1 October, 2019
FISMA Penetration Testing
The Federal Information Security Management Act of 2002 (FISMA) is US legislation that defines an extensive framework for protecting federal information systems against cyber attackers. It was enacted on December 17, 2002, under the E-Government Act of 2002. Specifically, in the context of the United States, the act recognized the importance of information security for protecting the country's economic and national security interests. It places an inherent responsibility on federal agencies to design, develop, document, and implement agency-wide information security programs that secure the information systems supporting the agency's assets and operations. This responsibility extends to services and operations provided or managed by another agency, a contractor, or a third-party vendor.
Under FISMA, the National Institute of Standards and Technology (NIST) is responsible for designing and developing the information security standards, guidelines, methods, and techniques used to maintain an adequate level of information security across all federal agencies. Security practitioners often rely on the NIST standards issued under FISMA to protect their clients' technical infrastructure.
Definition of “information security”
FISMA defines the term “information security” as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to maintain confidentiality, integrity, and availability.
Penetration Testing and NIST SP 800-53 (Rev. 4)
Penetration testing is defined as a testing methodology in which assessors try to circumvent, break through, or defeat the security features of information systems under a specific set of constraints. In NIST SP 800-53 Rev. 4, CA-8 is the control dedicated to penetration testing. It states that organizations must conduct penetration testing at a defined frequency on their information systems or system components. Organizations are given a free hand to decide the frequency and scope of these tests. "Penetration testing" is explained further in the Supplemental Guidance for this control.
The Supplemental Guidance specifies that a penetration testing exercise is a specialized assessment conducted to identify existing vulnerabilities in an organization's information systems or system components. It serves two purposes: first, validating vulnerabilities, and second, testing the resiliency of information systems. During the exercise, the penetration testing team replicates the steps an attacker would take. The scope of a penetration test must include the hardware, software, and firmware of the information systems under assessment.
The publication prescribes two control enhancements for CA-8: CA-8(1) and CA-8(2). CA-8(1) prescribes that an organization employ an independent penetration testing team so that the assessment is impartial and unbiased. An independent team has no conflict of interest with respect to the design, development, testing, operation, or management of the organization's information systems that fall within the scope of the penetration testing exercise.
CA-8(2) states that an organization should conduct red team exercises to simulate real-world attempts by adversaries with malicious intent. Here, organizations can select the appropriate red team exercises and define the rules of engagement.