Addressing the Needs of Government Organizations Using CORE IMPACT Penetration Testing
Government organizations were among the earliest adopters of penetration testing and have played a highly influential role in developing the practice since its formative years.
Today, more government entities are performing pen testing than ever before, owing to its recognition as a central element of mature IT security programs and to the increasing range of regulations that require agencies to conduct more frequent assessments.
By enabling government organizations to test their resiliency against real-world threats and attempted data theft, and helping them address vulnerabilities across networks, endpoints, web applications and wireless networks, CORE IMPACT (available on the GSA Schedule; contract #: GS-35F-0494T) has established its place as the leading penetration testing solution on the market.
With a significant number of long-standing customers in the government space, CORE IMPACT has proven itself as the only automated penetration testing solution that can meet the unique demands of organizations throughout the federal, state and local sectors.
Please review the resources below for more information about CORE IMPACT’s use in government IT environments:
Documents
- FISMA: Complying with NIST SP 800-53a
The NIST Special Publication (SP) 800 documents establish penetration testing as the preferred method for auditing security controls under the Federal Information Systems Management Act (FISMA). View details of NIST Special Publication 800-53A (Appendix G), which calls for penetration testing that exploits vulnerabilities and demonstrates how security controls have been tested.
- Consensus Audit Guidelines: Complying with CAG Control 17
In 2009, a consortium of United States federal agencies and their private-sector partners (DoD, DHS, NIST, SANS) released the Consensus Audit Guidelines (CAG), a set of twenty IT security controls recommended for adoption across all U.S. government agencies. View details of CAG Control 17, which advocates penetration testing, and other controls where the process also applies.
- White Paper: CORE IMPACT Penetration Testing and the Consensus Audit Guidelines
This paper provides details on individual Consensus Audit Guidelines (CAG) controls that can either be achieved or optimized via the use of the CORE IMPACT Pro automated penetration testing solution, as well as those wherein use of the solution can help meet individual elements of the guidelines.
- White House: 60-Day Cyberspace Policy Review
In 2009, the Obama Administration published the results of its 60-day national cyber-security policy review, which addresses a wide range of challenges facing government agencies and their private sector partners in improving the nation’s ability to prepare for and respond to potential cyber-security incidents. Many of the report’s conclusions indicate that more frequent penetration testing could serve as a key process in effecting necessary changes.
- CSIS Cyber-Security Recommendations: Exploit Testing
In its landmark report, “Securing Cyberspace for the 44th Presidency,” the Center for Strategic and International Studies specifically recommends greater use of vulnerability and exploit testing to improve the nation’s cyber-security standing within several different contexts. View details of the report and its directives regarding penetration testing.
- PCI: Complying with DSS Requirement 11.3
Many government entities process payment card data and must comply with the PCI Data Security Standard, including Requirement 11.3, which requires regular penetration testing. View details of PCI penetration testing guidelines and the manner in which organizations can address mandated audits using CORE IMPACT solutions.
- CORE IMPACT Product Overview
Get a high-level overview of CORE IMPACT and its revolutionary automated penetration testing capabilities, which allow government agencies to quickly isolate and exploit a broad range of IT vulnerabilities and address multiple public-sector security standards.
Presentations
- Aligning Your Agency with FISMA and NIST via Proactive Security Testing
IT security and compliance expert Mike Rothman outlines the specific pen testing requirements of NIST SP 800-53a and explains how automated security testing solutions enable government agencies to accelerate their assessments and prove due diligence to third-party FISMA auditors.
- "All Roads Lead to Rome: How Cyber Terrorists are Exploiting Digital America"
A must-listen, on-demand webcast with cutting-edge intelligence from Tom Kellermann, Core Security vice president of security awareness, and an influential member of the government cyber-security and IT risk management community.
- Staying Ahead of Threats with John Pescatore
Join distinguished analyst John Pescatore, of leading analyst firm Gartner, for insights into how IT security practices must evolve to mitigate the risks posed by today’s prolific threat environment.
- Comprehensive Penetration Testing with CORE IMPACT Pro
View a recorded demonstration of network, endpoint, web application and wireless penetration testing with CORE IMPACT Pro.
Speaking Engagements
- Cyber Security: Developing a National Strategy - Testimony to United States Senate Homeland Security and Government Affairs Committee
- Origins of the Digital Insider – (ISC)2 Secure Americas
- GAO Panel Discussion on the National Cyber Security Strategy
- A Progressive Dimension: Cybersecurity and Privacy - Constitutional Implications in Homeland Security
Relevant Legislation
The following pending pieces of Congressional legislation currently endorse and/or may lead to specific requirements for mandated penetration testing:
- S.139: Data Breach Notification Act
- S.773: Cybersecurity Act of 2009
- S.920: Information Technology (IT) Investment Oversight Enhancement and Waste Prevention Act of 2009
- S.921: U.S. ICE Act of 2009
- S.946: Critical Electric Infrastructure Protection Act of 2009 (Senate Version)
- H.R.2165: Bulk Power System Protection Act of 2009
- H.R.2195: Critical Electric Infrastructure Protection Act of 2009 (House Version)
- H.R.2221: Data Accountability and Trust Act

