ForeScout CounterACT is an automated security control platform which helps U.S. Federal agencies comply with the new FISMA requirements, including the NIST SP 800-53 and SP 800-37 security guidelines.
The FISMA Regulation
In 2002, the Federal Information Security Management Act (FISMA) was created to govern the management of information security among Federal agencies. Specific FISMA requirements are detailed in NIST Special Publication 800-37 (referred to as NIST SP 800-37), NIST SP 800-53, and the Federal Information Processing Standards (FIPS) publications 199 and 200.
In 2008, NIST formed a defense and intelligence community Joint Task Force (JTF), which published a new Risk Management Framework that substantially increased the requirements within FISMA. In February 2010, NIST published updates to NIST SP 800-53 and NIST SP 800-37 describing the rationale and requirements for continuous monitoring. The publications recommend that agencies deploy automated tools to provide IT managers with actionable information in near real-time to aid situational awareness.
Per FIPS Publication 200, all Federal agencies are required to adopt changes in NIST security standards “not later than one year from its effective date”. Because these new requirements were developed by the JTF, it is likely that the changes in NIST SP 800-53 and SP 800-37 will shortly be reflected in requirements under the Department of Defense’s DIACAP process and the Director of National Intelligence’s ICD 503.
The newly updated NIST SP 800-37 recognizes that annual security assessments, while important, occur too infrequently to catch and remedy important security issues. To address this, NIST strengthened the requirements for continuous monitoring. NIST SP 800-53 says:
“A continuous monitoring program allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, technologies and missions/business processes. Continuous monitoring of security controls using automated support tools facilitates near real-time risk management and promotes organizational situational awareness with regard to the security state of the information system.”
In another document, published in April 2009, NIST outlined several of the important targets for continuous monitoring and automated tools:
“Using automated tools, organizations can identify when the information system is not in compliance with security policy and standards and take remediation actions as necessary. Continuous monitoring identifies undiscovered system components, misconfigurations, vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose organizations to increased risk.”
The Consensus Audit Guidelines (CAG)
To help Federal agencies more easily understand how to address FISMA and other security regulations, the Consensus Audit Guidelines (CAG) were developed by a consortium of Federal government agencies and private parties including the DOD, DOE, FBI, NIST and the SANS Institute. Detailed information about the CAG is provided here.
The Consensus Audit Guidelines (CAG) provide federal agencies with a prioritized baseline of information security measures and controls to help agencies effectively meet FISMA requirements and its successor, the U.S. Information and Communications Enhancement (ICE) Act of 2009. The guidelines identify 20 specific technology security controls that are effective in blocking currently known and anticipated high-priority attacks. The SANS Institute has published a list of real-world, user-vetted tools which automate one or more of the CAG controls.
ForeScout CounterACT is being used by many government agencies as one of the important continuous control and reporting mechanisms mandated by FISMA, including the new NIST SP 800-53 and SP 800-37 guidelines. ForeScout CounterACT delivers real-time visibility and control of all devices on the network. CounterACT provides network access control, endpoint compliance, and threat control, all in one automated system.
ForeScout CounterACT is listed by SANS as an effective tool for four different CAG controls. No security vendor provides more coverage than ForeScout CounterACT. The CAG controls which ForeScout CounterACT automates are:
- Critical Control 1: Inventory of Authorized and Unauthorized Devices
- Critical Control 2: Inventory of Authorized and Unauthorized Software
- Critical Control 9: Controlled Access Based on Need to Know
- Critical Control 10: Continuous Vulnerability Assessment and Remediation