FISMA NIST 800-37 Compliance and Application Security

National Institute of Standards and Technology (NIST) developed Special Publication 800-37 to describe a Risk
Management Framework and its applicability for US federal organizations and their contractors
processing or storing federal information as imposed by FISMA, a US Federal law.

NIST Special Publication 800-37 Revision 2 for FISMA

This publication (“Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy”) is intended to help organizations manage security and privacy risk, and to satisfy the requirements in the Federal Information Security Modernization Act of 2014 (FISMA), 44 U.S.C. § 3551et seq., Public Law (P.L.) 113-283.

FISMA NIST 800-37 imposes various data protection, privacy and security testing requirements on all companies that must adhere to it. Web and mobile application security is an important part of FISMA NIST 800-37 compliance process:

TASK P-10 ASSET IDENTIFICATION

“Stakeholder assets are identified and prioritized [Cybersecurity Framework: ID.AM]”

TASK P-15 REQUIREMENTS DEFINITION

“Security and privacy requirements are defined and prioritized [Cybersecurity Framework: ID.GV; PR.IP]”

TASK P-18 SYSTEM REGISTRATION

“The system is registered for purposes of management, accountability, coordination, and oversight. [Cybersecurity Framework: ID.GV]”

TASK S-6 PLAN REVIEW AND APPROVAL

“Security and privacy plans reflecting the selection of controls necessary to protect the system and the environment of operation commensurate with risk are reviewed and approved by the authorizing official.”

TASK A-1 ASSESSOR SELECTION

“An assessor or assessment team is selected to conduct the control assessments. The appropriate level of independence is achieved for the assessor or assessment team selected.”

TASK A-2 ASSESSMENT PLAN

  • “Documentation needed to conduct the assessments is provided to the assessor or assessment team.
  • Security and privacy assessment plans are developed and documented.
  • Security and privacy assessment plans are reviewed and approved to establish the expectations for the control assessments and the level of effort required.”

TASK A-3 CONTROL ASSESSMENTS

  • “Control assessments are conducted in accordance with the security and privacy assessment plans.
  • Opportunities to reuse assessment results from previous assessments to make the risk management process timely and cost-effective are considered.
  • Use of automation to conduct control assessments is maximized to increase speed, effectiveness, and efficiency of assessments.”

TASK A-4 ASSESSMENT REPORTS

“Security and privacy assessment reports that provide findings and recommendations are completed.”

TASK M-1 SYSTEM AND ENVIRONMENT CHANGES

“The information system and environment of operation are monitored in accordance with the continuous monitoring strategy. [Cybersecurity Framework: DE.CM;ID.GV]”

TASK M-2 ONGOING ASSESSMENTS

“Ongoing assessments of control effectiveness are conducted in accordance with the continuous monitoring strategy. [Cybersecurity Framework: ID.SC-4]”

TASK M-3 ONGOING RISK RESPONSE

“The output of continuous monitoring activities is analyzed and responded to appropriately. [Cybersecurity Framework: RS.AN]”

TASK M-5 SECURITY AND PRIVACY REPORTING

“A process is in place to report the security and privacy posture to the authorizing official and other senior leaders and executives.”

ImmuniWeb® Products for FISMA NIST 800-37 Compliance

Application security and compliance starts with visibility. You cannot protect what you don't know. Therefore, we recommend starting FISMA NIST 800-37 with an asset discovery and inventory.

ImmuniWeb® Discovery rapidly detects your external web, mobile and cloud assets equipped with asset’s attractiveness and hackability scores. Based on Big Data and our proprietary AI technology, the entire process is rapid and non-intrusive. Once you have a comprehensive and up2date inventory of your assets, you are ready to start a well-informed and risk-based application security testing.

For one-time security testing of your web applications and APIs, we recommend using ImmuniWeb® On-Demand.

For iOS and Android mobile apps and their backend (e.g. API or REST/SOAP web services) we provide all-inclusive testing with ImmuniWeb® MobileSuite.

For most critical applications that directly impact your FISMA NIST 800-37 we offer ImmuniWeb® Continuous for incremental 24/7 testing of any new or updated code.

All ImmuniWeb® products leverage our award-winning Multilayer Application Security Testing and AI technology for intelligent automation and acceleration of Application Security Testing. Driven by human penetration testing, it rapidly detects even the most sophisticated vulnerabilities and comes with a zero false-positive SLA.

Quick Start
Solutions
Get a Demo
Newsletter