FISMA NIST 800-53 Compliance and Application Security

The National Institute of Standards and Technology (NIST) developed Special Publication 800-53 to provide guidelines
for selecting and implementing security controls for US federal organizations and their contractors
that process or store federal information, as required by FISMA, a US federal law.

NIST Special Publication 800-53 Revision 4 for FISMA

This publication (“Security and Privacy Controls for Federal Information Systems and Organizations”) has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347.

FISMA NIST 800-53 imposes various data protection, privacy and security testing requirements on all organizations that must adhere to it. Holistic visibility and inventory of digital assets, together with web and mobile application security, are an indispensable part of the FISMA NIST 800-53 compliance process:

CA-2 SECURITY ASSESSMENTS

  • “Develops a security assessment plan that describes the scope of the assessment including:
    1. Security controls and control enhancements under assessment;
    2. Assessment procedures to be used to determine security control effectiveness; and
    3. Assessment environment, assessment team, and assessment roles and responsibilities;
  • Assesses the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
  • Produces a security assessment report that documents the results of the assessment; and
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].”

CA-7 CONTINUOUS MONITORING

“The organization develops a continuous monitoring strategy and implements a continuous monitoring program.”

CA-8 PENETRATION TESTING

“The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.”

CM-8 INFORMATION SYSTEM COMPONENT INVENTORY

  • “Develops and documents an inventory of information system components that:
    1. Accurately reflects the current information system;
    2. Includes all components within the authorization boundary of the information system;
    3. Is at the level of granularity deemed necessary for tracking and reporting; and
  • Reviews and updates the information system component inventory [Assignment: organization-defined frequency].”

RA-5 VULNERABILITY SCANNING

  • “Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
  • Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
    1. Enumerating platforms, software flaws, and improper configurations;
    2. Formatting checklists and test procedures; and
    3. Measuring vulnerability impact;
  • Analyzes vulnerability scan reports and results from security control assessments;”

SA-11 DEVELOPER SECURITY TESTING AND EVALUATION

“The organization requires the developer of the information system, system component, or information system service to:

  • Create and implement a security assessment plan;
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
  • Implement a verifiable flaw remediation process; and
  • Correct flaws identified during security testing/evaluation.”

SA-22 UNSUPPORTED SYSTEM COMPONENTS

“The organization replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer.”

SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY

“The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.”

SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES

“The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.”

SC-38 OPERATIONS SECURITY

“The organization employs [Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle. The Operations Security (OPSEC) process involves five steps:

  • identification of critical information (e.g., the security categorization process);
  • analysis of threats;
  • analysis of vulnerabilities;
  • assessment of risks; and
  • the application of appropriate countermeasures.”

SI-2 FLAW REMEDIATION

“The organization:

  • Identifies, reports, and corrects information system flaws;
  • Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
  • Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
  • Incorporates flaw remediation into the organizational configuration management process.”

SI-4 INFORMATION SYSTEM MONITORING

“The organization:

  • Monitors the information system to detect:
    1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
    2. Unauthorized local, network, and remote connections;
  • Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods].”

SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES

“The organization receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis.”

SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

“The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].”

PM-5 INFORMATION SYSTEM INVENTORY

“The organization develops and maintains an inventory of its information systems. Supplemental Guidance: This control addresses the inventory requirements in FISMA. OMB provides guidance on developing information systems inventories and associated reporting requirements. For specific information system inventory reporting requirements, organizations consult OMB annual FISMA reporting guidance.”

PM-14 TESTING, TRAINING, AND MONITORING

“The organization implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems.”

ImmuniWeb® for FISMA NIST 800-53 Compliance

Application security and compliance for FISMA NIST 800-53 start with holistic visibility of your digital assets and their related risks and threats. You simply cannot protect what you don't know about. Therefore, we recommend commencing your FISMA NIST 800-53 compliance efforts with IT asset discovery, inventory, classification and risk scoring. Our ImmuniWeb® Discovery leverages OSINT technology to rapidly detect your external web, mobile and cloud assets, each annotated with attractiveness and hackability scores. Based on our award-winning AI technology, ImmuniWeb Discovery will likewise provide you with a snapshot of your exposure in the Deep and Dark Web. Once completed, you are ready to start well-informed, risk-based application security testing for the purpose of FISMA NIST 800-53 compliance.

For one-time security testing of your web applications and APIs, we recommend ImmuniWeb® On-Demand, equipped with CVE and CWE reporting and CVSSv3 risk scoring. Its in-depth and rapid testing is based on the OWASP Testing Guide (OTGv4), NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, PCI DSS Information Supplement Penetration Testing Guidance, FedRAMP Penetration Test Guidance and ISACA’s How to Audit GDPR. The testing comprehensively covers the full spectrum of security vulnerabilities from the SANS Top 25 and OWASP Top 10.

For iOS and Android mobile apps and their backends (e.g. APIs or REST/SOAP web services), we provide all-inclusive testing with ImmuniWeb® MobileSuite, equipped with CVE and CWE reporting and CVSSv3 risk scoring. Its in-depth and rapid testing is based on the OWASP Mobile Security Testing Guide (MSTG) and OWASP Testing Guide (OTGv4), NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, PCI DSS Information Supplement Penetration Testing Guidance, FedRAMP Penetration Test Guidance and ISACA’s How to Audit GDPR. The testing comprehensively covers the full spectrum of security vulnerabilities from the SANS Top 25 and OWASP Mobile Top 10.

For the most critical applications that directly impact your FISMA NIST 800-53 compliance, we offer ImmuniWeb® Continuous for incremental 24/7 testing of any new or updated code. It is equipped with CVE and CWE reporting and CVSSv3 risk scoring, and its in-depth and rapid testing is based on the OWASP Testing Guide (OTGv4), NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, PCI DSS Information Supplement Penetration Testing Guidance, FedRAMP Penetration Test Guidance and ISACA’s How to Audit GDPR. The testing comprehensively covers the full spectrum of security vulnerabilities from the SANS Top 25 and OWASP Top 10.

DISCLAIMER: The information provided on this website does not, and is not intended to, constitute a legal advice; instead, all information, content, and materials available on this website are provided for general informational purposes only.