NIST Special Publication 800-137 for FISMA
This publication (“Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations”) has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347.
NIST SP 800-137 is the guidance federal agencies (and the contractors and service providers operating systems on their behalf) follow to meet FISMA's continuous-monitoring obligations; it drives concrete data protection, privacy and security testing activities for every organization in scope. Web and mobile applications are among the assets such a monitoring program must keep visibility into, so application security testing is an important part of a FISMA NIST 800-137 compliance process:
“The process for developing an ISCM strategy and implementing an ISCM program is as follows:
- Define an ISCM strategy based on risk tolerance that maintains clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts.
- Establish an ISCM program determining metrics, status monitoring frequencies, control assessment frequencies, and an ISCM technical architecture.
- Implement an ISCM program and collect the security-related information required for metrics, assessments, and reporting. Automate collection, analysis, and reporting of data where possible.
- Analyze the data collected and Report findings, determining the appropriate response. It may be necessary to collect additional information to clarify or supplement existing monitoring data.
- Respond to findings with technical, management, and operational mitigating activities or acceptance, transference/sharing, or avoidance/rejection.
- Review and Update the monitoring program, adjusting the ISCM strategy and maturing measurement capabilities to increase visibility into assets and awareness of vulnerabilities, further enable data-driven control of the security of an organization’s information infrastructure, and increase organizational resilience.”
ImmuniWeb® Products for FISMA NIST 800-137 Compliance
Application security and compliance start with visibility: you cannot protect what you do not know you have. We therefore recommend starting a FISMA NIST 800-137 program with asset discovery and inventory, which also maps directly to the "clear visibility into assets" requirement of the ISCM strategy step above.
ImmuniWeb® Discovery rapidly detects your external web, mobile and cloud assets and assigns each one an attractiveness and hackability score. Based on Big Data and our proprietary AI technology, the entire process is rapid and non-intrusive. Once you have a comprehensive, up-to-date inventory of your assets, you are ready to start well-informed, risk-based application security testing.
For one-time security testing of your web applications and APIs, we recommend using ImmuniWeb® On-Demand.
For iOS and Android mobile apps and their backend (e.g. API or REST/SOAP web services) we provide all-inclusive testing with ImmuniWeb® MobileSuite.
For the most critical applications, those that directly affect your FISMA NIST 800-137 compliance, we offer ImmuniWeb® Continuous for incremental 24/7 testing of any new or updated code.
All ImmuniWeb® products leverage our award-winning Multilayer Application Security Testing and AI technology for intelligent automation and acceleration of Application Security Testing. Driven by human penetration testing, it rapidly detects even the most sophisticated vulnerabilities and comes with a zero false-positive SLA.