Addressing the Consensus Audit Guidelines with Vulnerability Management
In 2009, a consortium of United States federal agencies and their private-sector partners released the Consensus Audit Guidelines (CAG), a set of twenty IT security controls that the group has recommended for adoption across all U.S. government agencies to improve protection of federal information systems and encourage organizations to implement methods for continuous compliance with the Federal Information Security Management Act (FISMA).
Authored by constituents including the Department of Defense (DoD), Department of Homeland Security (DHS) and National Security Agency (NSA), along with government agency CIOs, the National Institute of Standards and Technology (NIST) and private IT consulting, training and solutions providers, the CAG controls were written to dovetail with the latest version of the NIST 800-53 security mandate, which was comprehensively updated in February 2009. These NIST-issued guidelines are recognized as the de facto operational requirements for government agencies preparing for government IT security audits dictated by FISMA.
How Core Security Solutions Help
One of the listed CAG controls, Critical Control 17, specifically calls for agencies to adopt proactive penetration testing and Red Team assessment exercises, a requirement that can be addressed using CORE Impact Pro and CORE Insight Enterprise. Another, Critical Control 10, demands continuous vulnerability assessment and remediation, a process to which our solutions can lend tremendous benefits by validating and filtering results. A number of other CAG controls also involve security programs to which penetration testing is relevant, both as a functional process and in embracing the underlying spirit and intended goals of the measures.
CORE Insight Enterprise offers capabilities that provide or validate 15 of the 20 controls recommended by the Consensus Audit Guidelines.