Penetration Testing and NIST 800-53


In our continuing series on penetration testing, we have discussed different approaches to pen testing and the benefits of conducting such tests. Here, we will continue by addressing penetration testing as a practice inside one of the most important security frameworks for federal agencies and contractors: NIST 800-53.

While the core documentation of NIST 800-53 contains hundreds of security controls, one dedicated control speaks to the value and best practices of penetration testing. Here, we’ll discuss how penetration testing plays a role in NIST 800-53 compliance and how you can incorporate it into your compliance strategy. 


What is NIST Special Publication 800-53 and Why Is it Important for My Business?

The federal government uses several standardized security guidelines to drive compliance and IT security across the myriad of agencies and contractors working together. Few of these are as far-reaching and comprehensive as NIST Special Publication 800-53. This publication is required for almost every agency handling sensitive data, and it informs even more specialized compliance frameworks that impact IT system management, risk assessment and cloud platforms. 

Where would you see the implementation, in whole or part, of 800-53? Well, for starters, NIST 800-53 compliance applies, more or less, to every federal agency and contractor. 

Some more specific areas include:

  1. Impact levels for major security frameworks: Several regulatory programs, including FedRAMP, rely on defining the “impact level” of the data stored or managed by the organization. Following FIPS 199, these levels range from a limited adverse effect on operations (Low), through a serious adverse effect (Moderate), to a severe or catastrophic impact on agency operations, assets or individuals (High). At each higher level, agencies and contractors are required to implement a larger and more demanding set of security controls.
  2. Cloud providers: Many agencies are turning to cloud and SaaS providers to give them flexible and scalable services. These providers are governed by specific programs, such as FedRAMP, whose control baselines are drawn from NIST 800-53.
  3. Risk management: One of the major changes that occurred during the revision history of NIST 800-53 was its alignment with the Risk Management Framework (RMF), the six-step assessment process defined in NIST SP 800-37 (seven steps in SP 800-37 Rev. 2, which added a Prepare step). This process not only introduced risk as a major focus for organizations achieving compliance under 800-53, but it made risk assessment the primary means by which these organizations select controls and decide how to implement them.
  4. Transparency and non-governmental use: While NIST 800-53 is 100% required (in one way or another) for federal entities, more and more state, local and private organizations are also using the standard. This is due in part to later revisions deliberately removing federal-specific language (Revision 5 dropped “Federal” from the title) so that the controls apply to any organization. 

This last area of impact is important in that it demonstrates how NIST 800-53 brings common and rigorous security measures and best practices to any organization. 


How Does NIST 800-53 Define Penetration Testing?


One of the primary components of NIST 800-53 is its list of security controls. These controls list different aspects, technical or otherwise, that an organization should implement within a given impact level. Furthermore, these controls are organized into different families, each of which organizes these controls into common, necessary groupings based on their application. Some of these families include the following:

  • Access Control
  • Audit and Accountability 
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Program Management
  • Personnel Security
  • Risk Assessment

And so on. 

One of these families–Assessment, Authorization and Monitoring (CA)–contains a series of controls that covers the planning, implementation and continuous monitoring of policies and security systems. Its focus is on demonstrating an organization’s ability to assess and continually track vulnerabilities as they emerge due to external threats or internal configuration changes. One of the controls, CA-8, speaks directly to penetration testing. 

Under NIST 800-53, organizations (if their baseline or risk posture requires it; CA-8 is selected in the High baseline) must conduct penetration testing at organization-defined intervals and upon organization-defined systems or system components to identify exploitable vulnerabilities. 

It’s important to note that penetration testing, under NIST regulations or otherwise, is significantly different from vulnerability scanning. The latter simply identifies vulnerabilities and reports on them, where the former is an active, controlled and simulated attack on IT systems to exploit weaknesses and identify complex vulnerabilities. Scans are not a replacement for pen testing under any circumstance. 

NIST, therefore, articulates a few key points about acceptable penetration testing practices. These points include:

  • Utilizing independent pen testing agents (CA-8(1)): Independent testers provide, according to NIST, impartial testing, and such avoidance of conflict of interest is paramount to proper compliance.
  • Red team exercises (CA-8(2)): A “red team” exercise is slightly different from a penetration test. Penetration tests typically focus on application, network or system-level vulnerabilities to determine the risk inherent in a system. A red team, conversely, simulates a realistic adversary pursuing specific objectives, and will often exploit the connections between physical, administrative and technical systems rather than any single layer. If penetration testing is a wide net cast to catch vulnerabilities, red teams are a scalpel dismantling complex systems to find deep attack paths. NIST CA-8 suggests using red team exercises to inform risk and control implementation.
  • Facility penetration testing (CA-8(3)): NIST also provides for facility-level penetration testing, including assessment of the physical environments where people access data, such as data centers and workstations. These are control enhancements, so whether each one is required depends on the organization’s baseline and tailoring rather than applying in every case. 

The primary language of CA-8 also suggests using vulnerability analysis alongside penetration testing so that the former can inform the latter and make it more effective. Its discussion outlines a basic penetration testing structure that follows steps like the following:

  1. Conducting a pretest analysis of the systems to undergo assessment, utilizing full knowledge of system organization and configurations. 
  2. Cataloging a pretest set of known and potential vulnerabilities based on the previous analysis. 
  3. Designing tests specifically to exploit known and potential vulnerabilities to determine the scope of their exploitability. 
  4. Crafting rules of engagement regarding conduct, scope and scale of the penetration test, agreed by both the testing and tested parties. 
  5. Coordinating testing procedures and techniques so that they correlate with real-world threats and technologies. 
  6. Identifying the privacy and security laws that would be implicated by unauthorized disclosure of data during the test, and taking steps to prevent any unintentional data breach. 

Finally, the practices outlined in CA-8 are closely tied to additional aspects of the CA family and others. These include:

  • Control Assessments (CA-2): Utilizing the right teams to assess security controls and their implementation.
  • Vulnerability Monitoring and Scanning (RA-5): Conducting vulnerability scans of component controls, systems and applications.
  • Physical Access Control (PE-3): Enforcing physical access controls over facilities and data access points such as workstations, data centers and stored or decommissioned hardware (hard drives, etc.).
  • Developer Testing and Evaluation (SA-11): Requiring developers to properly test and evaluate code and remediate security issues with that code before implementation. 


Automate NIST 800-53 Audits with Continuum GRC

NIST 800-53 is one of the most challenging and rigorous attestations around, and gaining such attestation can take significant work and time. With the Continuum GRC ITAM platform, however, you can replace stone-age compliance tools like email and spreadsheets and streamline documentation, scanning and reporting. What once could take months now can, with the right preparation, take only days. 


Ready to Streamline and Empower NIST 800-53 Compliance?

Call 1-888-896-6207 or complete the form below. 

Continuum GRC