NIST Special Publication 800-53 Revision 5.2.0 report
The NIST Special Publication 800-53 Revision 5.2.0 compliance report helps you assess your web app's security against the security and privacy controls required for U.S. federal information systems.
About NIST Special Publication 800-53
The National Institute of Standards and Technology (NIST) develops standards and guidelines for federal information systems to meet the Federal Information Security Management Act (FISMA). NIST Special Publication 800-53 provides a catalog of security and privacy controls to protect U.S. federal information systems and assets. To select controls for a system, an organization must:
- Determine the security category of their information system (per FIPS 199).
- Apply the appropriate set of baseline security controls from NIST Special Publication 800-53.
- Use a risk assessment to validate the control set and identify any additional controls needed.
AppScan's NIST compliance report helps you detect potential issues in your web application that are relevant to these security controls. The report is based on the high-impact baseline, which is a superset of the moderate and low baselines. If your organization uses a low or moderate control baseline, some of the controls reported here might not be part of your required set, so adjust the results accordingly.
Covered information
NIST Special Publication 800-53 provides a catalog of security and privacy controls for information systems and organizations. These controls protect organizational operations, assets, individuals, and other organizations from diverse threats and risks. These risks include hostile attacks, human errors, natural disasters, structural failures, foreign intelligence, and privacy risks.
The controls are flexible, customizable, and implemented as part of an organization-wide risk management process. They address requirements from mission and business needs, laws, regulations, policies, and standards.
Covered entities
The guidelines apply to federal information systems used or operated by:
- An executive agency.
- A contractor of an executive agency.
- Another organization on behalf of an executive agency.
These guidelines do not apply to national security systems unless approved by the appropriate federal officials. State, local, tribal, and private sector organizations are also encouraged to use these guidelines as appropriate.
Compliance and auditing
- Compliance required by: Agencies are typically expected to comply with NIST standards and guidelines within one year of the publication date, unless directed otherwise by the Office of Management and Budget (OMB) or NIST.
- Regulators and auditors: Per FISMA, the OMB requires federal agencies to prepare Plans of Action and Milestones (POA&M) reports for all programs and systems where an IT security weakness is found.
NIST Special Publication 800-53 report vulnerabilities
The following table lists the specific NIST Special Publication 800-53 technical security controls that AppScan Enterprise evaluates. Vulnerabilities found in your app are mapped to these control IDs. The bracketed [Selection: ...] and [Assignment: ...] text is the publication's own placeholder for parameter values that each organization defines for itself.
| ID | Control text |
|---|---|
| AC-2(2) | Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. |
| AC-4 | Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. |
| AC-6 | Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. |
| AC-7.a | Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; |
| AC-10 | Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. |
| AC-12 | Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. |
| AC-17 | a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. |
| CM-7 | a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. |
| IA-2 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
| IA-4(1) | Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts. |
| IA-5 | Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b. Establishing initial authenticator content for any authenticators issued by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e. Changing default authenticators prior to first use; f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur; g. Protecting authenticator content from unauthorized disclosure and modification; h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i. Changing authenticators for group or role accounts when membership to those accounts changes. |
| RA-5 | a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. |
| SC-5 | a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]. |
| SC-8 | Protect the [Selection (one or more): confidentiality; integrity] of transmitted information. |
| SC-13 | a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]. |
| SC-23 | Protect the authenticity of communications sessions. |
| SI-3.A | Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code. |
| SI-3.B | Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures. |
| SI-10 | Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]. |
| SI-11.A | Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; |
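The AC-7.a and AC-12 rows above state requirements in terms of [Assignment: ...] placeholders. The following Python is an added example, not AppScan code and not part of the NIST publication, that fills those placeholders with concrete values and enforces both controls for a small in-memory logon service: a limit on consecutive invalid logon attempts within a time window (AC-7.a) and automatic session termination after a period of inactivity (AC-12). The policy numbers, the sample credentials, and the response to exceeding the limit (locking the account for a fixed period; the page lists only AC-7.a, which sets the limit but not the response) are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class LogonPolicy:
    """Example values for the control's [Assignment: ...] placeholders (assumed, not from the page)."""
    max_failures: int = 3            # AC-7.a: organization-defined number of consecutive invalid logons
    window_seconds: int = 900        # AC-7.a: organization-defined time period for counting them
    lockout_seconds: int = 900       # assumed response once the limit is hit (not stated on the page)
    idle_timeout_seconds: int = 600  # AC-12: trigger event = no activity for this long


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent invalid logons
    locked_until: float = 0.0                     # epoch seconds; 0 means not locked


class LogonGuard:
    def __init__(self, policy: LogonPolicy, credentials: dict):
        self.policy = policy
        self.credentials = credentials  # constructed sample data; plaintext only to keep the example short
        self.accounts = {}              # username -> AccountState
        self.sessions = {}              # session id -> (username, last activity time)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def logon(self, user: str, password: str, now: float = None):
        """Return (status, session_id); status is 'ok', 'invalid' or 'locked'."""
        now = time.time() if now is None else now
        st = self._state(user)
        # AC-7.a: refuse while locked even if the password is right, so the lock cannot be
        # used as an oracle that tells an attacker which guess was correct.
        if now < st.locked_until:
            return "locked", None
        expected = self.credentials.get(user, "")
        if user in self.credentials and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures.clear()  # a successful logon ends the run of consecutive failures
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = (user, now)
            return "ok", sid
        # Keep only failures inside the window, then record this one.
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return "locked", None
        return "invalid", None

    def touch(self, sid: str, now: float = None) -> bool:
        """Validate a session on each request; AC-12 terminates it after idle_timeout_seconds."""
        now = time.time() if now is None else now
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        user, last = entry
        if now - last > self.policy.idle_timeout_seconds:
            del self.sessions[sid]  # AC-12: automatic termination on the trigger event
            return False
        self.sessions[sid] = (user, now)
        return True

    def logoff(self, sid: str) -> None:
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    guard = LogonGuard(LogonPolicy(), {"alice": "correct horse battery"})
    for attempt in range(3):
        print(guard.logon("alice", "wrong", now=1000 + attempt)[0])  # invalid, invalid, locked
    print(guard.logon("alice", "correct horse battery", now=1003)[0])  # still locked
```

Time is passed in explicitly so the behaviour is reproducible in tests; in a real service the `now` argument would be omitted and the state would live in a shared store rather than in-process dictionaries. A scanner reporting against AC-7.a is checking for the absence of the limit enforced in `logon`; one reporting against AC-12 is checking that a session like the one tracked in `touch` actually stops working after the organization-defined trigger.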