E-Government Act
Public Law 107-347.
Passed in 2002, this law recognized the importance of information security to the economic and national security interests of the United States.
Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Federal Information Security Management Act (FISMA)
44 U.S.C. § 3541, et seq.
This United States federal law was enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107–347, 116 Stat. 2899). It recognizes the importance of information security to the economic and national security interests of the United States.
FISMA requires that federal agencies implement and document programs to protect the confidentiality, integrity, and availability of their IT systems, operations, and assets. SAINT Security Suite provides a wide range of capabilities to interoperate within the federal space to identify, assess, and prioritize security activities, and protect your most critical assets.
The fully integrated SAINT Security Suite of tools combines the power of vulnerability scanning, social engineering, configuration assessments, penetration testing, asset prioritization, remediation workflows, and compliance reporting in a single solution. It also provides interoperability and integration options to increase your return on investment across your security program.
- Use our pre-defined FISMA vulnerability scan policy to detect vulnerabilities before they can be exploited. Our vulnerability assessment allows administrators to take precautions and bolster network security.
- Reduce time to remediate. SAINT Security Suite’s strategic dashboards, data drill-down, asset tracking, dynamic data filtering, and tutorial guidance decrease the time analyzing data, responding to incidents, and taking remediation actions. This reduces risk exposures.
- Ensure data integrity, availability, and confidentiality. Our frequent updates protect against the latest threats.
- Our pre-defined FISMA vulnerability assessment reports provide excellent records for documenting FISMA compliance and a historical perspective of a network’s security picture. Review a sample FISMA Vulnerability Assessment Report.
- Demonstrate protection from attack. SAINT Security Suite’s penetration testing tools provide a higher level of attack protection assurance.
As the recommended product in the vulnerability assessment space, SAINT Security Suite adds tremendous value in meeting the challenges that face public sector organizations.
SAINT Security Suite on AWS GovCloud
AWS GovCloud (US) is an isolated AWS region subject to FedRAMP high and moderate baselines, and it allows customers to host sensitive controlled unclassified information (CUI) and all types of regulated workloads. The region is operated by employees who are U.S. citizens on U.S. soil. The region is only accessible to vetted U.S. entities and root account holders who must confirm they are U.S. persons to gain access to this region.
AWS GovCloud (US) gives vetted government customers and their partners the flexibility to architect secure cloud solutions that comply with:
- FedRAMP high baseline
- DOJ’s Criminal Justice Information Systems (CJIS) Security Policy
- U.S. International Traffic in Arms Regulations (ITAR)
- Export Administration Regulations (EAR)
- Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5
- FIPS 140-2
- IRS-1075
- Other compliance regimes
From personally identifiable information (PII), sensitive patient medical records, and financial data to law enforcement data, export-controlled data and other forms of CUI, AWS GovCloud (US) can help customers address compliance at every stage of their cloud journey.
As an AWS Advanced Technical Partner and GovCloud Partner, SAINT Security Suite has been approved for use on GovCloud, providing pre-configured Amazon machine images (AMIs) to save time deploying your GovCloud vulnerability management solutions and maintain continuity across your enterprise risk-management program.
As a partner in the ATO on AWS program, Carson & SAINT leverages its partnership with AWS and other AWS partners to develop solutions tailored to meet regulatory compliance requirements and public sector organizations’ daily risk-management needs. Learn more about our AWS partnership.
A NIST-Validated SCAP Solution
The Security Content Automation Protocol (SCAP) is a specification established by the U.S. National Institute of Standards and Technology (NIST) for expressing and manipulating security data in standardized ways. Currently, SCAP can enumerate product names and vulnerabilities (both software flaws and configuration issues), identify the presence of vulnerabilities, and assign severity scores to software flaw vulnerabilities.
SAINT Security Suite offers assessment and reporting capabilities compliant with SCAP version 1.2 as an authenticated configuration scanner (ACS), including Common Vulnerabilities and Exposures (CVE) coverage for content published at Tier III and Tier IV and in the OVAL repository.
Assess your environment with the SAINT NIST-validated solution to perform vulnerability, patch, software inventory, and configuration assessments mandated under FISMA and SCAP. Use the SCAP-compliant output to determine pass/fail results and deliver reports according to the latest standards, including Cyberscope report formats.
Use the policy editor to customize these industry benchmarks and create custom profiles to assess hosts based on specifications you define.
NIST SCAP Program Component Support
SAINT Security Suite provides support to the NIST SCAP program for the following components.
Open Vulnerability and Assessment Language (OVAL®)
This international information security standard promotes open and publicly available security content and standardizes the transfer of this information across the entire spectrum of security tools and services. SAINT Security Suite provides support to the OVAL® Adoption Program as a vulnerability scanner and provides the capabilities of both a definition evaluator and a system characteristics producer.
