nistonomicon

NISTonomicon

A NIST 800-53 Security Control Assessment Test Suite

In the United States, all Federal Government information systems are regulated by the Federal Information Security Management Act (FISMA). This law empowers the National Institute for Standards and Technology (NIST) to issue guidance on what security controls should exist on information systems.

Federal agencies require systems to receive an Authority to Operate (ATO) before putting a system into production. An ATO is the final step in NIST's risk management framework. An ATO represents the agency's acceptance of the risk presented in operating the system, after all due diligence has been completed and reasonable controls put in place. It usually takes the form of a signed letter from a high-level agency executive, who serves as the Authorizing Official (AO).

NIST Special Publication (SP) 800-53 Revision 4 lists various control baselines - groupings of both technical and organizational security controls. These control baselines change depending on how the system has been categorized. Implementing, documenting, and assessing these controls on a system of even moderate complexity can be incredibly time consuming and prone to error.

This test suite is a way to structure and automate the assessment of these NIST 800-53 security controls.

TODO

• allow metadata for tests added 12/2015 may need to clean up api...
• Handle multiple inherited security controls added 12/23/2015
• plot inheritance graph
• search other modules
• create gui for scaffolding a inheritable test suite
• Output reports
  • Security Controls Traceability Matrix
  • Dated reports