THE INFORMATION IN THIS ARTICLE APPLIES TO:
EFT v7.4.x and later
DISCUSSION
Summary
Although FISMA and FedRAMP are separate initiatives, with the former initially focused on on-premises governmental systems and the latter focused on cloud-based deployments, both are closely tied to the NIST Special Publication (SP) 800-53A revision 4 controls. Organizations seeking compliance with either standard can apply these controls to planned or implemented software ecosystems that fall within the standards' scope. However, because these ecosystems are largely composed of a number of third-party enterprise software applications and middleware, it is incumbent on the organization seeking compliance to ensure that the third-party software solutions being deployed will facilitate, rather than detract from, its compliance efforts.
Mapping Table
| NIST SP 800-53A No. | NIST SP 800-53A Control | NIST 800-171 CUI No. | Globalscape Solution Mapping (EFT) |
|---|---|---|---|
| AC-1 | ACCESS CONTROL POLICY AND PROCEDURES | | Customer Responsibility (CR) and/or Inherited Controls (IC) |
| AC-2 | ACCOUNT MANAGEMENT | 3.1.1, 3.1.2 | EFT provides a comprehensive set of built-in account management controls, including flexible authentication manager (directory) services and permissions (authorization) systems. |
| AC-3 | ACCESS ENFORCEMENT | 3.1.1, 3.1.2 | EFT provides numerous mechanisms for controlling and enforcing access. |
| AC-4 | INFORMATION FLOW ENFORCEMENT | 3.1.3 | EFT provides a hierarchical permissions management system similar to the way Active Directory permissions work. |
| AC-5 | SEPARATION OF DUTIES | 3.1.4 | EFT separates (logically and functionally) administrator permissions from end user (consumer) permissions. |
| AC-6 | LEAST PRIVILEGE | 3.1.5, 3.1.6, 3.1.7 | While mainly the responsibility of the customer, EFT provides mechanisms to limit what authorized administrators can do. |
| AC-8 | SYSTEM USE NOTIFICATION | 3.1.9 | Supported; the web client is fully customizable (ToS, Privacy, etc.). |
| AC-17 | REMOTE ACCESS | 3.1.1, 3.1.2 | EFT provides a number of access controls for securing remote administrative access. |
| AC-18 | WIRELESS ACCESS | 3.1.16 | See mobile access (AC-19). |
| AC-19 | ACCESS CONTROL FOR MOBILE DEVICES | 3.1.18 | EFT provides access controls for mobile users (not administrators) that control security on the native mobile app and within EFT (via authorization and ACLs). |
| AC-20 | USE OF EXTERNAL INFORMATION SYSTEMS | 3.1.20 | CR/IC |
| AT-1 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES | 3.2.1-2 | CR/IC |
| AT-2 | SECURITY AWARENESS TRAINING | 3.2.1, 3.2.2 | CR/IC |
| AT-3 | ROLE-BASED SECURITY TRAINING | 3.2.1, 3.2.2 | CR/IC |
| AU-1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | | CR/IC |
| AU-2 | AUDIT EVENTS | 3.3.1, 3.3.2, 3.3.3 | EFT provides a complete audit and logging trail. |
| AU-3 | CONTENT OF AUDIT RECORDS | 3.3.1, 3.3.2 | EFT captures all relevant metadata around transactional (end user) and administrative events. |
| AU-4 | AUDIT STORAGE CAPACITY | | CR/IC |
| AU-5 | RESPONSE TO AUDIT PROCESSING FAILURES | 3.3.4 | CR/IC |
| AU-6 | AUDIT REVIEW, ANALYSIS, AND REPORTING | 3.3.1, 3.3.2, 3.3.5 | EFT offers a comprehensive set of reports as an optional component. |
| AU-8 | TIME STAMPS | 3.3.7 | EFT audits timestamps. It is up to the customer to configure the operating system to sync with authoritative time sources. |
| AU-9 | PROTECTION OF AUDIT INFORMATION | 3.3.8, 3.3.9 | CR/IC |
