
FISMA NIST 800-37 Compliance and Application Security

The National Institute of Standards and Technology (NIST) developed Special Publication 800-37 to describe a Risk Management Framework (RMF) and its application to US federal organizations and to contractors that process or store federal information, as required by FISMA, a US federal law.

NIST Special Publication 800-37 Revision 2 for FISMA

This publication (“Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy”) is intended to help organizations manage security and privacy risk, and to satisfy the requirements in the Federal Information Security Modernization Act of 2014 (FISMA), 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283.

FISMA NIST 800-37 imposes various data protection, privacy and security testing requirements on all organizations that must adhere to it. Holistic visibility and inventory of digital assets, together with web and mobile application security, are an indispensable part of the FISMA NIST 800-37 compliance process, as the following tasks show:

TASK P-10 ASSET IDENTIFICATION

“Stakeholder assets are identified and prioritized [Cybersecurity Framework: ID.AM]”

TASK P-15 REQUIREMENTS DEFINITION

“Security and privacy requirements are defined and prioritized [Cybersecurity Framework: ID.GV; PR.IP]”

TASK P-18 SYSTEM REGISTRATION

“The system is registered for purposes of management, accountability, coordination, and oversight. [Cybersecurity Framework: ID.GV]”

TASK S-6 PLAN REVIEW AND APPROVAL

“Security and privacy plans reflecting the selection of controls necessary to protect the system and the environment of operation commensurate with risk are reviewed and approved by the authorizing official.”

TASK A-1 ASSESSOR SELECTION

“An assessor or assessment team is selected to conduct the control assessments. The appropriate level of independence is achieved for the assessor or assessment team selected.”

TASK A-2 ASSESSMENT PLAN

  • “Documentation needed to conduct the assessments is provided to the assessor or assessment team.
  • Security and privacy assessment plans are developed and documented.
  • Security and privacy assessment plans are reviewed and approved to establish the expectations for the control assessments and the level of effort required.”

TASK A-3 CONTROL ASSESSMENTS

  • “Control assessments are conducted in accordance with the security and privacy assessment plans.
  • Opportunities to reuse assessment results from previous assessments to make the risk management process timely and cost-effective are considered.
  • Use of automation to conduct control assessments is maximized to increase speed, effectiveness, and efficiency of assessments.”

TASK A-4 ASSESSMENT REPORTS

“Security and privacy assessment reports that provide findings and recommendations are completed.”

TASK M-1 SYSTEM AND ENVIRONMENT CHANGES

“The information system and environment of operation are monitored in accordance with the continuous monitoring strategy. [Cybersecurity Framework: DE.CM; ID.GV]”

TASK M-2 ONGOING ASSESSMENTS

“Ongoing assessments of control effectiveness are conducted in accordance with the continuous monitoring strategy. [Cybersecurity Framework: ID.SC-4]”

TASK M-3 ONGOING RISK RESPONSE

“The output of continuous monitoring activities is analyzed and responded to appropriately. [Cybersecurity Framework: RS.AN]”

TASK M-5 SECURITY AND PRIVACY REPORTING

“A process is in place to report the security and privacy posture to the authorizing official and other senior leaders and executives.”

ImmuniWeb® for FISMA NIST 800-37 Compliance

Application security and compliance for FISMA NIST 800-37 start with holistic visibility of your digital assets and their related risks and threats. You simply cannot protect what you don’t know. We therefore recommend commencing your FISMA NIST 800-37 compliance efforts with IT asset discovery, inventory, classification and risk scoring. ImmuniWeb® Discovery leverages OSINT technology to rapidly detect your external web, mobile and cloud assets, each annotated with attractiveness and hackability scores. Based on our award-winning AI technology, ImmuniWeb Discovery will likewise provide you with a snapshot of your exposure in the Deep and Dark Web. Once discovery is complete, you are ready to start well-informed, risk-based application security testing for the purpose of FISMA NIST 800-37 compliance.

For one-time security testing of your web applications and APIs, we recommend ImmuniWeb® On-Demand, equipped with CVE and CWE reporting and CVSSv3 risk scoring. Its in-depth and rapid testing is based on the OWASP Testing Guide (OTGv4), NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, the PCI DSS Information Supplement Penetration Testing Guidance, the FedRAMP Penetration Test Guidance and ISACA’s How to Audit GDPR. The testing comprehensively covers the full spectrum of security vulnerabilities from the SANS Top 25 and OWASP Top 10.

For iOS and Android mobile apps and their backends (e.g. APIs or REST/SOAP web services), we provide all-inclusive testing with ImmuniWeb® MobileSuite, equipped with CVE and CWE reporting and CVSSv3 risk scoring. Its in-depth and rapid testing is based on the OWASP Mobile Security Testing Guide (MSTG) and OWASP Testing Guide (OTGv4), NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, the PCI DSS Information Supplement Penetration Testing Guidance, the FedRAMP Penetration Test Guidance and ISACA’s How to Audit GDPR. The testing comprehensively covers the full spectrum of security vulnerabilities from the SANS Top 25 and OWASP Mobile Top 10.

For the most critical applications that directly impact your FISMA NIST 800-37 compliance, we offer ImmuniWeb® Continuous for incremental 24/7 testing of any new or updated code. It is equipped with CVE and CWE reporting and CVSSv3 risk scoring. Its in-depth and rapid testing is based on the OWASP Testing Guide (OTGv4), NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, the PCI DSS Information Supplement Penetration Testing Guidance, the FedRAMP Penetration Test Guidance and ISACA’s How to Audit GDPR. The testing comprehensively covers the full spectrum of security vulnerabilities from the SANS Top 25 and OWASP Top 10.
