, Solaris, and VMware ESXi.

This report was created by identifying all the technical controls in the CCI list that map to the NIST 800-53 version 4 families.  Each of the controls were then grouped into chapters for each respective NIST 800-53 family.

Within each chapter each CCI reference and NIST 800-53 reference has separate bar chart and table to outline the networks and compliance details.  By adding the NIST 800-53 family references, another 180 audit files can be used when assessing an organization’s compliance with the CCI list.  The indicators will only show red for audit checks that have been found to be out of compliance.  Audit checks that are out of compliance need to be reviewed in case the configured check does not align with the policies in place. For example, if the password length policy says 8 – 15 characters is compliant, a configured policy of 25 characters will be marked noncompliant even though the policy is certainly very secure.  Security professionals can download and edit the audit files to match specific policies. 

The report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessments. The dashboard requirements are:

• Tenable.sc 5.2.0
• Nessus 8.4.0
• Audit Files containing NIST 800-53 or CCI references.

Of the five sensors supported by Tenable products, this dashboard focuses on two: Active Scanning and Agent Scanning.  Active Scanning provides the ability to periodically examine assets to determine their level of risk to the organization and compliance with DISA policies.  Agent Scanning allows the organization to rapidly audit assets that are offline or assets where the need for credentials is not feasible.  Tenable's Tenable.sc supports configuration audits for more technologies than any other vendor, including operating systems, network devices, hypervisors, databases, web servers, and critical infrastructure. Tenable.sc is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits, allowing for organizations to know their environment is being scanned with the latest technology.

Chapters

Executive Summary - This chapter provides a series of indicator elements to show management which NIST 800-53 controls have failed compliance checks.  There is a separate element for each of subsequent chapters.

Account Management (AC) - This chapter provides two elements for failed audit checks which are members of the Account Management (AC) NIST 800-53 and related Control Correlation Identifiers (CCI). The Access Control (AC) family is a series of controls that determines the settings used for limiting access to systems and information stored on the systems. 

Audit and Accountability (AU) - This chapter provides two elements for failed audit checks which are members of the Audit and Accountability (AU) NIST 800-53 and related Control Correlation Identifiers (CCI). The Audit and Accountability (AU) family provides the mechanism to record policy violations and related activities.

Configuration Management (CM) - This chapter provides two elements for failed audit checks which are members of the Configuration Management (CM) NIST 800-53 and related Control Correlation Identifiers (CCI). The Configuration Management (CM) family focuses on establishing baselines and identifying the minimum software installations.

Identification and Authentication (IA) - This chapter provides two elements for failed audit checks which are members of the Identification and Authentication (IA) NIST 800-53 and related Control Correlation Identifiers (CCI). The audit checks in the Identification and Authentication (IA) family primarily focus on the configuration settings concerned with authentication systems.

System and Communications Protection (SC) - This chapter provides two elements for failed audit checks which are members of the System and Communications Protection (SC) NIST 800-53 and related Control Correlation Identifiers (CCI). The System and Communications Protection (SC) family provides guidance on how to implement protected communications within a system.

System and Information Integrity (SI) - This chapter provides two elements for failed audit checks which are members of the System and Information Integrity (SI) NIST 800-53 and related Control Correlation Identifiers (CCI). The System and Information Integrity (SI) family provides guidance on monitoring information systems affected by announced software vulnerabilities, email vulnerabilities (spam), error handling, memory protection, output filtering, and many other areas of security.