XCCDF Security Benchmark Automation
This is a specification language, defined by NIST, for writing security checklists, benchmarks, and related types of documents. Download security checklists (or benchmarks) from NIST; these data streams can then be loaded into SAINT Security Suite to run an XCCDF scan.
Common Platform Enumeration (CPE™)
This is a structured naming scheme for information technology systems, software, and packages.
Common Vulnerabilities and Exposures (CVE®)
This is a dictionary of publicly known information security vulnerabilities and other information security exposures.
Common Vulnerability Scoring System (CVSS)
This is an open and standardized method for rating information technology vulnerabilities, and a framework for communicating their characteristics and impacts.
Common Configuration Enumeration (CCE)
This provides unique identifiers for system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.
Formats and Specifications
Asset Identification (AI)
This is a format for uniquely identifying assets based on known identifiers and/or known information about the assets. The SCAP specification describes the purpose of asset identification, a data model for identifying assets, methods for identifying assets, and guidance on how to use asset identification. It also identifies several known use cases for asset identification.
Asset Reporting Format (ARF)
This is the transport format for information about assets and the relationships between assets and reports. The SCAP specification prescribes the standardized data model to facilitate the reporting, correlating, and fusing of asset information throughout and between organizations.
Trust Model for Security Automation Data (TMSAD)
This is a specification for using digital signatures in a common trust model applied to other security automation specifications. The SCAP specification prescribes the standardized data model for establishing trust for security automation data.
SCAP Compliant Report Formats
SAINT Security Suite’s SCAP capabilities include all of the NIST-mandated output formats applicable to the SCAP v1.2 specifications, for both OVAL-compliant vulnerability, patch and software inventory assessments and XCCDF-compliant configuration assessments. Users can also generate custom benchmark reports based on our pre-configured benchmark report. See the sample SCAP Configuration Benchmark (XCCDF) Report.
Cyberscope Report
Cyberscope is an application co-developed by the Department of Homeland Security and the Department of Justice to automate and standardize manual and automated inputs of agency data for FISMA compliance reporting. NIST has collaborated with this effort to provide data models that use the underlying SCAP primitives (CVE, CCE, CPE) to produce data feeds directly from security-management tools that can be submitted to Cyberscope.
Cyberscope support is one more example of Carson & SAINT’s continuing commitment to its federal customers, as it relates to continuous monitoring initiatives, reporting, and compliance under FISMA. As the first lab-tested and NIST-approved USGCB scanner, Carson & SAINT continues to evolve and maintain market leadership in the areas of compliance and reporting.
Our solutions enable customers to execute real-time, scheduled, and recurring assessments across any size of organization – from a standalone deployment to a centrally managed distributed deployment – to ensure a flexible, yet powerful configuration that fits within the organization’s overall continuous-monitoring framework.
Our agentless scanner probes discover available hosts and gather inventory facts that will ensure a thorough, yet focused environment assessment. SAINT Security Suite provides additional workflow and oversight control during the process through email notifications and customer-defined report delivery to facilitate faster evaluation and remediation turnaround before formal reporting. We then provide customers with the necessary interfaces to complete organization-specific components of the reporting format and produce the finished product, per the required Cyberscope specifications.
SAINT Security Suite is included in the OMB MAX Portal list of vendors capable of providing exported data feeds for Cyberscope.
IAVA Mapping
The DOD-CERT Information Assurance Vulnerability Alert (IAVA) system is used by U.S. Department of Defense organizations to standardize critical vulnerability announcements and remediation. This system also imposes time-sensitive assessment, remediation, and reporting requirements on organizations within the DoD, as well as on other governmental and commercial entities that have direct contractual commitments or technology interoperability with DoD networks and systems. As a result, an IAVA announcement can have a far-reaching impact.
At Carson & SAINT, we provide customers with IAVA codes through our continuous collection, evaluation, and integration of vulnerability codes, checks, and tutorial content. IAVA content is obtained from publicly available information on the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) website. This information is then synthesized by our analysts and distributed to customers via our bi-weekly SAINTexpress release process. Once these updates are applied to your installation, IAVA codes are mapped to vulnerabilities identified through any scanning policy and made available for analysis, reporting, and exporting for external use.
Start a Partnership with Carson & SAINT
Upgrade your cybersecurity strategy with Carson & SAINT and gain a partner who’s committed to your institution’s security and success. Contact us at be.secure@carson-saint.com to explore a cybersecurity solution designed for the specific needs and aspirations of your government institution.