Federal Government
Protect national security and secure critical government infrastructure from loss of sensitive information.
Security challenges for Federal agencies
The U.S. Federal government faces a rising tide of security threats from criminal entities intent on stealing the private information it gathers, stores, and transmits. The theft and resale of unsecured sensitive information held by the Federal government is fueled by a black market that will purchase anything from social security numbers and veterans' records to the entire spectrum of confidential military intelligence. Government agencies must be increasingly vigilant in protecting data on servers and portable devices alike, from enormous databases behind custom applications and industrial control systems all the way down to laptops.
The total number of records compromised is rising to staggering levels, even under increasing public and Congressional scrutiny. According to a December 2009 report released by the Identity Theft Resource Center (ITRC), breaches in 2009 had compromised more than 79 million records, whereas fewer than 3 million were exposed in 2008, which represents a staggering 2500% growth in the number of individuals whose personal information was exposed via the federal government in 2009 (year to date) vs. 2008. The ITRC's report further underlines the need for government and military organizations to be more vigilant about securing data. The damage that identity theft causes individuals can result in both a financial and emotional burden that drags on for years.
In addition, the loss of reputation and the crippling costs of the legal fallout for those found responsible can be enormous. This holds true whether the data exposure is due to the actions of an external malicious hacker, or due to an internal security policy breakdown. For example, the National Archives and Records Administration (NARA) data exposures in 2009 all involved improper handling of hardware containing 76 million veterans' personal records. Even with this evidence pointing to the need to adopt an integrated security program, Federal agencies continue to struggle to determine what the most cost-effective approach will be in an increasingly complex regulatory environment.
Security standards for Federal agencies
The Federal Information Security Management Act (FISMA) was created to govern the management of information security in the Federal government. FISMA acts as the umbrella legislation for several standards that collectively support the overall FISMA mandate. These standards provide guidance on the specific operational, technical, and management security controls that should guide the implementation of hands-on security practices and configuration settings. Key security standards for FISMA are detailed in NIST Special Publication 800-53 (referred to simply as NIST SP 800-53), as well as in the Federal Information Processing Standards (FIPS), specifically FIPS 199 and FIPS 200. The Office of Management and Budget (OMB) is responsible for reviewing FISMA audit documentation annually from each covered entity and reporting its findings to the U.S. Congress. Protecting critical government infrastructure with an on-going vulnerability management program is a necessary prerequisite to ensuring FISMA compliance.
How Rapid7 Helps
Rapid7 helps you comply with security controls RA-5 and CA-7 of NIST SP 800-53 v3 in order to achieve FISMA compliance because:
- Nexpose is a certified FDCC and SCAP-compliant vulnerability scanning tool. Nexpose supports interoperability and open standards among tools by using standardized enumerations for platforms, software flaws, and misconfigurations, which paves the way for standardized formatting, transparent checklists/benchmarks, and sharable test procedures. Nexpose provides a standardized way of measuring vulnerability impact by using its native CVSS v2 algorithm for risk scoring. The use of SCAP standards together with the flexible Nexpose API allows Nexpose to communicate with your existing disaster recovery, event management, help desk, and asset management tools. (Security Control RA-5)
- Nexpose scans for vulnerabilities throughout your infrastructure to optimize your network security, Web application security and database security strategies, including within desktop applications and hosted applications. Nexpose then provides both executive summary and detailed remediation reports on vulnerabilities discovered. The Rapid7 Managed Services option provides both external vulnerability scanning and independent validation. (Security Control RA-5)
- Nexpose enables scanning on sensitive Industrial Control System (ICS) networks found in Federal government facilities, as well as in both Healthcare Services and Energy utilities, by using the pre-configured, out-of-the-box Nexpose SCADA Scan Template. Additional control enhancements suggested by NIST include utilizing independent assessors and penetration tests. The Rapid7 Penetration Testing Service will customize a penetration testing package for your needs. Rapid7 Consulting Services also offer full on-site security assessments to provide independent validation of your Red Team’s internal scanning results. (Security Control RA-5)
- Nexpose provides the capability for you to perform scheduled and ad-hoc testing of the effectiveness of your security program by enabling you to use on-going vulnerability scanning as part of an integrated security program. Nexpose generates remediation reports that include vulnerabilities uncovered during vulnerability scans, along with detailed remediation steps. Additional control enhancements suggested by NIST include utilizing independent assessors and penetration tests. The Rapid7 Penetration Testing Service will customize a penetration testing package for your needs. Rapid7 Consulting Services also offer full on-site security assessments to provide independent validation of your Red Team’s internal scanning results. (Security Control CA-7)
With Rapid7 Nexpose, our Professional Services staff can perform independent vulnerability scans, conduct penetration testing and produce the documentation required by retailers to comply with security controls CA-2, SC-7, PE-3, SA-11 and SA-12 of NIST SP 800-53 v3.
These services include:
- Providing penetration testing services, onsite security control assessments, and best practices consulting, including the required assessment annually (at a minimum). Rapid7 security experts also perform risk assessments, which FISMA defines as synonymous with vulnerability assessments. (Security Control CA-2)
- Providing penetration testing services to test compliance with the new requirement that the information system fail securely in the event of an operational failure of a boundary protection device. The additional control enhancement suggested by NIST instructs system owners who manage boundary protection devices (e.g., a router, firewall, guard, or application gateway residing on a protected sub-network commonly referred to as a demilitarized zone) to ensure that a failure of a boundary protection device cannot allow information external to the device to enter the protected network, nor permit unauthorized information release. The Rapid7 Penetration Testing Service will customize a penetration testing package to test these boundary conditions. (Security Control SC-7.18)
- Providing penetration testing services, onsite security control assessments, and best practices consulting in compliance with the security controls outlined in PE-3 ‘Physical Access Control’. Additional control enhancements suggested by NIST to increase the effectiveness of this security control include conducting penetration testing that includes unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility. The Rapid7 Penetration Testing Service can include Social Engineering penetration testing designed to test physical and human security conditions. (Security Control PE-3.6)
- Providing onsite security control assessments and best practices consulting with the option of Developer Security Best Practices training in order to facilitate the implementation of a verifiable flaw remediation process to correct weaknesses and deficiencies in the software development lifecycle (SDLC) that were identified during the security testing and evaluation process. Additional control enhancements suggested by NIST to increase the effectiveness of this security control include having system developers/integrators perform a vulnerability analysis to document vulnerabilities, exploitation potential, and risk mitigations. The Rapid7 Penetration Testing Service will customize a Security Best Practices, Web Application Assessment, and Training package for your needs. (Security Control SA-11.2)
- Providing penetration testing services in compliance with the security controls outlined in SA-12 ‘Supply Chain Protection’ by conducting independent analysis and penetration testing against delivered information systems, information system components, and information technology products to ensure measures are in place to protect against supply chain threats. (Security Control SA-12)
To learn more about how Rapid7 can help you to meet the key standards and security controls to comply with FISMA requirements, refer to the Rapid7 FISMA Compliance Guide.
Implement cost-effective, risk-based security tools and best practices to protect critical government infrastructures from data breaches. Contact us to find out how Rapid7 can help you implement security controls for FISMA compliance.
"Nexpose not only provides system protection, but is instrumental in redirecting the resources of the City of Philadelphia to streamline the infrastructure of the IT department."
Michael King, CISO, City of Philadelphia