ForeScout | Access Ability

Overview

FISMA Compliance

ForeScout CounterACT is an automated security control platform which helps U.S. Federal agencies comply with the new FISMA requirements including the NIST SP 800-53 and SP 800-37 security guidelines.

The FISMA Regulation

In 2002, the Federal Information Security Management Act (FISMA) was created to govern the management of information security among Federal agencies. Specific FISMA requirements are detailed in NIST Special Publication 800-37 (referred to as NIST SP 800-37), NIST SP 800-53, and the Federal Information Processing Standards (FIPS) publications 199 and 200.

In 2008, NIST formed a defense and intelligence community Joint Task Force (JTF) who published a new Risk Management Framework which substantially increased the requirements within FISMA.   In February 2010, NIST published updates to NIST SP 800-53 and NIST SP 800-37 describing the rationale and requirements for continuous monitoring. The publications recommend that agencies deploy automated tools to provide IT managers with actionable information in near real-time to aid in situational awareness.

Per FIPS Publication 200, all Federal agencies are required to adopt changes in NIST security standards “not later than one year from its effective date”. Because these new requirements were developed by the JTF, it is likely that the changes in NIST SP 800-53 and SP 800-37 will shortly be reflected in requirements under the Department of Defense’s DIACAP process and the Director of National Intelligence’s ICD 503.

The newly updated NIST SP 800-37 recognizes that annual security assessments, while important, occur too infrequently to catch and remedy important security issues. So to address this issue, NIST strengthened the requirements for continuous monitoring. NIST SP 800-53 says:

“A continuous monitoring program allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, technologies and missions/business processes. Continuous monitoring of security controls using automated support tools facilitates near real-time risk management and promotes organizational situational awareness with regard to the security state of the information system.”

In another document NIST published in April 2009, NIST outlined several of the important targets for continuous monitoring and automated tools:

“Using automated tools, organizations can identify when the information system is not in compliance with security policy and standards and take remediation actions as necessary. Continuous monitoring identifies undiscovered system components, misconfigurations, vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose organizations to increased risk.”

The Consensus Audit Guidelines (CAG)

To help Federal agencies more easily understand how to address FISMA and other security regulations, the Consensus Audit Guidelines (CAG) were developed by a consortium of Federal government agencies and private parties including the DOD, DOE, FBI, NIST and the SANS Institute. Detailed information about the CAG is provided here.

The Consensus Audit Guidelines (CAG) provide federal agencies with a prioritized baseline of information security measures and controls to help agencies effectively meet FISMA requirements and its successor, the U.S. Information and Communications Enhancement (ICE) Act of 2009. The guidelines identify 20 specific technology security controls that are effective in blocking currently known and anticipated high-priority attacks. The SANS Institute has published a list of real-world, user-vetted tools which automate one or more of the CAG controls.

ForeScout’s Solution

ForeScout CounterACT is being used by many government agencies as one of the important continuous control and reporting mechanisms that are mandated by FISMA including the new NIST SP 800-53 and SP 800-37 guidelines. ForeScout CounterACT delivers real-time visibility and control of all devices on the network. CounterACT provides network access control, endpoint compliance, and threat control, all in one automated system.

ForeScout CounterACT is listed by SANS as an effective tool for four different CAG controls. No security vendor provides more coverage than ForeScout CounterACT. The CAG controls which ForeScout CounterACT automates are:

• Critical Control 1: Inventory of Authorized and Unauthorized Devices
• Critical Control 2:   Inventory of Authorized and Unauthorized Software
• Critical Control 9: Controlled Access Based on Need to Know
• Critical Control 10: Continuous Vulnerability Assessment and Remediation

Features

To help organizations comply with FISMA, ICE and NIST requirements, ForeScout CounterACT includes the following capabilities:

• Visibility. ForeScout CounterACT provides a continuous inventory of everything on a network–managed or unmanaged, wired or wireless, authorized or unauthorized, hardware or software. Unlike products which require pre-installation of agents on endpoint devices, ForeScout CounterACT provides visibility in real-time without agents or any prior device knowledge.
• Network Access Control. ForeScout CounterACT provides continuous network access control based on pre-defined security policies. It has the ability to enforce highly granular security policies limiting access by user, location, network segment, endpoint configuration, etc.
• Configuration Management. ForeScout CounterACT allows IT managers to continuously monitor endpoint systems’ configuration status. Automated alarms inform IT managers whenever endpoint configurations deviate from the configuration baseline.
• Vulnerability Assessment. ForeScout CounterACT provides a built-in vulnerability assessment scanner which identifies known vulnerabilities in real-time.
• Enforce Policy Compliance.ForeScout CounterACT centrally manages, monitors, and enforces policies related to network access and endpoint security posture.   It will detect whether endpoint security agents–such as antivirus, encryption, data loss prevention, and patch management–are deployed and working on all managed endpoints.
• Reporting.   ForeScout CounterACT includes dashboards, alarms and automated reports. Real time information ensures security personnel have visibility and situational awareness.   Auditors can use asset inventory reports to speed the auditing process.

Benefits

Save money

• Effective on four CAG controls. No other security product matches the breadth of ForeScout CounterACT which is a effective tool for four different CAG controls.   Why buy more tools when one is sufficient?
• Reduce IT support costs. Large organizations have reported help-desk savings of up to $1 million per year with ForeScout CounterACT.

Save time

• ForeScout CounterACT includes automated reporting with realtime information. Audit reports that used to take days can now be done in hours.

Improve security

• Reduce risk of data loss by ensuring that encryption and DLP agents are running, users are not running unauthorized applications or peripheral devices (e.g. USB memory sticks), unauthorized users are not on your network, and rogue devices (e.g. wireless access points) are not connected to your network.
• Reduce risk of infection by ensuring that antivirus is properly updated and vulnerabilities are patched.

Painless deployment

• ForeScout CounterACT is a simple appliance that installs out-of-band on your network.   It requires no software installation. Installation can be completed in one afternoon, full operation including policy enforcement in a matter of days.

Real-time, continuous monitoring and control

• ForeScout CounterACT monitors and controls everything on the network continuously, in realtime. This is of major importance to comply with the new FISMA regulations, because   NIST SP 800-53 specifically calls for continuous monitoring.

Comprehensive coverage

• Unlike agent-based security controls which are effective only on devices owned and managed by your organization, ForeScout CounterACT is effective on all network devices – including printers, switches, wireless access points, personal laptops, smartphones, tablet computers, etc.   This saves time and money compared to piecemeal solutions.