DISA Control Correlation Identifiers and NIST 800-53 Families

by Cody Dumont
July 6, 2016

Organizations that fall under Defense Information Systems Agency (DISA) guidance are strictly regulated and must ensure their systems are securely configured and comply with the applicable security policies. According to the Information Assurance Support Environment (IASE), which maintains the Control Correlation Identifier (CCI) list, the list provides a standard identifier and description for each of the singular, actionable statements that make up an Information Assurance (IA) control or IA best practice. CCI bridges the gap between high-level policy statements and low-level technical implementations: a security requirement expressed in a high-level policy framework is decomposed and explicitly associated with the low-level security setting(s) that must be assessed to determine compliance with the objective of that specific control. Tracing requirements from their origin (regulations, IA frameworks) to their low-level implementation lets an organization demonstrate compliance with several IA frameworks from one set of assessment results, and it gives a way to objectively roll up and compare related assessment results across disparate technologies.

In 2014, IASE mapped the CCI list to the NIST SP 800-53 Revision 4 control families. NIST 800-53 covers both administrative and technical controls, and standards and policy documents are often written at different levels of granularity, which makes compliance assessment and reporting less reliable. The CCI list supplies a series of specific technical IA requirements that state exactly which settings must be validated to meet compliance. Tenable.sc ships with over 40 audit files that carry CCI references and over 130 audit files with references to NIST 800-53. This dashboard and the related audit files can be used to monitor the implementation of the technical controls in the CCI list. The operating systems and applications that currently have audit files with CCI references are AIX, Google Chrome Browser, HPUX, MSSQL 2012, Mac OS X, Oracle 11, Oracle Linux, Palo Alto, RHEL, Solaris, and VMware ESXi.

This dashboard was built by identifying every technical control in the CCI list that maps to a NIST 800-53 Revision 4 family and grouping those controls into one component per family. Each indicator carries both the CCI references and the NIST 800-53 references; adding the NIST 800-53 family references brings another 180 audit files into scope when assessing an organization's compliance with the CCI list. An indicator turns red only when an audit check in that family has been found out of compliance. A failed check should be reviewed before it is treated as a finding, because the check as configured in the audit file may not match the policy actually in place. For example, if the audit file encodes a password length policy of 8 to 15 characters as compliant, a host configured to require 25 characters is reported noncompliant even though that setting is stricter than the policy. Security professionals can download and edit the audit files to match their specific policies.
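As an added example (not code from this post or from Tenable), the following Python script does in miniature what the dashboard does: it reads the reference line of each audit check, derives the NIST 800-53 family from every 800-53 control identifier, rolls passed and failed checks up per family, and lists each failure with its configured range and the observed value so that the over-strict password case above stands out for review instead of being taken as a finding. The audit fragment only models the `reference:` line style of Tenable audit files; the CCI numbers, control identifiers and observed host values are constructed for illustration and are not taken from any real audit file or scan.

```python
"""Roll audit-check results up into NIST 800-53 families via their references.

Added example for this post, not Tenable's code: the fragment only models the
`reference:` line style of Tenable audit files, and the CCI numbers, control
identifiers and observed host values are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed audit fragment.  value_data uses [min..max] for numeric ranges.
SAMPLE_AUDIT = """
<custom_item>
  description: "Minimum password length"
  value_data: [8..15]
  reference: "800-53|IA-5(1)(a),CCI|CCI-000205"
</custom_item>
<custom_item>
  description: "Account lockout threshold"
  value_data: [1..3]
  reference: "800-53|AC-7a,CCI|CCI-000044"
</custom_item>
<custom_item>
  description: "Audit logon events"
  value_data: "Success and Failure"
  reference: "800-53|AU-12c,CCI|CCI-000172"
</custom_item>
"""

# Constructed values as read from one host.  The 25-character minimum is
# stricter than the audit file's 8..15 range, so it will be reported FAILED.
OBSERVED = {
    "Minimum password length": 25,
    "Account lockout threshold": 5,
    "Audit logon events": "Success and Failure",
}

ITEM_RE = re.compile(r"<custom_item>(.*?)</custom_item>", re.S)
FIELD_RE = re.compile(r'^\s*(\w+)\s*:\s*"?(.*?)"?\s*$', re.M)
RANGE_RE = re.compile(r"^\[(\d+)\.\.(\d+)\]$")
FAMILY_RE = re.compile(r"^([A-Z]{2})-\d+")  # "IA-5(1)(a)" -> "IA"

def parse_reference(ref):
    """'800-53|IA-5(1)(a),CCI|CCI-000205' -> {'800-53': [...], 'CCI': [...]}"""
    refs = defaultdict(list)
    for token in (t.strip() for t in ref.split(",")):
        if token:
            scheme, _, ident = token.partition("|")
            refs[scheme].append(ident)
    return dict(refs)

def parse_audit(text):
    """Return one dict per <custom_item>, with its reference line parsed."""
    items = []
    for body in ITEM_RE.findall(text):
        fields = dict(FIELD_RE.findall(body))
        fields["refs"] = parse_reference(fields.get("reference", ""))
        items.append(fields)
    return items

def nist_family(control):
    """Two-letter 800-53 family code of a control identifier."""
    m = FAMILY_RE.match(control)
    if not m:
        raise ValueError(f"not an 800-53 control identifier: {control!r}")
    return m.group(1)

def evaluate(item, observed):
    """Compare one host value with the check's value_data (range or literal)."""
    expected, actual = item["value_data"], observed.get(item["description"])
    result = {"check": item["description"], "expected": expected, "observed": actual}
    m = RANGE_RE.match(expected)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        passed = isinstance(actual, int) and lo <= actual <= hi
        if not passed:  # the host may be wrong, or the range may not match policy
            result["note"] = (f"observed {actual} outside configured range "
                              f"{lo}..{hi}; confirm the range matches local policy")
    else:
        passed = actual == expected
    result["status"] = "PASSED" if passed else "FAILED"
    return result

def rollup(items, observed):
    """Count passed/failed checks per NIST family; keep failures for review."""
    summary = defaultdict(lambda: {"passed": 0, "failed": 0, "failures": []})
    for item in items:
        result = evaluate(item, observed)
        for fam in sorted({nist_family(c) for c in item["refs"].get("800-53", [])}):
            if result["status"] == "PASSED":
                summary[fam]["passed"] += 1
            else:
                summary[fam]["failed"] += 1
                summary[fam]["failures"].append({**result, "cci": item["refs"].get("CCI", [])})
    return dict(summary)

if __name__ == "__main__":
    for fam, c in sorted(rollup(parse_audit(SAMPLE_AUDIT), OBSERVED).items()):
        print(f"{fam}: {'RED' if c['failed'] else 'GREEN'} passed={c['passed']} failed={c['failed']}")
        for f in c["failures"]:
            print(f"   {f['check']} {f['cci']}: expected {f['expected']}, observed {f['observed']}"
                  f"  ({f.get('note', 'value mismatch')})")
```

Run stand-alone, the script marks the IA and AC families red and AU green; the IA failure carries a note that 25 lies outside the configured 8..15 range, which is the cue to check the audit file against local policy before raising a finding. A check that references several 800-53 controls is counted once in each family it maps to, which is how one CCI can surface in more than one matrix.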

The dashboard is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. It can be found in the Feed under the category Compliance & Configuration Assessments. The dashboard requirements are:

  • Tenable.sc 5.2.0
  • Nessus 8.4.0
  • Audit Files containing NIST 800-53 or CCI references.

Of the five sensors supported by Tenable products, this dashboard relies on two: Active Scanning and Agent Scanning. Active Scanning periodically examines assets to determine their level of risk to the organization and their compliance with DISA policies. Agent Scanning lets the organization audit assets that are only intermittently connected, or for which supplying scan credentials is not feasible, because the agent runs locally on the asset and reports its results when it can reach the manager. Tenable.sc supports configuration audits for more technologies than any other vendor, including operating systems, network devices, hypervisors, databases, web servers, and critical infrastructure. Tenable.sc is continuously updated with information about advanced threats and zero-day vulnerabilities and with new types of regulatory compliance configuration audits, so organizations know their environment is being scanned with the latest technology.

Components

DISA - Access Control (AC): This matrix provides indicators for failed audit checks that belong to the NIST 800-53 Access Control (AC) family and its related Control Correlation Identifiers (CCI). The Access Control (AC) family is a series of controls that govern the settings used to limit access to systems and to the information stored on them.

DISA - Audit and Accountability (AU): This matrix provides indicators for failed audit checks that belong to the NIST 800-53 Audit and Accountability (AU) family and its related Control Correlation Identifiers (CCI). The Audit and Accountability (AU) family provides the mechanisms for recording policy violations and related activity.

DISA - Configuration Management (CM): This matrix provides indicators for failed audit checks that belong to the NIST 800-53 Configuration Management (CM) family and its related Control Correlation Identifiers (CCI). The Configuration Management (CM) family focuses on establishing baseline configurations and restricting installed software to the minimum needed.

DISA - Identification and Authentication (IA): This matrix provides indicators for failed audit checks that belong to the NIST 800-53 Identification and Authentication (IA) family and its related Control Correlation Identifiers (CCI). The audit checks in the Identification and Authentication (IA) family focus primarily on the configuration settings of authentication systems.

DISA - System and Communications Protection (SC): This matrix provides indicators for failed audit checks that belong to the NIST 800-53 System and Communications Protection (SC) family and its related Control Correlation Identifiers (CCI). The System and Communications Protection (SC) family provides guidance on implementing protected communications within a system.

DISA - System and Information Integrity (SI): This matrix provides indicators for failed audit checks that belong to the NIST 800-53 System and Information Integrity (SI) family and its related Control Correlation Identifiers (CCI). The System and Information Integrity (SI) family provides guidance on monitoring systems for announced software vulnerabilities, protecting against unsolicited email (spam), error handling, memory protection, output filtering, and many other areas of security.

DISA - Top 50 CCI Audit Results: This component lists the top 50 audit results that carry a CCI cross-reference. The table is sorted by severity and shows the plugin name, the severity, and the number of hosts on which each CCI configuration check was detected. Administrators can review this list for any check whose CCI reference does not map to one of the technical controls grouped in the family matrices above.
