NIST 800-53 Revision 4 to Revision 5: A Deep Dive into CM-6 Configuration Settings for Cloud Service Providers

With the transition from Rev 4 to Rev 5, many Cloud Services Providers (CSPs) striving towards or maintaining Federal Risk and Authorization Management Program (FedRAMP) authorization are experiencing numerous hurdles when achieving compliance.

Background

One control where these CSPs are finding a major gap is National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 control CM-6, Configuration Settings. CM-6 requires the provider to establish and document configuration settings for the components employed within the system that reflect the most restrictive mode consistent with operational requirements; to implement those documented settings; to identify, document and approve any deviations from them; and to monitor and control changes to the settings in accordance with the organization's change-control policies and procedures. This post walks through what changed in CM-6 between the two revisions and outlines how a cloud service provider can prepare for the transition.

How a Third Party Assessment Organization (3PAO) Assesses CM-6

During an information system assessment, a 3PAO evaluates CM-6 in several ways. First, the assessor reviews the documented configuration settings applied to every host that belongs to the system and appears in the asset inventory. Whether the CSP uses Center for Internet Security (CIS) Benchmarks, Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) or, in rare cases, the United States Government Configuration Baseline (USGCB), those benchmarks and baselines are the starting point for hardening hosts in the system. When a CSP stands up a new component, whether it is a web server (Apache, IIS, NGINX), Active Directory, a network device (Cisco ASA, IOS routers and switches, firewalls, F5 BIG-IP, Palo Alto NGFW, and so on), an Exchange server, a database server (Postgres Advanced, MS SQL Server, Oracle), Docker Enterprise, a Java Runtime Environment, antivirus (Trend Micro DSM, McAfee), a VMware hypervisor, or any of the other products with a published STIG (full listing at https://www.stigviewer.com/stigs), it normally builds that component from a golden image that serves as the template for how every host in the environment is created, for both consistency and security. Hosts are then checked against the chosen USGCB, CIS Benchmark or STIG content. Which guideline to apply is the CSP's decision, as long as it satisfies the FedRAMP requirement for CM-6. Next, the 3PAO confirms how the CSP validates its configuration settings. Most CSPs automate this step, because applying settings by hand is a very large lift that does not scale and introduces its own security risks.

Furthermore, CM-6(1), which is assessed at the High level, requires automated mechanisms to manage, apply and verify these settings. The 3PAO reviews the automated tooling and scanners used to monitor configuration settings, together with the results and reports those tools produce. This is normally done over the shoulder: the assessor watches a scan run and then reviews its output. Any failed compliance check reported by the automated tooling is recorded as a CM-6 finding.

Finally, the 3PAO evaluates deviations from the configuration settings. If a particular host carries additional configuration or changes on top of the selected guideline, the CSP must document and maintain each such deviation. Every deviation must be approved by a Change Advisory Board after security review, and every change to these settings must be tracked and managed through a change control system. CM-6 can be an intensive part of an assessment, so it is important to understand the key differences that come into play with the transition to Revision 5.

Key differences between Revision 4 and Revision 5

Revision 4

  • CM-6 (a) Requirement 1: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establish its own configuration settings if USGCB is not available.
  • CM-6 (a) Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).
  • CM-6 (a) Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline

Revision 5

  • CM-6 (a) Requirement 1: The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; custom baselines shall be used if CIS is not available.
  • CM-6 (a) Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).
  • CM-6 Guidance: Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP’s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable. During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

The transition from Revision 4 to Revision 5 makes one primary change to the control requirement: Revision 5 establishes a hierarchy of common secure configurations. DoD STIGs come first; CIS Benchmarks (up to Level 2) may be used only where no STIG exists for the relevant component; and a custom baseline is acceptable only where neither a STIG nor a CIS Benchmark is available. USGCB is no longer referenced. In addition, where a failed compliance check maps directly to another control, the 3PAO must now record a finding against that control in the SAR Risk Exposure Table as well as in the combined CM-6 finding, rather than leaving it as a failed check under CM-6 alone. The specific differences are captured in the bullets above.
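As an added example (not Fortreum's tooling and not part of the original post), the following Python script shows how the triage described above can be automated once a SCAP scanner has produced XCCDF output: it parses a small, constructed benchmark and TestResult, sets aside failures that are covered by an approved and still-valid deviation, flags expired deviations so they are not silently honored, keeps error/notchecked results out of the pass column, and then produces both the combined CM-6 finding and the per-control findings the Revision 5 guidance calls for. The rule ids, host name, control references and change-ticket numbers are all illustrative.

```python
"""Triage XCCDF (SCAP) scan output into FedRAMP-style CM-6 findings.

Added example, not Fortreum's or any scanner vendor's code. The benchmark and
TestResult below are constructed inline (XCCDF 1.2 namespace); rule ids, the
host name, control references and change tickets are illustrative.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import date

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
CONTROL_RE = re.compile(r"^[A-Z]{2}-\d+(\(\w+\))?$")  # matches AC-7(a), CM-6(1), SC-7

# Constructed benchmark: each Rule lists the 800-53 controls it maps to as <reference> text.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
<Rule id="xccdf_example_rule_sshd_root_login"><title>Disable SSH root login</title><reference href="https://csrc.nist.gov/">AC-6(2)</reference><reference href="https://csrc.nist.gov/">CM-6(a)</reference></Rule>
<Rule id="xccdf_example_rule_account_lockout"><title>Lock accounts after failed logons</title><reference href="https://csrc.nist.gov/">AC-7(a)</reference><reference href="https://csrc.nist.gov/">CM-6(a)</reference></Rule>
<Rule id="xccdf_example_rule_login_banner"><title>Display approved login banner</title><reference href="https://csrc.nist.gov/">AC-8(a)</reference><reference href="https://csrc.nist.gov/">CM-6(a)</reference></Rule>
<Rule id="xccdf_example_rule_ip_forwarding"><title>Disable IPv4 forwarding</title><reference href="https://csrc.nist.gov/">CM-6(a)</reference></Rule>
<Rule id="xccdf_example_rule_audit_logon_events"><title>Audit logon events</title><reference href="https://csrc.nist.gov/">AU-2(a)</reference><reference href="https://csrc.nist.gov/">CM-6(a)</reference></Rule>
</Benchmark>"""

# Constructed TestResult for one host, as a scanner would emit after evaluating the benchmark.
RESULTS_XML = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_web01">
<target>web01.example.internal</target>
<rule-result idref="xccdf_example_rule_sshd_root_login"><result>fail</result></rule-result>
<rule-result idref="xccdf_example_rule_account_lockout"><result>pass</result></rule-result>
<rule-result idref="xccdf_example_rule_login_banner"><result>fail</result></rule-result>
<rule-result idref="xccdf_example_rule_ip_forwarding"><result>fail</result></rule-result>
<rule-result idref="xccdf_example_rule_audit_logon_events"><result>notchecked</result></rule-result>
</TestResult>"""


@dataclass(frozen=True)
class Rule:
    rule_id: str
    title: str
    controls: tuple  # 800-53 control ids referenced by the rule


@dataclass(frozen=True)
class Deviation:
    rule_id: str
    hosts: frozenset  # hosts the Change Advisory Board approved the deviation for
    ticket: str       # change-control record that approved it (illustrative ids)
    expires: date     # approvals are re-reviewed, so every deviation carries an expiry


# Constructed deviation register: one approval still in force, one that has lapsed.
DEVIATIONS = (
    Deviation("xccdf_example_rule_login_banner", frozenset({"web01.example.internal"}), "CHG-1234", date(2030, 1, 1)),
    Deviation("xccdf_example_rule_ip_forwarding", frozenset({"web01.example.internal"}), "CHG-0999", date(2023, 6, 30)),
)


@dataclass
class Triage:
    target: str
    cm6_finding: list = field(default_factory=list)          # rule ids in the combined CM-6 finding
    per_control: dict = field(default_factory=dict)          # control id -> rule ids (one RET row each)
    approved_deviations: list = field(default_factory=list)  # (rule id, ticket) set aside as documented
    expired_deviations: list = field(default_factory=list)   # (rule id, ticket) whose approval lapsed
    needs_review: list = field(default_factory=list)         # error/unknown/notchecked, never treated as pass


def load_rules(xml_text):
    """Map rule id -> Rule, keeping only references that look like 800-53 control ids."""
    rules = {}
    for r in ET.fromstring(xml_text).findall("x:Rule", NS):
        refs = ((ref.text or "").strip() for ref in r.findall("x:reference", NS))
        controls = tuple(c for c in refs if CONTROL_RE.match(c))
        rules[r.get("id")] = Rule(r.get("id"), r.findtext("x:title", namespaces=NS) or "", controls)
    return rules


def load_results(xml_text):
    """Return (target host, {rule id: result}) from an XCCDF TestResult."""
    root = ET.fromstring(xml_text)
    target = (root.findtext("x:target", namespaces=NS) or "unknown").strip()
    outcomes = {rr.get("idref"): (rr.findtext("x:result", namespaces=NS) or "").strip()
                for rr in root.findall("x:rule-result", NS)}
    return target, outcomes


def triage(rules, target, outcomes, deviations, today):
    """Sort failed checks into the combined CM-6 finding, per-control RET rows and deviations."""
    report = Triage(target=target)
    for rule_id, outcome in outcomes.items():
        if outcome in ("pass", "notapplicable"):
            continue
        if outcome != "fail":
            report.needs_review.append(rule_id)  # scanner could not decide; a human must
            continue
        dev = next((d for d in deviations if d.rule_id == rule_id and target in d.hosts), None)
        if dev is not None and dev.expires >= today:
            report.approved_deviations.append((rule_id, dev.ticket))
            continue  # approved and in force: a documented deviation, not a finding
        if dev is not None:
            report.expired_deviations.append((rule_id, dev.ticket))  # lapsed approval: back to a finding
        report.cm6_finding.append(rule_id)
        for control in rules.get(rule_id, Rule(rule_id, "", ())).controls:
            if not control.startswith("CM-6"):  # direct mapping to another control gets its own RET row
                report.per_control.setdefault(control, []).append(rule_id)
    return report


def run_triage(today="2024-01-15"):
    """Wire the constructed inputs together; `today` is ISO text so callers need no date import."""
    rules = load_rules(BENCHMARK_XML)
    target, outcomes = load_results(RESULTS_XML)
    return triage(rules, target, outcomes, DEVIATIONS, date.fromisoformat(today))


if __name__ == "__main__":
    r = run_triage()
    print(f"{r.target}: combined CM-6 finding covers {r.cm6_finding}")
    for control, ids in sorted(r.per_control.items()):
        print(f"  RET row {control}: {ids}")
    print(f"  approved deviations: {r.approved_deviations}")
    print(f"  EXPIRED deviations (still findings): {r.expired_deviations}")
    print(f"  needs manual review: {r.needs_review}")
```

Two design points matter in practice. A deviation is honored only for the exact rule and host the board approved and only until its expiry, so a waiver granted for one golden-image variant cannot quietly cover a whole fleet, and a lapsed waiver re-surfaces as a finding rather than disappearing. And results other than pass/fail (error, unknown, notchecked) are routed to a review list instead of being dropped, because a rule the scanner could not evaluate is exactly where an assessor will ask for evidence.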

DISA STIGs vs. CIS Benchmarks

DISA STIGs are a set of cybersecurity guidelines for secure installation and maintenance of computer systems and software. They are widely used by the U.S. Department of Defense (DoD) and other federal agencies. STIGs provide specific configuration settings for various software applications and operating systems, ensuring compliance with DoD security policies.

All organizations that are part of the DoD Information Network (DoDIN) are legally and contractually required to comply with STIGs, which makes the move to DISA STIGs the option that makes the most sense as part of the lift to Revision 5. STIG compliance is also required for software and hardware operating on DoD systems and networks, so vendors whose products are meant for use on the DoDIN should focus on meeting STIG requirements.

CIS Benchmarks are consensus best practices for securing IT systems and data against cyber threats. Unlike DISA STIGs, CIS Benchmarks cover a broader set of platforms, including operating systems, cloud environments and software applications. They are known for their practicality and versatility, which suits a wide range of organizations, including CSPs serving clients with diverse needs. CIS Benchmarks also map to major regulatory frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), ISO/IEC 27001, the Health Insurance Portability and Accountability Act (HIPAA) and the NIST Cybersecurity Framework (CSF). Because many CSPs run the same systems for a large number of clients and have already achieved compliance with several of these frameworks, the uplift to STIGs will be a real challenge and should be started as early as possible.

Both sets of standards cover popular infrastructure platforms such as VMware and Cisco, but each covers some systems the other does not. For example, STIGs do not cover the well-known cloud infrastructure providers Microsoft Azure, Google Cloud Platform (GCP) and Amazon Web Services (AWS) as products; for those you will need to rely on the applicable DISA Security Requirements Guide (SRG), whereas CIS publishes Foundations Benchmarks for all three. Since many CSPs build on a third-party infrastructure provider for hardware management, working from the SRGs will be important. Conversely, CIS has no benchmarks for Red Hat JBoss, F5 BIG-IP or IBM WebSphere, but STIGs exist for each of them.

Both STIGs and CIS Benchmarks cover the most commonly used operating systems and applications, including multiple versions of Windows, macOS, Windows Server, Red Hat Enterprise Linux, Amazon Linux, Ubuntu and CentOS.

How to Prepare for the Transition

  • Comprehensive System Audit: Begin with a thorough audit of your existing systems. Identify the technologies, platforms and devices in use, and record the specific configuration settings applied to each. Identify which devices and hosts need their settings changed to comply with Revision 5 (in practice, every component that is currently held to a CIS Benchmark but has a published STIG) and agree on an implementation timeline with the engineers.
  • Documentation, Scanning Mechanisms, and Reporting Tools: Put documentation and reporting tooling in place that records configuration settings reliably. Given the emphasis on continuous monitoring, investing in automation is indispensable: automated configuration management tools can ensure that initial configurations are secure and also detect and remediate failed compliance checks promptly. Be aware that applying DISA STIGs may require a different security tool, or changes to your existing automation, because STIG content (SCAP benchmarks and checklists) differs from CIS content and will identify additional components in the environment that need updating.
  • Training and Skill Development: Equip your information technology (IT) and security teams with the necessary skills and knowledge. Provide training that familiarizes developers, architects and engineers with the revised CM-6 requirements and the STIGs that apply to their components.
  • Regular Assessments and Updates: The cybersecurity landscape is dynamic, so regular assessments of your configuration settings are vital. Schedule periodic internal reviews as well as third-party audits (when applicable) to confirm continued compliance with CM-6.

Conclusion

The transition from NIST 800-53 Revision 4 to Revision 5, particularly concerning CM-6 configuration settings, demands a proactive and informed approach from CSPs. By understanding the nuances of the updated guidelines, making appropriate investments, creating an efficient timeline, and continuing compliance with continuous monitoring, you can not only meet the requirements of the revised standards but also bolster your overall cybersecurity posture.

Fortreum is the fastest growing FedRAMP 3PAO in the marketplace and is actively working with clients so they are prepared for the transition to Rev 5. Should you have questions about your transition to Rev 5, please reach out to us at Compliance@fortreum.com or Contact Us at https://fortreum.com/contact/

Contact us to discuss your cyber and cloud business needs. We’re happy to share our insights and work with you as your business evolves.