FISMA: Difference between revisions

From 太極
Jump to navigation Jump to search
No edit summary
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
[https://www.dhs.gov/fisma Federal Information Security Modernization Act (FISMA)]
[https://www.dhs.gov/fisma Federal Information Security Modernization Act (FISMA)]


Vocabulary
= Vocabulary =
* General Accountability Office (GAO) audit
* General Accountability Office (GAO) audit
* Authorization to Operate (ATO)  
* Authorization to Operate (ATO)  
* Risk Management Framework (RMF)
* Risk Management Framework (RMF)


A complete FISMA package includes at least the following artifacts
= A complete FISMA package includes at least the following artifacts =
* FIPS-199 System Categorization  
* FIPS-199 System Categorization  
* E-Authentication Threshold or Risk Analysis (eTA/eRA)  
* E-Authentication Threshold or Risk Analysis (eTA/eRA)  
Line 24: Line 24:
= Web security =
= Web security =
* [https://www.invicti.com/ Invicti] security scan. [https://www.invicti.com/web-vulnerability-scanner/manuals/installing/installing-invicti-desktop/ Netsparker]
* [https://www.invicti.com/ Invicti] security scan. [https://www.invicti.com/web-vulnerability-scanner/manuals/installing/installing-invicti-desktop/ Netsparker]
** missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack. Remedy: Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains.
** (Apache & SSH) Version Disclosure from http response. Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
** Weak Ciphers Enabled. Attackers might decrypt SSL traffic between your server and your visitors. For Apache, you should modify the SSLCipherSuite directive in the httpd.conf. ''' SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4'''
** Out-of-date Version (OpenSSL). [https://nvd.nist.gov/vuln/detail/CVE-2022-1292 CVE-2022-1292 Detail]


= NIST-NVD =
= NIST-NVD =

Latest revision as of 10:42, 19 August 2022

Federal Information Security Modernization Act (FISMA)

Vocabulary

  • General Accountability Office (GAO) audit
  • Authorization to Operate (ATO)
  • Risk Management Framework (RMF)

A complete FISMA package includes at least the following artifacts

  • FIPS-199 System Categorization
  • E-Authentication Threshold or Risk Analysis (eTA/eRA)
  • Business Impact Assessment (BIA) (may be documented in Contingency Plan)
  • System Security Plan (SSP)
  • Privacy Impact Assessment (PIA)
  • Interconnection Agreements (e.g., ISA and/or MOUs), if applicable
  • Configuration Management Plan (CMP)
  • Contingency Plan (CP)
  • Contingency Plan Exercise Report (if Moderate or High impact FIPS rated)
  • Security Assessment Plan (SAP)
  • Security Assessment Report
  • Plan of Action and Milestones (POA&M)
  • ATO Letter signed by Federal Authorizing Official (AO)
  • AC/IA (access control/identify authentication) SOP

Web security

  • Invicti security scan. Netsparker
    • missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack. Remedy: Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains.
    • (Apache & SSH) Version Disclosure from http response. Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
    • Weak Ciphers Enabled. Attackers might decrypt SSL traffic between your server and your visitors. For Apache, you should modify the SSLCipherSuite directive in the httpd.conf. SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
    • Out-of-date Version (OpenSSL). CVE-2022-1292 Detail

NIST-NVD

National Vulnerability Database https://nvd.nist.gov/vuln, Full Listing

Apache, nginx, ssl versions

Docker

FIPS Certified Containerization: The Rise of the Enterprise Container Platform

Retrieved from "https://wiki.taichimd.us/index.php?title=FISMA&oldid=33880"