NIST 800-53 Compliance Solutions
NIST 800-53 Compliance Automation and Self-service Administration
Meeting the letter of NIST 800-53 does not by itself deliver the value an organization expects from compliance. The Avatier Identity Management Software suite (AIMS) offers a holistic compliance management solution that pairs IT automation with self-service administration. AIMS automates FISMA and FIPS 200 compliance activities to deliver a unified compliance management software solution. The tables below map the NIST 800-53 control families that AIMS addresses to the corresponding controls.
NIST 800-53 Access Control (AC)
| Code | Title | Description |
|---|---|---|
| AC-1 | Access Control Policy | Formalize procedures to facilitate the implementation of access control policies. |
| AC-2 | Account Management | Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations. |
| AC-3 | Access Enforcement | Enforce approved authorizations for access to systems in accordance with policy. |
| AC-4 | Information Flow Enforcement | Enforce approved authorizations. Control information flow between interconnected systems. |
| AC-5 | Separation of Duties | Separate the duties of individuals to prevent malevolent activity. Automate separation of duties and access authorizations. |
| AC-6 | Least Privilege | Automate least privilege. Allow users and processes only the authorized accesses that are necessary. |
| AC-7 | Unsuccessful Login Attempts | Enforce a limit on consecutive invalid login attempts by a user. |
| AC-8 | System Use Notification | Display the approved system use notification prior to login and where appropriate. |
| AC-9 | Logon (Access) Notification | Notify users upon successful logon of the date and time of the logon. |
| AC-10 | Concurrent Session Control | Limit and define the number of concurrent sessions for each system account by account type, by account, or by a combination. |
| AC-11 | Session Lock | Prevent further access to systems. Initiate a session lock after inactivity or upon request from a user. |
| AC-14 | Actions without Authentication | Identify the specific user actions that can be performed on an information system without identification and authentication. |
| AC-16 | Security Attributes | Support and maintain the binding of security attributes to information in storage, in process, and in transit. |
| AC-17 | Remote Access | Authorize remote access to systems prior to connection. Enforce remote connection requirements for information systems. |
| AC-18 | Wireless Access | Authorize wireless access to systems prior to connection. Enforce wireless requirements for connecting to systems. |
| AC-19 | Mobile Device Access Control | Authorize mobile device access to systems prior to connection. Enforce mobile device connection requirements. |
| AC-20 | External Information Systems | Govern access to information systems from external systems, and the processing, storage, and transmission of information using external systems. |
| AC-21 | User Collaboration and Information Sharing | Facilitate information sharing. Enable authorized users to grant access to partners. |
| AC-22 | Publicly Accessible Content | Designate the individuals authorized to post information onto an organization's publicly accessible information system. |
NIST 800-53 Audit and Accountability (AU)
| Code | Title | Description |
|---|---|---|
| AU-1 | Audit and Accountability Procedures | Automate audit and accountability policy and procedures that address purpose, scope, roles, responsibilities, management, coordination, and compliance. |
| AU-2 | Auditable Events | Coordinate the security audit function with other organizational entities. Enable mutual support in auditing auditable events. |
| AU-3 | Content of Audit Records | Produce audit records that report what event occurred, when and where it occurred, its source, its outcome, and the identity involved. |
| AU-4 | Audit Storage Capacity | Allocate audit record storage capacity and configure auditing to reduce the likelihood of that capacity being exceeded. |
| AU-5 | Response to Audit Processing Failures | Alert designated organizational officials in the event of an audit processing failure and take appropriate action. |
| AU-6 | Audit Review, Analysis, and Reporting | Integrate audit review, analysis, and reporting with the processes for investigating and responding to suspicious activity. |
| AU-7 | Audit Reduction and Report Generation | Support real-time audit review, analysis, and reporting requirements without altering the original audit records. |
| AU-8 | Time Stamps | Use internal system clocks to generate time stamps for audit records. |
| AU-9 | Protection of Audit Information | Protect audit information and audit tools from unauthorized access, modification, and deletion. |
| AU-10 | Non-Repudiation | Protect against an individual falsely denying having performed an action. |
| AU-11 | Audit Record Retention | Retain audit records for security investigations. Meet regulatory and organizational data retention requirements. |
| AU-12 | Audit Generation | Audit the events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for those events. |
| AU-14 | Session Audit | Capture, record, and log user sessions. Remotely view all content related to a user session, starting from system start-up. |
NIST 800-53 Security Assessment and Authorization (CA)
| Code | Title | Description |
|---|---|---|
| CA-1 | Security Assessment and Authorization | Formalize security assessment. Implement security assessments of authorization policies and internal controls. |
| CA-2 | Security Assessments | Assess security controls to determine their effectiveness and produce security reports, documentation, and graphs. |
| CA-5 | Plan of Action and Milestones | Determine actions and milestones as part of a security assessment to reduce or eliminate system vulnerabilities. |
| CA-6 | Security Authorization | Assign authorizing roles in systems and workflows for processing authorizations before operations commence. |
| CA-7 | Continuous Monitoring | Continuously monitor configuration management processes. Determine security impact and environmental and operational risks. |
NIST 800-53 Identification and Authentication (IA)
| Code | Title | Description |
|---|---|---|
| IA-1 | Identification and Authentication Policy | Automate identification and authentication policies. Coordinate organizational entities. Streamline compliance operations. |
| IA-2 | Identification and Authentication (Organizational Users) | Identify and authenticate organizational users and processes. |
| IA-4 | Identifier Management | Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse. |
| IA-5 | Authenticator Management | Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use. |
| IA-6 | Authenticator Feedback | Obscure authentication feedback during the authentication process. Protect authentication information from exploitation. |
| IA-7 | Cryptographic Module Authentication | Authenticate to cryptographic modules in a manner that meets applicable legal requirements. |
| IA-8 | Identification and Authentication (Non-Organizational Users) | Identify and authenticate non-organizational users and processes. |
NIST 800-53 Risk Assessment (RA)
| Code | Title | Description |
|---|---|---|
| RA-1 | Risk Assessment Policy and Procedures | Track risk assessment policies that address purpose, scope, roles, management, and organizational compliance. |
| RA-2 | Security Categorization | Categorize information and information systems in accordance with applicable laws, Executive Orders, regulations, and standards. |
| RA-3 | Risk Assessment | Assess the risk and magnitude of unauthorized system access, use, disclosure, disruption, modification, or destruction. |
| RA-5 | Vulnerability Scanning | Scan for system vulnerabilities. Share vulnerability information and the security controls that eliminate vulnerabilities. |