The National Institute of Standards and Technology (NIST) is an agency that sits within the U.S. Department of Commerce. Among other responsibilities, it maintains and revises NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations.
SP800-53 is a catalog of recommended IT security policies, strategies, and capabilities that organizations should follow so they meet federal laws and policies, including the Federal Information Security Management Act (FISMA).
Who Needs to Comply
U.S. federal agencies are required to comply. However, contractors, vendors, and state agencies that work with the federal government would also be well-advised to follow the standards set out in SP800-53, because doing so ensures that their security systems and processes are compatible with federal systems and standards.
The NIST & Mainframe Connection
In March 2020, NIST published the fifth version of SP800-53. It was the first new release in seven years, so it had a lot of catching up to do in terms of modern IT security. Some of the changes were meant to broaden the tent to acknowledge emerging technologies like IoT and cloud computing.
But NIST now also recommends that organizations conduct regular, independent control assessments of their IT environment. Those assessments should include vulnerability scanning of every IT system, and that includes the mainframe. In other words, if your organization is in a position to work with federal agencies, you should be scanning your mainframe for vulnerabilities.
NIST Requirements
NIST organizes its security and privacy controls into 20 “families,” or categories of related controls. The following is a list of pertinent control families and guidance around how mainframe security solutions can be applied to meet these requirements on enterprise mainframes.
- AC: Access Control – NIST recommends an entire family of access controls, with specific guidelines around access policy and procedure, account management, enforcement, and authentication and authorization. By following these requirements, organizations can avoid the risks associated with excessive access on the mainframe.
- AU-6: Audit Record Review, Analysis and Reporting – These controls cover information security and privacy-related logging performed by organizations. NIST recommends companies perform an “integrated analysis of audit records,” which means that any information generated by mainframe vulnerability scanning software should be integrated within the analysis of audit record information. “The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results,” says NIST.
- CA-2: Control Assessments – This set of controls speaks to the importance of regular assessments of organizational security controls. As NIST says, “Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle.” NIST also recommends specialized assessments, such as malicious user testing, insider threat assessments, and data loss assessments. A separate set of controls recommends penetration testing.
- RA-5: Vulnerability Monitoring and Scanning – NIST dedicates an entire set of controls to recommending that organizations monitor and scan for system vulnerabilities. As NIST writes: “Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for 1) Enumerating platforms, software flaws, and improper configurations; 2) Formatting checklists and test procedures; and 3) Measuring vulnerability impact.”