Are you architecting a cloud or information system (e.g., IoT, ICS, or network systems) in accordance with FISMA or NIST requirements?
Do you want to assess or verify whether your system is FISMA or NIST compliant?
CSAT (Cloud Security Architecture Tool) is the right tool for both. It helps you leverage the Cybersecurity Framework (CSF) to properly identify the NIST SP 800-53 security and privacy controls for an information system. These controls satisfy the FIPS 200 Minimum Security Requirements in support of the missions and services the system is designed for.
NIST SP 800-53 is a specification that provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional).
CSAT provides a user-friendly tool for organizations to properly “SELECT” security and privacy controls by following the FISMA and NIST information security standards and guidelines, such as SP 800-53, as shown in the figure on the right.
Without a tool, organizations do this in spreadsheets and documents. Such a paper-based method is ineffective and out of date the day after the documents are written, and it often leaves critical risks undiscovered or unaddressed.
“People even have difficulty correctly selecting the security controls and managing the risks in an information system,” according to CEO Dr. Bin Xie.
“CSAT makes the job easy, fast, trackable, correct, cost-saving, and user-friendly,” he says. “It helps an organization choose a minimal set of these security controls to provide sufficient security protection in an information system.”
More importantly, development costs can be greatly reduced, because CSAT allows an organization to operate with minimum residual risk while meeting the FISMA requirements and the Presidential Order mandates. Implementing a security and privacy control is costly, potentially running to millions of U.S. dollars.
Thanks to NIST’s tremendous effort in prototyping CSAT:
https://github.com/usnistgov/CloudSecurityArchitectureTool-CSAT
CSAT at InfoBeyond improves the prototype into a useful product with many functions. It was developed under a NIST SBIR program, supervised by Dr. Michaela Iorga, who is Senior Security Technical Lead for Cloud Computing and NIST Cloud Computing Security WG Co-Chair.
CSAT fills the security gap between the NIST specifications and the actual implementation of the information system, reducing the security vulnerabilities caused by misconfigured policies. This gap cannot be closed by strengthening cryptographic primitives or protocols.