Acquiring and deploying systems for security and process automation with Infomagnum Risk Automation Suite to meet tighter security mandates and reduce the cost of government compliance
- Can your current methods of monitoring and reporting support Cyber Aux and the latest FISMA requirements?
- Is your IT security team spending too much time demonstrating compliance with an increasing number of Federal IT mandates?
- Has your IT security team struggled to achieve continuous monitoring of 100% of agency desktops as required by OMB?
- Are you keeping pace with mandated requirements for continuous visibility and monitoring across your entire IT environment?
Government Standards and Cyber Aux
The latest Federal Information Security Management Act (FISMA) standards designed to enhance the information security posture of agencies and departments will have a significant impact on the methods and frequency of monitoring and reporting security-related information.
A key component of these standards is Cyber Aux, an interactive information collection tool designed to help agencies fulfill their IT security reporting requirements. With annual, automated FISMA reporting through Cyber Aux having been completed by November 15, 2010, and mandates for automated monthly reporting commencing January 1, 2011, agencies must act quickly.
Best Practices to Support Cyber Aux and FISMA
In order to streamline support for FISMA and facilitate the use of the Cyber Aux portal, systems and processes must be designed to support the “Four A’s”:
- Automated – Move from manual and proprietary integrations to an automated system based on standard, Security Content Automation Protocol (SCAP)-based exchanges that support NIST standards.
- Accurate – Ensure accuracy based upon discovery and SCAP-based audit.
- Asset-centric – Build on an asset-centric data model to support robust reporting, data call, and compliance support as a by-product of security.
- Audit – Audit networks, endpoints, and operating systems for violations against policies (i.e., FDCC, USGCB, agency-level policies) and Security Technical Implementation Guides (STIGs) to identify vulnerabilities, configuration problems, etc.
New best practices and solutions will allow agencies to meet three objectives:
- Increase productivity through automation
- Integrate information security activities for infrastructure security visibility and compliance
- Adopt regulatory or risk management frameworks with SCAP-validated tools
As a result, agencies can shift millions of dollars now spent producing reports to acquiring automated systems and processes that meet tighter security mandates and ultimately reduce compliance costs.
How Infomagnum Can Help
Infomagnum Risk Automation Suite (SRAS) supports Cyber Aux requirements today and is ideally suited to meet the new and future FISMA mandates. As the leading fully SCAP-validated enterprise-class risk management solution, Infomagnum Risk Automation Suite helps agencies improve business processes and enhance enterprise visibility by automatically measuring IT and security compliance – within hours of installation.
Cyber Aux and Automation of Risk Management
Infomagnum has been at the forefront of guiding SCAP standards. Infomagnum Risk Automation Suite was one of the first three SCAP NIST-validated tools and has received the following NIST SCAP validations:
- Federal Desktop Core Configuration (FDCC) Scanner – Able to audit and assess target systems for FDCC compliance and reporting.
- Authenticated Configuration Scanner – Audits and assesses target systems for compliance with defined configuration requirements.
- Authenticated Vulnerability and Patch Scanner – Able to scan target systems to locate and identify software flaws and evaluate patch status and compliance with patch policy.
- Common Configuration Enumeration (CCE)
- Common Vulnerability Scoring System (CVSS)
Additionally, because the solution is fully integrated with existing third-party and Infomagnum solutions, agencies can benefit from SCAP-based integrations and data sharing while improving their overall return on investment in existing infrastructure tools.
Solution Capabilities for Cyber Aux
- Support for Cyber Aux XML extract in Lightweight Asset Summary Reporting (LASR) format
- Real-time Threat Analysis – Single view into enterprise assets, their vulnerabilities and configurations by system, component, or agency
- Asset Discovery – Enterprise platform inventory by Common Platform Enumeration (CPE)
- Vulnerability Management – Enterprise vulnerability measurement and reporting by Common Vulnerabilities and Exposures (CVE)
- Closed-loop Remediation Automation – Closed-loop integration with remediation and trouble ticketing systems to minimize risk exposures
- Configuration Management – SCAP-based audits with exceptions captured by CCE
- Compliance Reporting – Supports Federal compliance and data call requirements as a by-product of security