FISMA NIST 800-53 Compliance and Application Security

The National Institute of Standards and Technology (NIST) developed Special Publication 800-53 to provide guidelines
for selecting and implementing security controls in US federal organizations and in contractors that process
or store federal information on their behalf, as required by FISMA, a US federal law.

NIST Special Publication 800-53 Revision 4 for FISMA

This publication (“Security and Privacy Controls for Federal Information Systems and Organizations”) has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347.

FISMA NIST 800-53 imposes various data protection, privacy and security testing requirements on every organization that must adhere to it. Web and mobile application security is an important part of the FISMA NIST 800-53 compliance process, as the following controls show:

CA-2 SECURITY ASSESSMENTS

  • “Develops a security assessment plan that describes the scope of the assessment including:
    1. Security controls and control enhancements under assessment;
    2. Assessment procedures to be used to determine security control effectiveness; and
    3. Assessment environment, assessment team, and assessment roles and responsibilities;
  • Assesses the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
  • Produces a security assessment report that documents the results of the assessment; and
  • Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].”

CA-7 CONTINUOUS MONITORING

“The organization develops a continuous monitoring strategy and implements a continuous monitoring program.”

CA-8 PENETRATION TESTING

“The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.”

CM-8 INFORMATION SYSTEM COMPONENT INVENTORY

  • “Develops and documents an inventory of information system components that:
    1. Accurately reflects the current information system;
    2. Includes all components within the authorization boundary of the information system;
    3. Is at the level of granularity deemed necessary for tracking and reporting; and
  • Reviews and updates the information system component inventory [Assignment: organization-defined frequency].”

RA-5 VULNERABILITY SCANNING

  • “Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
  • Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
    1. Enumerating platforms, software flaws, and improper configurations;
    2. Formatting checklists and test procedures; and
    3. Measuring vulnerability impact;
  • Analyzes vulnerability scan reports and results from security control assessments;”

SA-11 DEVELOPER SECURITY TESTING AND EVALUATION

“The organization requires the developer of the information system, system component, or information system service to:

  • Create and implement a security assessment plan;
  • Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
  • Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
  • Implement a verifiable flaw remediation process; and
  • Correct flaws identified during security testing/evaluation.”

SA-22 UNSUPPORTED SYSTEM COMPONENTS

“The organization replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer.”

SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY

“The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.”

SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES

“The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.”

SC-38 OPERATIONS SECURITY

“The organization employs [Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle. The Operations Security (OPSEC) process involves five steps:

  • identification of critical information (e.g., the security categorization process);
  • analysis of threats;
  • analysis of vulnerabilities;
  • assessment of risks; and
  • the application of appropriate countermeasures.”

SI-2 FLAW REMEDIATION

“The organization:

  • Identifies, reports, and corrects information system flaws;
  • Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
  • Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
  • Incorporates flaw remediation into the organizational configuration management process.”

SI-4 INFORMATION SYSTEM MONITORING

“The organization:

  • Monitors the information system to detect:
    1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
    2. Unauthorized local, network, and remote connections;
  • Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods].”

SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES

“The organization receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis”

SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

“The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].”
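What an "integrity verification tool" does in practice is record a cryptographic hash of every monitored file and later report anything added, removed or modified. The script below is an added illustration, not code from ImmuniWeb or NIST: it builds a SHA-256 baseline of a directory tree, verifies the tree against it, and seals the baseline with an HMAC so that an attacker who alters a file cannot also quietly rewrite the baseline to match. The directory contents, file names and HMAC key in `demo()` are constructed for the example.

```python
"""File-integrity baseline and verification in the style of SI-7.

Added illustration, not code from ImmuniWeb or NIST. Assumes a directory tree
of files to monitor; the baseline is serialized as JSON and protected with an
HMAC-SHA256 tag so that tampering with the baseline itself is detected.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link pointing outside the tree is not followed."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = _sha256_file(p)
    return baseline


def verify(root, baseline: dict) -> dict:
    """Compare the current tree against a baseline: added, removed, modified."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """Serialize the baseline with an HMAC-SHA256 tag over its canonical JSON."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}, sort_keys=True).encode()


def open_baseline(blob: bytes, key: bytes) -> dict:
    """Check the HMAC before trusting a stored baseline; raise on tampering."""
    doc = json.loads(blob)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline integrity check failed")
    return doc["baseline"]


def demo() -> dict:
    """Walk through baseline, tampering and detection on a constructed tree."""
    key = b"constructed-demo-key"  # in production: kept off the monitored host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary")
        (root / "config.yaml").write_text("debug: false\n")
        sealed = seal_baseline(build_baseline(root), key)

        # Simulated unauthorized changes: a replaced binary, a new script,
        # and a deleted configuration file.
        (root / "bin" / "app").write_bytes(b"trojaned binary")
        (root / "backdoor.sh").write_text("#!/bin/sh\n")
        (root / "config.yaml").unlink()
        result = verify(root, open_baseline(sealed, key))

        # Simulated attempt to rewrite the stored baseline to hide the change.
        doc = json.loads(sealed)
        doc["baseline"]["bin/app"] = _sha256_file(root / "bin" / "app")
        try:
            open_baseline(json.dumps(doc).encode(), key)
            result["tamper_detected"] = False
        except ValueError:
            result["tamper_detected"] = True
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC key is the weak point of this design: if it lives on the same host as the files, whoever can modify the files can reseal the baseline. Keep it, or the baseline itself, on a separate system, or sign the baseline with a key the monitored host does not hold.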

PM-5 INFORMATION SYSTEM INVENTORY

“The organization develops and maintains an inventory of its information systems. Supplemental Guidance: This control addresses the inventory requirements in FISMA. OMB provides guidance on developing information systems inventories and associated reporting requirements. For specific information system inventory reporting requirements, organizations consult OMB annual FISMA reporting guidance.”

PM-14 TESTING, TRAINING, AND MONITORING

“The organization implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems.”

ImmuniWeb® Products for FISMA NIST 800-53 Compliance

Application security and compliance start with visibility: you cannot protect what you do not know you have. We therefore recommend beginning a FISMA NIST 800-53 program with asset discovery and inventory.

ImmuniWeb® Discovery rapidly detects your external web, mobile and cloud assets and assigns each one an attractiveness and a hackability score. Based on Big Data and our proprietary AI technology, the entire process is rapid and non-intrusive. Once you have a comprehensive and up-to-date inventory of your assets, you are ready to start well-informed, risk-based application security testing.

For one-time security testing of your web applications and APIs, we recommend using ImmuniWeb® On-Demand.

For iOS and Android mobile apps and their backends (e.g. REST/SOAP APIs and web services) we provide all-inclusive testing with ImmuniWeb® MobileSuite.

For the most critical applications that directly affect your FISMA NIST 800-53 compliance we offer ImmuniWeb® Continuous, which provides incremental 24/7 testing of any new or updated code.

All ImmuniWeb® products leverage our award-winning Multilayer Application Security Testing and AI technology for intelligent automation and acceleration of Application Security Testing. Driven by human penetration testing, it rapidly detects even the most sophisticated vulnerabilities and comes with a zero false-positive SLA.
