Automated Assessment and Enforcement of
NIST 800-53 Security Controls

IBM Endpoint Manager provides out-of-the-box support

Continuously monitoring and enforcing the controls defined in the National Institute of Standards and Technology (NIST) Special Publication 800-53 is a laborious challenge for many federal organizations. With IBM Endpoint Manager, built on BigFix technology, federal agencies can significantly reduce the cost of enforcing compliance with 800-53 through automated assessment and remediation of many of its controls, while gaining additional value, including PC power consumption savings, shorter patch cycles, STIG and SCAP compliance, and CyberScope reporting.

IBM Endpoint Manager can help:

The NIST 800-53 controls supported by IBM Endpoint Manager include:

NIST 800-53 control name, followed by the support provided by IBM Endpoint Manager:

AC-7: Unsuccessful Login Attempts
IBM Endpoint Manager for Security and Compliance can enforce FDCC and STIG policies that restrict local logon access to an information system, forcing authentication through a Windows domain/Active Directory or another central AAA system that manages and enforces lockout after a specific number of failed logon attempts.

AC-8: System Use Notification
IBM Endpoint Manager for Security and Compliance supports assessment and remediation of misconfigured system use notification banners. The banner messages assessed are customizable to support the specific needs of different information system owners.

AC-10: Concurrent Session Control
IBM Endpoint Manager for Security and Compliance can enforce FDCC, USGCB, and DISA STIG policies that restrict local logon access to an information system, forcing authentication through a Windows domain/Active Directory or another central AAA system that manages and enforces limits on the number of concurrent sessions.

AC-17: Remote Access
IBM Endpoint Manager for Security and Compliance can also disable remote access to specific information systems per FDCC and STIG benchmarks. IBM Endpoint Manager for Lifecycle Management provides management of, and integration with, Windows Remote Desktop, and it also provides integrated remote control in support of this control.

AC-18: Wireless Access
IBM Endpoint Manager for Security and Compliance can assess and remediate technical controls for wireless access in support of FDCC, USGCB, and DISA STIG benchmarks. IBM Endpoint Manager also provides general device management capabilities that enable policies governing an individual computer's use of wireless network adapters, including dynamic policies based on device location and other variables.

AC-19: Access Control for Mobile Devices
IBM Endpoint Manager supports this control by establishing dynamic security policies for mobile devices based on network location, network connection type, and other variables. IBM Endpoint Manager provides local self-quarantine capabilities when devices, both mobile and non-mobile, are out of compliance with defined policies. IBM Endpoint Manager also integrates with network-level NAC solutions.

AC-20: Use of External Information Systems
IBM Endpoint Manager for Security and Compliance scanning enables discovery of all computing assets on a network through distributed Nmap scanning. Default reporting lists all IP-addressable devices on the network that are not managed by IBM Endpoint Manager, making it easy to detect unauthorized devices.

AU-2: Auditable Events
IBM Endpoint Manager can be used to filter and report on system and security events from operating system event and audit logs.

AU-6: Audit Review, Analysis, and Reporting
IBM Endpoint Manager can be used to filter and report on system and security events from operating system event and audit logs.

AU-12: Audit Generation
IBM Endpoint Manager can be used to filter and report on system and security events from operating system event and audit logs.

AU-14: Session Audit
IBM Endpoint Manager can be used to filter and report on system and security events from operating system event and audit logs.

CA-1: Security Assessment and Authorization Policies and Procedures
IBM Endpoint Manager for Security and Compliance supports the implementation of policies using customizable benchmark checklists for USGCB, FDCC, and DISA STIG. IBM Endpoint Manager produces real-time compliance data for computing infrastructures that can assist organizations in defining and refining security policies.

CA-2: Security Assessments
IBM Endpoint Manager for Security and Compliance provides functionality to customize benchmark checklists, both the controls that make up a benchmark and the values each control checks for. IBM Endpoint Manager supports FDCC and DISA STIG benchmarks. IBM Endpoint Manager can restrict access to assessment data to specific individuals or groups through RBAC, supporting separation of duties and the creation of an independent assessment team. IBM Endpoint Manager also supports the certification process by providing reports and real-time information to prepare system owners for certification and for submission to accrediting authorities.

CA-3: Information System Connections
IBM Endpoint Manager can be configured to enforce self-quarantine policies that restrict network access and limit the interconnectivity of multiple information systems in support of this control.

CA-5: Plan of Action and Milestones
IBM Endpoint Manager for Security and Compliance provides continuous monitoring and enforcement of FDCC, USGCB, DISA STIG, vulnerability, and patch status across multiple operating systems. This enables organizations to develop a plan of action to maintain continuous compliance with regulations and guidelines.

CA-7: Continuous Monitoring
The IBM Endpoint Manager for Security and Compliance agent continuously monitors and assesses information systems against a set of policies, including FDCC, USGCB, DISA STIG, custom benchmarks imported through SCAP, patch status, and software inventories. It provides this information in near real time through the IBM Endpoint Manager console. Information is also available through web-based reports that can be made available to system owners and executives. Reporting capabilities include the ability to schedule reports, or to have reports sent automatically when specific triggers or conditions are met.

CM-1: Configuration Management Policy and Procedures
The IBM Endpoint Manager for Security and Compliance agent continuously monitors and assesses information systems against a set of policies, including FDCC, USGCB, DISA STIG, custom benchmarks imported through SCAP, patch status, and software inventories. It provides this information in near real time through the IBM Endpoint Manager console. Information is also available through web-based reports that can be made available to system owners and executives. Reporting capabilities include the ability to schedule reports, or to have reports sent automatically when specific triggers or conditions are met.

CM-2: Baseline Configuration
IBM Endpoint Manager for Security and Compliance supports the development of system baselines and the monitoring of compliance against those baselines over time. IBM Endpoint Manager also supports continuous policy enforcement to eliminate configuration drift for both mobile and non-mobile endpoints. IBM Endpoint Manager for Lifecycle Management provides capabilities to maintain a consistent software baseline across computing environments.

CM-3: Configuration Change Control
IBM Endpoint Manager for Security and Compliance supports change control through the publication of specific remediations to operators with authority to make system configuration changes. The types of configuration change control actions that may be performed can be tailored per operator. For example, one operator may be able to publish new change content within IBM Endpoint Manager, while another operator may have fewer rights, such as being limited to implementing change content that has already been defined. IBM Endpoint Manager also audits all actions taken on managed endpoints to track authorized changes to the systems.

CM-4: Security Impact Analysis
IBM Endpoint Manager provides capabilities to easily establish a test group of computers within the application and to apply changes and remediations only to the systems in that test group, so that the impact of a change can be tested before it is implemented on all production systems.

CM-6: Configuration Settings
IBM Endpoint Manager for Security and Compliance centrally manages configuration settings for organizations with large, complex, distributed, and heterogeneous computing infrastructures. IBM Endpoint Manager provides control libraries based on FDCC, USGCB, and DISA STIGs that are customizable to support the requirements of specific information systems. IBM Endpoint Manager also provides functionality to enforce configuration settings and so minimize configuration drift (i.e., if a setting changes, the IBM Endpoint Manager agent can automatically change it back to the proper configuration).

CM-7: Least Functionality
IBM Endpoint Manager for Core Protection provides functionality to enforce specific configurations, including restricting the use of ports and protocols (through IBM Endpoint Manager firewall and IPsec self-quarantine functionality), shutting down services, and so on.

CM-8: Information System Component Inventory
IBM Endpoint Manager for Lifecycle Management provides asset inventory reporting with detailed information on installed software applications, hardware components, and so on. Detailed listings of monitored properties are available, and custom properties can also be developed within the IBM Endpoint Manager applications as needed.

CP-1: Contingency Planning Policy and Procedures
IBM Endpoint Manager supports established contingency plans through immediate policy enforcement in reaction to events, rapidly securing computing infrastructures.

CP-4: Contingency Plan Testing and Exercises
IBM Endpoint Manager allows operators to create test groups for testing contingency plans in reaction to malicious cyber events as part of an exercise. This enables organizations to hone their skills, using IBM Endpoint Manager as a rapid response system and security management platform.

CP-9: Information System Backup
IBM Endpoint Manager can be leveraged to upload specific files, directories, or content from managed systems to specified locations, although it does not provide out-of-the-box backup functionality.

CP-10: Information System Recovery and Reconstitution
IBM Endpoint Manager for Lifecycle Management can reimage Windows computers over the wire, leveraging remote caching infrastructure components to minimize the network impact and the time required to reimage or recover a system.

IR-1: Incident Response Policy and Procedures
IBM Endpoint Manager can be leveraged as part of an implemented incident response policy to respond to cyber incidents. Examples include uploading files after an incident, rapidly deploying quarantine policies to infected systems, and detecting and responding to zero-day exploits.

IR-4: Incident Handling
IBM Endpoint Manager is designed for situational awareness, with automatic and dynamic policy enforcement based on environmental changes. IBM Endpoint Manager can be configured to react rapidly and automatically to specific incidents to secure computing infrastructures.

MA-1: System Maintenance Policy and Procedures
IBM Endpoint Manager for Lifecycle Management can be leveraged as an effective tool in support of system maintenance policies. IBM Endpoint Manager manages many asset management computer properties, including RAM, free space on the system drive, and so on, and it can be configured to alert when specific properties reach values that would require maintenance.

MA-2: Controlled Maintenance
IBM Endpoint Manager for Security and Compliance continuously monitors system and security configuration controls on managed systems and can be configured to alert when controls change. Controls monitored and enforced include FDCC, USGCB, DISA STIG, patches, and endpoint security product configurations.

MA-6: Timely Maintenance
IBM Endpoint Manager manages many asset management computer properties, including RAM, free space on the system drive, and so on, and it can be configured to alert when specific properties reach values that would require maintenance.

PE-10: Emergency Shutoff
IBM Endpoint Manager provides the ability to remotely shut down information systems.

PL-2: System Security Plan
IBM Endpoint Manager for Security and Compliance provides a flexible management framework for multiple systems and their specific System Security Plan requirements. This includes monitoring custom benchmarks on a per-group or per-computer basis, and measuring custom properties and custom remediation policies. Reports can be generated detailing the controls in place for specific systems.

PL-6: Security-Related Activity Planning
IBM Endpoint Manager for Security and Compliance and IBM Endpoint Manager for Lifecycle Management continuously monitor all managed systems for compliance with security control checklists (FDCC, USGCB, STIG), required patches, and required software. Asset information is also continuously evaluated and reported on. This is automated at each endpoint, reducing the workload of executing security activities.

PS-4: Personnel Termination
IBM Endpoint Manager can be leveraged to minimize the impact if an individual does not return a computing asset upon termination, for example by deploying and executing a device-wipe application. IBM Endpoint Manager can communicate securely with devices over the Internet, and agents will phone home, allowing the agency to take action and potentially determine the device's location through its IP address and other available information.

PS-5: Personnel Transfer
In situations where personnel retain computer equipment such as laptops when transferred, IBM Endpoint Manager can accommodate this organizational churn by enforcing new policies based on the new group or organization, or the agent can switch deployments if the agency uses multiple IBM Endpoint Manager deployments to manage its computing infrastructure.

RA-2: Security Categorization
IBM Endpoint Manager provides functionality to map security categorizations to individual computers or computer groups and to tie specific policies to those groups.

RA-3: Risk Assessment
IBM Endpoint Manager for Security and Compliance provides real-time compliance data and remediation capabilities, enabling the agency to quickly measure compliance with benchmarks such as patch status, FDCC, USGCB, and STIG so that this can be factored into risk assessments. IBM Endpoint Manager provides flexible grouping structures, so individual computers can belong to multiple groups; this supports management models where computers are members both of functional groups and of groups of computers at different risk levels.

RA-5: Vulnerability Scanning
IBM Endpoint Manager for Security and Compliance provides real-time visibility into vulnerabilities on managed Windows computers. IBM Endpoint Manager has an automated feed from the National Vulnerability Database, which is converted to IBM Endpoint Manager content and supplied to IBM Endpoint Manager customers as a subscription service. This data should be incorporated into and correlated with data supplied by traditional vulnerability scanners. IBM Endpoint Manager is also SCAP validated and can import a SCAP vulnerability checklist for assessment.

SA-6: Software Usage Restrictions
IBM Endpoint Manager for Software Use Analysis provides software usage and license tracking to help organizations maintain compliance with vendor contracts, reduce licensing cost where software is not used, and avoid potential cost overruns.

SA-7: User-Installed Software
IBM Endpoint Manager for Software Use Analysis helps enforce user-installed software policies, including an agent-based user self-service portal of approved software (Offers). IBM Endpoint Manager provides tracking and reporting of all installed applications and services on a device and gives the agency the ability to remove unauthorized applications. IBM Endpoint Manager for Software Use Analysis provides software usage tracking and license compliance reporting, enabling the agency to ensure that user-installed software does not adversely impact vendor contracts.

SA-8: Security Engineering Principles
Including IBM Endpoint Manager in the design of an information system improves the security engineering of the system by providing real-time assessment, management, and automated remediation of issues. IBM Endpoint Manager provides capabilities to significantly enhance the security posture of computing systems.

SA-9: External Information System Services
IBM Endpoint Manager, if installed on service provider information systems that are leveraged to provide services on an agency site, can give the agency real-time assessments of the security posture of these systems.

SA-10: Developer Configuration Management
IBM Endpoint Manager for Security and Compliance may be installed on systems during the development process to ensure that systems are secured during this stage and prior to being implemented in production.

SA-11: Developer Security Testing
IBM Endpoint Manager for Security and Compliance should be leveraged during the development process to ensure that developmental changes to information systems do not impact the technical security controls of the system, such as those defined by FDCC, USGCB, and DISA STIG.

SA-13: Trustworthiness
IBM Endpoint Manager for Security and Compliance positively affects the two major factors in the trustworthiness of an information system: security functionality and security assurance. IBM Endpoint Manager provides a wide array of security functionality, including continuous monitoring of patch compliance, FDCC, USGCB, DISA STIG, and other security-related properties. IBM Endpoint Manager enhances security assurance by achieving high first-pass success rates (over 90%, based on customer case studies) for remediations, including but not limited to control enforcement and patch deployment.

SC-4: Information in Shared Resources
IBM Endpoint Manager for Core Protection provides endpoint-based Data Loss Prevention to control and block unauthorized and unintended information transfer.

SC-5: Denial of Service Protection
IBM Endpoint Manager can be leveraged as a rapid response tool to help minimize the impact of DoS attacks by closing listening ports on managed systems, reducing the impact on applications running on those systems.

SC-10: Network Disconnect
IBM Endpoint Manager for Power Management can configure systems to shut down, hibernate, or go into sleep mode, effectively disconnecting them from the network after a period of inactivity.

SC-18: Mobile Code
IBM Endpoint Manager provides capabilities to perform wildcard searches on managed systems. These capabilities could be leveraged by the agency to search for and document what mobile code exists on a system and to take corrective action.

SC-25: Thin Nodes
IBM Endpoint Manager supports agents on thin-node technologies, such as Windows XP Embedded.

SC-30: Virtualization Techniques
IBM Endpoint Manager for Patch Management provides an agent and patch management support for VMware ESX Server.

SI-2: Flaw Remediation
IBM Endpoint Manager for Security and Compliance and IBM Endpoint Manager for Lifecycle Management are industry leaders in flaw remediation, with 90+% success rates (based on customer case studies) on the first deployment of patches, updates, service packs, and other flaw remediations. IBM Endpoint Manager can detect any system property and take virtually any action on a managed computer that an administrator could take sitting in front of the device. This fundamental capability lets the agency quickly and efficiently remediate flaws in standard operating systems and applications, as well as in custom-developed applications. IBM Endpoint Manager provides out-of-the-box patching content for Windows, Unix, Linux, Mac, VMware ESX, and many common third-party Windows and Mac applications from vendors such as Adobe, Mozilla, Google, and Oracle (Java).

SI-3: Malicious Code Protection
IBM Endpoint Manager for Security and Compliance and IBM Endpoint Manager for Core Protection provide malicious code protection. Additionally, to support organizations that have already purchased malicious code protection technologies, such as anti-virus/anti-spyware and/or HIPS, IBM Endpoint Manager provides management capabilities that enhance the effectiveness of these existing solutions. IBM Endpoint Manager provides configuration management for existing anti-virus and anti-malware solutions, including installation verification, status of required services, DAT compliance checks with deployment update tasks, and other common break-fix tasks. IBM Endpoint Manager is significantly more effective at deploying DAT files and maintaining currency than the major anti-virus vendors' own infrastructure, achieving 90+% success rates on the first deployment (based on customer case studies). IBM Endpoint Manager also supports restricting USB interfaces and the types of media that can be connected to them.

SI-4: Information System Monitoring
IBM Endpoint Manager for Security and Compliance and IBM Endpoint Manager for Lifecycle Management provide continuous monitoring of system configurations and security attributes, including but not limited to asset inventory properties, patch levels, anti-malware client configurations, software usage, and filtered system and security event logs.

SI-7: Software and Information Integrity
IBM Endpoint Manager is able to detect and report on changes to a defined baseline of policies and configurations.

SI-10: Information Input Validation
IBM Endpoint Manager can be leveraged to check specific files on a system against their known SHA-1 hash values.
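As an added illustration of the SI-7 and SI-10 rows (detecting changes against a defined baseline, and checking files against known hash values), here is a small Python baseline integrity check. It is example code written for this page, not IBM Endpoint Manager functionality; the manifest format, file names, and file contents are constructed.

```python
"""Baseline file-integrity check in the spirit of the SI-7 and SI-10 rows.

Added example, not IBM Endpoint Manager code. A baseline manifest maps a
relative file path to its known-good digest; the check re-hashes every file
under a root directory and reports what drifted. The sample files are
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import os
import shutil
import tempfile


def file_digest(path, algorithm="sha1"):
    """Hash a file in chunks so large binaries need not fit in memory.

    The page mentions SHA-1; for new baselines prefer "sha256", since
    SHA-1 is no longer collision resistant.
    """
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_baseline(root, manifest, algorithm="sha1"):
    """Compare files under root with manifest ({relative path: hex digest}).

    Returns sorted lists of files that are modified (digest differs), missing
    (in the baseline but not on disk), and unexpected (on disk but not in the
    baseline, i.e. possibly unauthorized).
    """
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = file_digest(full, algorithm)
    return {
        "modified": sorted(p for p, d in manifest.items() if p in found and found[p] != d),
        "missing": sorted(p for p in manifest if p not in found),
        "unexpected": sorted(p for p in found if p not in manifest),
    }


def demo():
    """Build a constructed baseline, tamper with the tree, and re-check it."""
    root = tempfile.mkdtemp(prefix="baseline_")
    originals = {  # constructed sample files, not real product artifacts
        "etc/app.conf": b"log_level=info\n",
        "bin/agent": b"constructed-binary-contents",
    }
    for rel, data in originals.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    manifest = {rel: file_digest(os.path.join(root, rel)) for rel in originals}
    clean = check_baseline(root, manifest)
    # Simulate drift: edit the config, delete the agent, drop in an unknown script.
    with open(os.path.join(root, "etc/app.conf"), "ab") as fh:
        fh.write(b"debug=true\n")
    os.remove(os.path.join(root, "bin/agent"))
    with open(os.path.join(root, "etc/extra.sh"), "wb") as fh:
        fh.write(b"#!/bin/sh\n")
    drifted = check_baseline(root, manifest)
    shutil.rmtree(root)
    return {"clean": clean, "drifted": drifted}


if __name__ == "__main__":
    print(demo())
```

The manifest itself must be stored and distributed somewhere the monitored host cannot silently rewrite it, otherwise an attacker who modifies a file can update its expected digest too.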