NIST Special Publication 800-53 Revision 5 report

This report displays National Institute of Standards and Technology (NIST) issues found on your application. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered violation of the regulation.

Why it matters

NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2002 (FISMA), including minimum requirements, for providing adequate information security for all agency operations and assets but such standards and guidelines shall not apply to national security systems. Federal Information Processing Standards (FIPS) are developed by NIST following FISMA. Since FISMA requires that federal agencies comply with these standards, they must do so. Guidance documents and recommendations are issued in the NIST Special Publication (SP) 800 series. Office of Management and Budget (OMB) policies state that for other than national security programs and systems, agencies must follow NIST guidance.

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory, non-waiverable standard developed in response to FISMA. To comply with the federal standard, agencies must first determine the security category of their information system following the provisions of FIPS 199, standards for security categorization of Federal Information Systems, and then apply the appropriate set of baseline security controls in NIST SP 800-53. The Agency's risk assessment validates the security control set by determining if any additional controls are needed to protect agency operations, agency assets, or individuals. The resulting set of security controls establishes a level of "security due diligence" for federal agencies and their contractors.

Agencies are expected to comply with NIST security standards and guidelines within one year of the publication date unless otherwise directed by OMB or NIST. (The one-year compliance date for revisions to NIST SP applies only to new and/or updated material.)
Table 1. Issues detected across 14/20 sections of the regulation:
Control Number Control
AC-2(2) Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
AC-4 Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].
AC-6 Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
AC-7 a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]
AC-10 Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
AC-12 Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]
AC-17 a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

b. Authorize each type of remote access to the system prior to allowing such connections.
CM-7 a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and

b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
IA-2 Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
IA-4(1) Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts.
IA-5 Manage system authenticators by:

a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;

b. Establishing initial authenticator content for any authenticators issued by the organization;

c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;

d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;

e. Changing default authenticators prior to first use;

f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;

g. Protecting authenticator content from unauthorized disclosure and modification;

h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and

i. Changing authenticators for group or role accounts when membership to those accounts changes.
RA-5 a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;

b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

  1. Enumerating platforms, software flaws, and improper configurations;
  2. Formatting checklists and test procedures; and
  3. Measuring vulnerability impact;

c. Analyze vulnerability scan reports and results from vulnerability monitoring;

d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;

e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and

f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
SC-5 a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and

b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].
SC-8 Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.
SC-13 a. Determine the [Assignment: organization-defined cryptographic uses]; and

b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use].
SC-23 Protect the authenticity of communications sessions.
SI-3.A Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
SI-3.B Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
SI-10 Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system].
SI-11.A Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited.