
White Paper

Understanding NIST 800-37 FISMA Requirements

Contents
Overview
I. The Role of NIST in FISMA Compliance
II. NIST Risk Management Framework for FISMA
III. Application Security and FISMA
IV. NIST SP 800-37 and FISMA
V. How Veracode Can Help
VI. NIST SP 800-37 Tasks & Veracode Solutions
VII. Summary and Conclusions
About Veracode

2008 Veracode, Inc.

Overview
The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub. L. 107-347, 116 Stat. 2899). The Act is meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating information security controls and periodic audits.

I. The Role of NIST in FISMA Compliance
The National Institute of Standards and Technology (NIST) is chartered with developing and issuing standards, guidelines, and other publications which federal agencies must follow to implement FISMA and manage cost-effective programs to protect their information and information systems. The NIST Special Publications (SP) 800 series, combined with NIST's FIPS 199 and FIPS 200, create the risk-based framework which federal agencies use to assess, select, monitor and document security controls for their information systems.

NIST standards and guidelines are organized as follows:

• Federal Information Processing Standards (FIPS) are developed by NIST in accordance with FISMA. FIPS are approved by the Secretary of Commerce and are compulsory and binding for federal agencies. Since FISMA requires that federal agencies comply with these standards, agencies may not waive their use.

• Guidance documents and recommendations are issued in the NIST Special Publication (SP) 800 series. Office of Management and Budget (OMB) policies (including OMB Memorandum M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management) state that for other than national security programs and systems, agencies must follow NIST guidance.¹

• Other security-related publications, including interagency and internal reports (NISTIRs) and ITL Bulletins, provide technical and other information about NIST's activities. These publications are mandatory only when so specified by OMB.

II. NIST Risk Management Framework for FISMA
NIST has created a set of standards and guides which create a Risk Management Framework for agencies to manage organizational risk in accordance with FISMA requirements. This framework sets forth an approach to security control selection and specification with consideration to effectiveness, efficiency, and constraints. Federal agencies must undertake the following steps to maintain an effective information security program:

Figure 1 NIST Framework

Step 1: Define criticality/sensitivity of information system according to potential impact of loss
Step 2: Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate
Step 3: Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence
Step 4: Document in the security plan the security requirements for the information system and the security controls planned or in place
Step 5: Implement security controls; apply security configuration settings
Step 6: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements)
Step 7: Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation
Step 8: Continuously track changes to the information system that may affect security controls and reassess control effectiveness

III. Application Security and FISMA
Federal agencies have aggressively moved towards an e-Government model, adapting and migrating paper-based processes to an internet-based service model. As a result, virtually all federal information activity is controlled by software and universally accessible via web applications. Not surprisingly, attacks are now focused at the application layer, with as much as 75% of all new attacks targeted against software. As shown in the figure below, the National Vulnerability Database is reporting over 3,400 new software vulnerabilities disclosed in the first half of 2007 alone.

Figure 2 Vulnerabilities by Severity (Source: Microsoft, from NVD statistics)

Not only is the number of vulnerabilities increasing, but perhaps the most alarming trend is the rise of High Severity vulnerabilities as a percentage of the total. As a result, auditors are looking more closely at controls related to software security, and federal agencies must ensure that software applications have been tested for vulnerabilities that may compromise their systems in order to achieve FISMA compliance.

IV. NIST SP 800-37 and FISMA
As part of its FISMA responsibility to develop standards and guidance for federal agencies, NIST created Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. This guide is an integral part of the NIST Risk Management Framework for FISMA and is used by agencies to understand requirements and implement tasks pertaining to the certification, accreditation and continuous monitoring of information systems.

The NIST SP 800-37 certification and accreditation process consists of four distinct phases, as shown in Figure 3 below:

Initiation Phase: Ensure that the authorizing official and senior agency information security officer are in agreement with the contents of the system security plan.

Security Certification Phase: Determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome.

