Last month, we began addressing some frequently asked Security Content Automation Protocol (SCAP) questions. Now that we have clarified what SCAP is, what it consists of, and how it helps with compliance issues, let's look at FAQs about how validation and independent testing factor in. What is validation? The SCAP Program is responsible for maintaining established standards and ensuring that validated products comply with them. Validation is achieved by proving that the testing performed by the laboratory has been carried out correctly. Who does independent testing? Test results for validation are accepted only from laboratories that are accredited by the National Voluntary Laboratory Accreditation Program (NVLAP). This accreditation is earned after a full review of the laboratory's Quality Management System (QMS) and passing of the technical proficiency tests.
Tag Archives: Compliance
Cloud and Continuous Monitoring
Continuous monitoring involves assessing an agency's information security posture based on changes to risk resulting from new threats or newly discovered vulnerabilities. The National Institute of Standards and Technology's (NIST) Guide for Applying the Risk Management Framework to Federal Information Systems (Special Publication 800-37, Revision 1) specifies continuous monitoring as one of the six steps of the framework. As agencies begin looking at cloud initiatives, the challenge is implementing a continuous monitoring program that reduces risk and ensures compliance with NIST and other relevant guidance in an environment of decreased control. The solution begins with knowing where compliance ends and risk begins.
SCAP Frequently Asked Questions
In our last discussion, we set out the goal of automated provisioning and continuous monitoring for Network Security Management. The National Institute of Standards and Technology (NIST) has spearheaded Security Content Automation Protocol (SCAP) efforts for the last ten years. NIST, an agency of the U.S. Department of Commerce, was founded in 1901 as the nation's first federal physical science research laboratory. In essence, SCAP is a NIST-sponsored effort covering both pieces (automated provisioning and continuous monitoring). As a refresher: SCAP, pronounced "S-Cap", combines a number of open standards that are used to enumerate software flaws and security-related configuration issues. These standards measure systems to find vulnerabilities and offer methods to score those findings in order to evaluate the possible impact. SCAP is a method for using those open standards for automated vulnerability management, measurement and policy compliance evaluation, and it was the next logical step in the evolution of compliance automation tools for Federal Agencies. SCAP defines how the following standards (referred to as SCAP 'Components') are combined and allows results to be easily shared for Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB), Department of Homeland Security (DHS) and other reporting.
Government Cloud Pushback
A recent New York Times article spells out the issues around federal cloud computing adoption, explaining that "such high praise for new Internet technologies may be common in Silicon Valley, but it is rare in the federal government, where concerns about security are paramount". Agencies are notably concerned about losing responsibility for managing and securing data, as well as about the possibility of cloud outages. However, some agencies have fewer concerns about security breaches, and they have been busy moving user accounts and email services to the cloud. For example, the Agriculture Department has already moved about 46,000 employee accounts and is in the process of adding another 120,000. NASA has also made the migration by launching its own internal Nebula cloud computing platform, which provides a range of services powerful enough to manage all of NASA's large-scale scientific data sets.
Security Back to Basics: Managing the Threat (part 3b)
In previous blogs we talked about the need to educate end users and to know the details of what activity is occurring on your enterprise's systems. In part 3, we're going to talk about Compliance and Endpoint Management. Simply speaking, Compliance is setting a policy and measuring how well you adhere to it. If a policy is set to allow only passwords longer than 8 characters in your enterprise, Compliance is the measurement of how well that policy is enforced. Any deviations or exceptions from the policy are clearly documented and recorded. So why is Compliance important? A well-developed endpoint security policy ensures that common attacks and threats can be mitigated before they happen. By adhering to that policy, you are protected and secure from attacks without any other controls. There are many examples of compliance guidelines, such as NIST 800-53 and FDCC (Federal Desktop Core Configuration).
SonicWall reaches EAL4+ certification
This week SonicWall announced that its TZ and NSA product lines have achieved the latest in government certification requirements, having earned Common Criteria (CC) Evaluation Assurance Level 4+ (EAL4+) certification (ISO 15408). The new EAL4+ certification is in addition to the FIPS 140-2 Level 2 certification already achieved (see the earlier article). As any federal IT engineer will tell you, having the box checked on government compliance requirements is critical for government acceptance and implementation.