by Cody Dumont
November 13, 2015
The National Institute of Standards and Technology (NIST) develops many standards that are available to all industries. A common set of standards is the NIST 800-53. For each of the 18 NIST families, a separate report provides the detail discovered during compliance scans. The 18 families are described in NIST Special Publication 800-53 Revision 4. Each family contains security controls related to the general security topic. Each security control was designed to help organizations, both private and public, to select the controls best suited to protect mission critical services. Implementing these controls properly can aid in the defense against a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors.
The NIST families and controls is not a checklist-type of compliance standard like HIPAA, PCI, or CSF; rather, it is a catalog of controls that are used in achieving compliance with the aforementioned standards. Using this report can assist the organization in understanding how they currently meet various standards. The first chapter is a series of indicator matrices showing management the controls that have been audited. Following the Executive Summary is a chapter for each family that contains bar charts with network summaries and tables providing lists of identified hosts.
These reports cover 18 NIST families currently supported by Tenable audit files, which provide the results of an audit check as one of three severity levels. The informational severity level is considered a pass. The pass is achieved when the configuration setting matches the expected result of the audit check. The match can be a defined value or a range of values. The “Nessus Compliance Checks” document, available in the Tenable Support Portal, contains details on how to edit the audit files. When an audit check fails, the severity is set to high, indicating that the collected result and the expected result do not match. A mismatch may not mean a failure. Each failure should be reviewed and verified to ensure the expected result is correct. If the expected result is not correct, then the audit file should be modified and the scan should be run again. Results assigned a medium severity must be evaluated by an analyst to determine whether or not the results are accurate.
The elements in this report use audit files released after 1 July 2013 that incorporate the reference tag that maps many audit checks to a respective standard. In the case of this report, the audit files must contain a string similar to '800-53|IA-5' on the reference line of the applicable audit check.
For example 'reference: CCE|CCE-8912-8,800-53|IA-5,PCI|8.5.12,800-53|CM-6'
Please note that if you are creating you own filters and reports, the '800-53: IA-5' shown in the example is actually '800-53|IA-5' in the data query.
This report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The report requirements are:
- SecurityCenter 4.8.2 or SecurityCenter 5.1
- Nessus 8.4.0
- Audit files containing NIST references
Tenable provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Tenable.sc Continuous View (CV) measures compliance in real-time without human intervention. Allowing the organization to identify gaps and lapses are detected and prioritized immediately. With more supported technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure, Tenable.sc CV provides the best solution for managing compliance with regulations. Tenable provides peace of mind to customers, because Tenable.sc CV detects security and compliance issues before our competitors.
A Report for the following NIST Families is available.
- Access Control: The Access Control family is a series of controls that determine the setting used for limiting access to systems and information stored on the systems. Some of the controls provide guidance on account management and privilege assignments. The guidance provided helps to address the assignment of roles and define business functions. Other settings covered include login time, screen saver requirements, and similar activity-based controls. The guidance for users that require access to system level resources or administrative rights is discussed in the controls. Developers and program managers can use these controls to understand session timeout settings and recommendations of least privilege.
- Awareness and Training: The Awareness and Training control assists with measuring the control and effectiveness of security controls. The metrics provide visibility into how well security controls protect systems and how well users understand the controls in use. As of 2015, there are only few audit checks that measure this control and therefore this content may often be blank.
- Audit and Accountability: The Audit and Accountability family provides the mechanism to record policy violations and related activities. The control provides guidance on log retention policies and configurations. The family also provides information on what data should be retained in each log. Time synchronization is important when performing incident response. Data collected using audit and accountability methods should use a common NTP server, and other guidelines related to timestamps are covered in this family.
- Security Assessment and Authorization: The Security Assessment and Authorization family provides guidance for the effective implementation of security controls and enhancements. Guidance for corrective actions and related milestones are reported in this family. Other information with respect to penetration testing and other internal systems audits are described in this this family.
- Configuration Management: The Configuration Management family focuses on baseline establishment and identifying the minimal software installations. Many of the important details concerning change control and configuration management are described in this family.
- Contingency Planning: The Contingency Planning family contains many of the auditable settings for backup and recovery of systems. The settings include detecting the backup of sensitive data, scheduling backups, and other related settings.
- Identification and Authentication: The Identification and Authentication family primarily focuses on the configuration settings concerned with authentication systems. The controls provide detailed guidance on tracking users employed by the organization, as well as for guests, contractors, shared accounts, and service accounts. Some settings will also validate the configuration of RADIUS, TACACS, and two-factor authentication.
- Incident Response: The Incident Response family identifies auditable settings to support incident response efforts. The controls most often related to this family pertain to log retention settings. Windows computers are known for overwriting event logs, and therefore setting a maximum log size could be beneficial for incident response.
- Maintenance: The Maintenance family provides guidance on how to perform, document, and audit records of maintenance and repairs on information systems. The organization should track the maintenance activities of support personal regardless of the location of equipment and personnel. Guidance that tracks impacted security controls is also discussed in this family.
- Media Protection: The Media Protection family provides information on how to maintain the security of digital media. By offering guidance on how to configure media controls, classification markings, storage policies, and usage, this family can assist an organization in using digital media more securely.
- Physical and Environmental Protection: The Physical and Environmental Protection family provides guidance on physical security requirements. Using logs from digital locks and other physical controls connected to network, the Log Correlation Engine (LCE) can correlate the events, which analysts can monitor for anomalies. Information leakage is also addressed in this family, providing guidance on how to address signal leakage and other electronic communication controls.
- Planning: The Planning family provides guidance on information security architecture and describes the overall philosophy, requirements, and approach organizations take with regard to protecting the confidentiality, integrity, and availability of information. The focus of this family is to illustrate how the security controls and control enhancements meet security requirements, but do not provide detailed technical descriptions of the specific design or implementation of the controls/enhancements. By setting interfaces to a security context with the appropriate controls, the organization can illustrate planning for the required security levels.
- Personnel Security: The Personnel Security family provides guidance on handing personnel-related issues such as termination, promotion, transfer, and other related tasks. The audit checks look for common settings that can assist with these tasks.
- Program Management: The Program Management family provides guidance on facilitating compliance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Additionally, the audits in this family provide a vehicle for the organization to document all of the security controls in a central repository.
- Risk Assessment: The Risk Assessment family provides guidance on the requirements to perform risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the nation based on the operation and use of information systems.• System and Services Acquisition: The System and Services Acquisition family provides guidance on using service-based software such as Telnet, HTTP, and other services. Tenable audit files look for some services that are known to be unauthorized, such as Telnet. However, the organization should review content to ensure authorized services are detected. These settings should be reviewed and customized to meet the local polices for the organization.
- System and Communications Protection: The System and Communications Protection family provides guidance on how to implement protected communications for a system. One aspect is the separation of duties, such as making sure the administrative interface is not part of the regular user interface. Other controls are limiting direct hardware access, memory address space controls, intrusion detection, and other methods of monitoring system resources.
- System and Information Integrity: The System and Information Integrity family provides guidance on monitoring information systems affected by announced software vulnerabilities, email vulnerabilities (spam), error handling, memory protection, output filtering, and many other areas of security. Many of these audit checks will need to be customized and should reviewed by the organization.