FISMA: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| (6 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[https://www.dhs.gov/fisma Federal Information Security Modernization Act (FISMA)] | [https://www.dhs.gov/fisma Federal Information Security Modernization Act (FISMA)] | ||
Vocabulary | = Vocabulary = | ||
* General Accountability Office (GAO) audit | * General Accountability Office (GAO) audit | ||
* Authorization to Operate (ATO) | * Authorization to Operate (ATO) | ||
* Risk Management Framework (RMF) | * Risk Management Framework (RMF) | ||
A complete FISMA package includes at least the following artifacts | = A complete FISMA package includes at least the following artifacts = | ||
* FIPS-199 System Categorization | * FIPS-199 System Categorization | ||
* E-Authentication Threshold or Risk Analysis (eTA/eRA) | * E-Authentication Threshold or Risk Analysis (eTA/eRA) | ||
| Line 20: | Line 20: | ||
* Plan of Action and Milestones (POA&M) | * Plan of Action and Milestones (POA&M) | ||
* ATO Letter signed by Federal Authorizing Official (AO) | * ATO Letter signed by Federal Authorizing Official (AO) | ||
* AC/IA ( | * AC/IA (access control/identify authentication) SOP | ||
= Web security = | |||
* [https://www.invicti.com/ Invicti] security scan. [https://www.invicti.com/web-vulnerability-scanner/manuals/installing/installing-invicti-desktop/ Netsparker] | |||
** missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack. Remedy: Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains. | |||
** (Apache & SSH) Version Disclosure from http response. Configure your web server to prevent information leakage from the SERVER header of its HTTP response. | |||
** Weak Ciphers Enabled. Attackers might decrypt SSL traffic between your server and your visitors. For Apache, you should modify the SSLCipherSuite directive in the httpd.conf. ''' SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4''' | |||
** Out-of-date Version (OpenSSL). [https://nvd.nist.gov/vuln/detail/CVE-2022-1292 CVE-2022-1292 Detail] | |||
= NIST-NVD = | |||
National Vulnerability Database https://nvd.nist.gov/vuln, [https://nvd.nist.gov/vuln/full-listing Full Listing] | |||
= Apache, nginx, ssl versions = | |||
<ul> | |||
<li>determine the OpenSSL version | |||
<pre> | |||
openssl version | |||
</pre> | |||
</li> | |||
<li>[https://serverguy.com/servers/how-to-check-the-version-of-apache/ How To Check the Version of Apache? (In 3 Ways)] | |||
<pre> | |||
httpd -v | |||
# or | |||
/usr/local/apache/bin/httpd -v | |||
</pre> | |||
<li>[https://docs.nginx.com/nginx-controller/platform/about/get-controller-version/ Use helper.sh to Look Up Version Info] | |||
<pre> | |||
/opt/nginx-controller/helper.sh version | |||
# OR | |||
nginx -v | |||
# OR | |||
/opt/nginx/sbin/nginx -v | |||
</pre> | |||
</ul> | |||
= Docker = | |||
[https://goto.docker.com/FIPS-Certification-Public-Sector.html FIPS Certified Containerization: The Rise of the Enterprise Container Platform] | |||
Latest revision as of 10:42, 19 August 2022
Federal Information Security Modernization Act (FISMA)
Vocabulary
- General Accountability Office (GAO) audit
- Authorization to Operate (ATO)
- Risk Management Framework (RMF)
A complete FISMA package includes at least the following artifacts
- FIPS-199 System Categorization
- E-Authentication Threshold or Risk Analysis (eTA/eRA)
- Business Impact Assessment (BIA) (may be documented in Contingency Plan)
- System Security Plan (SSP)
- Privacy Impact Assessment (PIA)
- Interconnection Agreements (e.g., ISA and/or MOUs), if applicable
- Configuration Management Plan (CMP)
- Contingency Plan (CP)
- Contingency Plan Exercise Report (if Moderate or High impact FIPS rated)
- Security Assessment Plan (SAP)
- Security Assessment Report
- Plan of Action and Milestones (POA&M)
- ATO Letter signed by Federal Authorizing Official (AO)
- AC/IA (access control/identify authentication) SOP
Web security
- Invicti security scan. Netsparker
- missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack. Remedy: Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains.
- (Apache & SSH) Version Disclosure from http response. Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- Weak Ciphers Enabled. Attackers might decrypt SSL traffic between your server and your visitors. For Apache, you should modify the SSLCipherSuite directive in the httpd.conf. SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
- Out-of-date Version (OpenSSL). CVE-2022-1292 Detail
NIST-NVD
National Vulnerability Database https://nvd.nist.gov/vuln, Full Listing
Apache, nginx, ssl versions
- determine the OpenSSL version
openssl version
- How To Check the Version of Apache? (In 3 Ways)
httpd -v # or /usr/local/apache/bin/httpd -v
- Use helper.sh to Look Up Version Info
/opt/nginx-controller/helper.sh version # OR nginx -v # OR /opt/nginx/sbin/nginx -v
Docker
FIPS Certified Containerization: The Rise of the Enterprise Container Platform