Subcontrol 5.5

[adammontville]

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

Measures

None provided

Metrics

Boolean Value = SCAP compliant or not

[apiperCIS]

Question: Are we requiring an alert when the setting is changed from its approved value, or only if the setting is still configured to the unapproved value at the time of the next scan?

[apiperCIS]

UNCC Metrics: number of non-compliant settings number of unreported exceptions number of total config settings time between scans

[wmunyan]

Inputs:

• The organization's configuration monitoring system
• The list (maintained by NIST) of SCAP-validated tools
• The list of endpoints
• The inventory and mappings of secure configuration policy(ies) to the list of endpoints
• The list of approved exceptions, mapped to the endpoints on which they are approved (i.e. some endpoints may be excepting certain configurations, but others under the same configuration policy may not).
• The organization's approved configuration scanning interval (at least weekly)

Operations:

• (Manual) Ensure the configuration scanning tool (Input 1) is present in the list of SCAP-validated tools (Input 2).
• For each endpoint, obtain the configuration assessment results using Input 1
• For each assessment result in Operation 2, obtain the list of recommendations which map to the catalog of approved exceptions for that endpoint.
• Following the time period specified by Input 6, re-assess to obtain a comparative assessment result

Measures:

• M1 = 1 if Operation 1 indicates the organization's scanning tool is present in the list of SCAP-validated tools; 0 otherwise
• M2 = (For each endpoint) The number of non-compliant recommendations resulting from Operation 2
• M3 = (For each endpoint) The number of non-compliant recommendations that do not map to the catalog of approved exceptions for the endpoint
• M4 = (For each endpoint) The number of non-compliant recommendations resulting from Operation 4
• M5 = (For each endpoint) The number of non-compliant recommendations that do not map to the catalog of approved exceptions for the endpoint
• M6 = (For each endpoint) The number of recommendations assessed
• M7 = (For each endpoint) The number of approved configuration policy exceptions

Metrics:

• SCAP-validated tool = M1 == 1
• SCAP-validated tool ratio = Number of SCAP-validated tools / Total number of configuration mgmt tools
• Initial non-compliance ratio = M2 / M6
• Initial exception coverage = (M7 - M3) / M7
• Subsequent non-compliance ratio = M4 / M6
• Subsequent exception coverage (M7 - M5) / M7

NOTE This doesn't cover anything about alerts on unauthorized changes NOTE This sub-control is dependent on sub-control 5.1

[wmunyan]

Instead of using "subsequent" measurements, do measurements over a time period T