Security Accreditation Phase: Determine if the remaining known vulnerabilities in the information system pose an acceptable level of risk to agency operations, agency assets, or individuals.

Continuous Monitoring Phase: Provide oversight and monitoring of the security controls in the information system on an ongoing basis and inform the authorizing official when changes occur.

Figure 3 NIST SP 800-37 Phases

Once there is agreement on the contents of the system security plan during the initiation phase, the certification agent can begin the assessment of the security controls in the information system. The certification agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment, of the information system; to ensure the credibility of the assessment results, the certification agent should be an outside expert that is independent from the persons directly responsible for the development, implementation and management of the information system. However, security certification does not include the determination of risk to the agency. It is in the security accreditation phase that the senior management of the agency reviews the findings of the security certification and assesses the risk posed to agency operations, agency assets, or individuals to decide whether the system should be accredited. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs.

V. How Veracode Can Help
To help address the needs of federal agencies to assess their application security risks for FISMA compliance, Veracode has designed the first complete, automated application security testing service that incorporates multiple vulnerability scanning technologies in an integrated on-demand model. Based on its centralized on-demand platform, Veracode can deliver results in a matter of hours across the entire agency without the need to purchase any hardware or software or hire additional consultants.

How Veracode's SecurityReview Works
As an easy-to-use on-demand service, all Veracode requires from the agency to scan software applications is either a URL of the web application, the application binary for internally developed software, or the vendor contact for third parties that provided software to the agency. Since Veracode's on-demand service is based on web scanning and binary analysis, no source code is required to conduct the testing. Results to the agency are available in as quickly as 24 to 72 hours, providing detailed vulnerability reports which are used to provide documentation and evidence for the agency's information security program.

Independent Review with Standards-Based Ratings
As an expert in application security, Veracode is in a unique position to provide an independent assessment and standards-based rating to ensure your applications comply with FISMA rules. Auditors require proof that your applications are free from vulnerabilities, and they need a method to evaluate findings against a well-known industry benchmark. Veracode's Ratings System solves this issue by producing a software security rating based on respected government standards, including NIST for definitions of assurance levels, MITRE's Common Weakness Enumeration (CWE) for classification of software weaknesses, and FIRST's Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability. These universally accepted vulnerability scoring methods provide auditors confidence that you have effective security controls in place.

VI. NIST SP 800-37 Tasks & Veracode Solutions
NIST has divided the four phases of SP 800-37 into a series of ten tasks which agencies use to streamline their certification and accreditation processes and comply with FISMA. While these tasks are applicable to all aspects of information security, Veracode's application security testing provides independent testing which can be used as evidence and documentation to support a variety of NIST SP 800-37 activities. The following table provides guidance on how Veracode can be used to support tasks identified by NIST SP 800-37:

Table columns: NIST 800-37 Task | Description | Veracode Solution

Task 1: Preparation

Task 1.3 Threat Identification
Description: Confirm that potential threats that could exploit information system flaws or weaknesses have been identified and documented in the system security plan, risk assessment, or an equivalent document.
Veracode Solution: Veracode's application security testing can be used to identify threats in the agency's application inventory which could affect the confidentiality, integrity or availability of the system.

Task 1.4 Vulnerability Identification
Description: Confirm that flaws or weaknesses in the information system that could be exploited by potential threat sources have been identified and documented in the system security plan, risk assessment, or an equivalent document.
Veracode Solution: Per NIST's recommendation, Veracode provides an automated scanning solution to identify vulnerabilities in software.

Task 1.6 Initial Risk Determination
Description: Confirm that the risk to agency operations, agency assets, or individuals has been determined and documented in the system security plan, risk assessment, or an equivalent document.
Veracode Solution: Veracode can identify vulnerabilities resulting from the absence of security within software applications.

Task 4: Security Control Assessment

Task 4.1 Documentation and Supporting Materials
Description: Assemble any documentation and supporting materials necessary for the assessment of the security controls in the information system; if these documents include previous assessments of security controls, review the findings, results, and evidence.
Veracode Solution: The application security report provided by Veracode can be used as part of the documentation and supporting materials during the security control assessment.

