NASA – Extensible Control Assessment Tool (NeCAT)

Help NASA improve its cyber security posture by providing an easy to use assessment tool!

Purpose: The NASA Risk Management Framework is used to ensure compliance with federal standards issued by the National Institute of Standards and Technology (NIST). These standards allows the classification, management and tracking of cyber security risks related to all systems and components in the centers and agency. A control assessor performs periodic examination of compliance using a number of methods. Therefore, having a tool to record findings that is both mobile friendly and scalable to new standards would enable these assessors to perform more in-depth assessments to a wider set of controls in less amount of time.

Background: Control assessments are conducted in order to validate (via tests, examination and interviews) operational, administrative and technical controls based on standards defined by NIST. Some of these standards include, Special Publications (SP) 800-37, SP 800-53 Rev.4, and SP 800-53A Rev.4 which form the Risk Management Framework (RMF) for federal systems compliance. NIST SP 800-53A provides a list of functional controls categorized by “Control Families” as well as minimum security control impact (High, Moderate, Low, and Optional). Although, NIST SP 800-53A is the main standard used for federal systems, there are other industry standards such as (PCI DSS, NIST SP 800-171, etc.) which may be used to assess a specific system or organization. A Security Control Assessors (SCA), performs assessments, to validate functional control implementation. As such, SCAs are required to document findings (weaknesses or comments) regarding whether controls in placed are “Satisfied” (working) or “Other than Satisfied” (not working). SCAs also provide recommendations to be implemented in order to satisfy control found to be “Other than Satisfied.”

Challenge: To develop a scalable, responsive, and user-friendly web-based application that allows for easy selection of standards, controls, and related questionnaire to perform faster and targeted on-site assessments. The application could be an object-relational database and at the end of an assessment, it should be able to generate a report indicating date, control status and any findings (weaknesses, comments and recommendations) pertaining to the control(s) assessed.

A file with a full control list, and exportable fields is included. Columns highlighted in yellow denote mandatory fields for identification, blue and green fields denote user-defined fields.

Must Include:

  1. Implement mass import of standard baselines (e.g., NIST SP 800-53A Rev.4) via .xlsx, .csv, or xml file formats.

  2. Allow import of additional control standards and update to current ones via file import.

  3. Selection of control standard as well as being able to filter a subset of controls based on “control family” categorization and minimum risk impact (H, M, L, O).

  4. Further selection of sub-set controls to be assessed at the discretion of the control assessor.

  5. Easy to use interface for mobile use for on-site assessments, (laptop, tables or mobile devices) with optimal view of control descriptions and implementation details.

  6. Generate report of all selected controls with date, assessor name, control status, comments (findings) and method of assessment.

Preferences:

  1. Allow for manual update of individual control description [organization defined values] within a specific control standard.

  2. Selection of Authorization Package information (AA) or “security plan” name and ID from a defined list (imported via .xlsx file), as well as manual input of Authorization Package information when predefined data is not available.

  3. Link a security plan name to a specified ID.

  4. Allow for an AA, or security plan to be rated at (low, moderate or high) risk, and automatically allocate all controls corresponding to its own risk impact level.

  5. Module that allows creation of a questionnaire which answers (True/False or Fail/Pass) can be linked to one or several controls, their status (satisfied, other than satisfied), assessment method used to validate control and findings/recommendations/comments.

  6. Allow to filter controls within an AA based on responsibility (agency, center, or system).

Considerations:

  1. Risk impact categorization under NIST SP 800-53A implements a scalable rating, where all low impact risk controls are included in all moderate risk plans, and all moderate risk controls are included in high impact risk plans. Low risk plans, DO NOT include any controls above its own risk impact rating.

Figure 1: Hierarchical relationship of data

Resources:

NIST Special Publications: http://csrc.nist.gov/publications/PubsSPs.html#SP 800

NIST SP 800-53 (Rev. 4): https://nvd.nist.gov/800-53

NIST SP 800-53A (Rev. 4): http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf

NIST Baseline Tailor Tool: https://www.nist.gov/services-resources/software/baseline-tailor

New Leaf Digital

New Leaf Digital, 200 West Side Square, Huntsville, AL, 35801