Task 4.2 Methods and Procedures
Description: Select, or develop when needed, appropriate methods and procedures to assess the information system.
Veracode Solution: Veracode's application security testing can be used to provide an automated method and procedure for software assessments.

Task 4.3 Security Assessment
Description: Assess the management, operational and technical security controls in the information system using methods and procedures selected or developed.
Veracode Solution: Veracode's automated application security testing provides a method and procedure for assessing the technical security controls around software applications.

Task 4.4 Security Assessment Report
Description: Prepare the final security assessment report.
Veracode Solution: Veracode's application security report can be provided as supporting evidence as part of the final report.

Task 5: Security Certification Documentation

Task 5.1: Findings and Recommendations
Description: Provide the information system owner with the security assessment report.
Veracode Solution: Veracode's application security report can be provided as supporting evidence as part of the findings and recommendations.

Task 5.3: Plan of Action and Milestones Preparation
Description: Prepare the plan of action and milestones based on the results of the security assessment.
Veracode Solution: Veracode provides agencies with a recommended remediation plan with milestones for improving the security of the evaluated software.

Task 8: Configuration Management and Control

Task 8.2: Security Impact Analysis
Description: Analyze the proposed or actual changes to the information system (including hardware, software, firmware, and surrounding environment) to determine the security impact of such changes.
Veracode Solution: Veracode enables applications to be tested for security vulnerabilities prior to deployment as part of a change control management process.

Task 9: Security Control Monitoring

Task 9.2: Selected Security Control Assessment
Description: Assess an agreed-upon set of security controls in the information system to determine the extent to which the controls are implemented correctly and producing the desired outcome with respect to meeting the security requirements.
Veracode Solution: Using Veracode's application security testing, agencies can analyze applications for vulnerabilities to determine if the controls related to securing applications from vulnerabilities are being met.

Task 10: Status Reporting and Documentation

Task 10.2: Plan of Action and Milestones Update
Description: Update the plan of action and milestones based on the documented changes to the information system (including hardware, software, firmware, and surrounding environment) and the results of the continuous monitoring process.
Veracode Solution: Veracode provides agencies with a recommended remediation plan with milestones for improving the security of the evaluated software.

Table 1 NIST 800-37 Tasks Mapped to Veracode Solutions

VII. Summary and Conclusions
With 75% of all new attacks against software and 90% of all vulnerabilities in software, NIST and FISMA recognize that federal agencies must place a strong emphasis on application security. Federal agencies that wish to improve their overall security along with their FISMA Grade should prepare for the new threats targeted at their applications and prepare themselves well in advance for more stringent requirements by evaluating their software using third-party application security service providers.


About Veracode
Veracode is the world's leader for on-demand application security testing solutions. Veracode SecurityReview is the industry's first solution to use patented binary code analysis and dynamic web analysis to uniquely assess any application security threats, including vulnerabilities such as cross-site scripting (XSS), SQL injection, buffer overflows and malicious code. SecurityReview performs the only complete and independent security audit across any internally developed applications, third-party commercial off-the-shelf software and offshore code without exposing a company's source code. Delivered as an on-demand service, Veracode delivers the simplest and most cost-effective way to implement security best practices, reduce operational cost and achieve regulatory requirements such as PCI compliance without requiring any hardware, software or training.

Veracode has established a position as the market visionary and leader with awards that include recognition as a Gartner Cool Vendor 2008, Info Security Product Guide's Tomorrow's Technology Today Award 2008, Information Security Readers' Choice Award 2008, AlwaysOn Northeast's "Top 100 Private Company 2008", Network World Top 10 Security Company to Watch 2007, and Dark Reading's Top 10 Hot Security Startups 2007. Based in Burlington, Mass., Veracode is backed by .406 Ventures, Atlas Venture and Polaris Venture Partners. For more information, visit www.veracode.com.