| AU-12 | AUDIT GENERATION | 3.3.1, 3.3.2 | EFT offers all necessary controls to enable auditing, determine the destination of audit logs (database type), control the log level, etc. |
| CA-1 | SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES | | CR/IC |
| CA-3 | SYSTEM INTERCONNECTIONS | | Although mainly determined by the customer, EFT provides a robust integration framework (Event Rules engine) that facilitates integration with 3rd party systems. |
| CM-1 | CONFIGURATION MANAGEMENT POLICY AND PROCEDURES | | CR/IC |
| CM-2 | BASELINE CONFIGURATION | 3.4.1, 3.4.2 | CR/IC |
| CM-3 | CONFIGURATION CHANGE CONTROL | 3.4.3 | CR/IC |
| CM-5 | ACCESS RESTRICTIONS FOR CHANGE | 3.1.5 | EFT utilizes access controls to restrict access; however, it is the customer's responsibility to establish and document usage restrictions, configuration/connection requirements, and implementation guidance. |
| CM-6 | CONFIGURATION SETTINGS | 3.4.1, 3.4.2 | CR/IC |
| CM-7 | LEAST FUNCTIONALITY | 3.4.6, 3.4.7, 3.4.8 | Supported, from granular admin roles with diminished privileges for administrators to end user authorization and controls. |
| CM-8 | INFORMATION SYSTEM COMPONENT INVENTORY | 3.4.1, 3.4.2 | CR/IC |
| CM-9 | CONFIGURATION MANAGEMENT PLAN | | CR/IC |
| CM-11 | USER-INSTALLED SOFTWARE | 3.4.9 | CR/IC |
| CP-1 | CONTINGENCY PLANNING POLICY AND PROCEDURES | | EFT provides the ability to configure high availability active-passive (N-1) or active-active clusters, backup and restore of configuration, and export of configuration settings for easy migration to a DR site. |
| CP-2 | CONTINGENCY PLAN | | See CP-1; ultimately this is the customer's responsibility. |
| CP-6 | ALTERNATE STORAGE SITE | | CR/IC |
| CP-7 | ALTERNATE PROCESSING SITE | | CR/IC |
| CP-8 | TELECOMMUNICATIONS SERVICES | | CR/IC |
| CP-9 | INFORMATION SYSTEM BACKUP | | CR/IC |
| CP-10 | INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | | CR/IC |
| IA-1 | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES | | CR/IC |
| IA-2 | IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | 3.5.1-4 | CR/IC |
| IA-3 | DEVICE IDENTIFICATION AND AUTHENTICATION | No map | EFT identifies all devices that connect to it via a combination of IP address, username, password, and second-factor authentication if configured. EFT also provides an IP access and ban list to filter unauthorized IP addresses. |
| IA-4 | IDENTIFIER MANAGEMENT | 3.5.5, 3.5.6 | Yes |
| IA-5 | AUTHENTICATOR MANAGEMENT | 3.5.1-2, 3.5.7-10 | Yes |
| IA-7 | CRYPTOGRAPHIC MODULE AUTHENTICATION | | EFT provides a wide variety of encryption methods for KEX, transmission, message/data encryption and signing, receipt signing, and encryption of data at rest. Standards include SSL/TLS, FIPS, PGP, and so on. |
| IA-8 | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | | EFT provides mechanisms for authenticating and authorizing users that are not part of the organization, including self-provisioning, with full administrator control and a complete audit trail. |
| IR-1 | INCIDENT RESPONSE POLICY AND PROCEDURES | | CR/IC |
| IR-4 | INCIDENT HANDLING | 3.6.1-2 | CR/IC |
| IR-5 | INCIDENT MONITORING | 3.6.1-2 | CR/IC |
| IR-6 | INCIDENT REPORTING | 3.6.1-2 | CR/IC |
| IR-8 | INCIDENT RESPONSE PLAN | | CR/IC |
| MA-1 | SYSTEM MAINTENANCE POLICY AND PROCEDURES | | CR/IC |
| MP-1 | MEDIA PROTECTION POLICY AND PROCEDURES | | CR/IC |
| MP-2 | MEDIA ACCESS | 3.8.1-3 | CR/IC |
| MP-4 | MEDIA STORAGE | 3.8.1-3 | CR/IC |
| MP-5 | MEDIA TRANSPORT | 3.8.5-6 | CR/IC |
| MP-6 | MEDIA SANITIZATION | 3.8.1-3 | CR/IC |
| MP-7 | MEDIA USE | 3.8.7-8 | CR/IC |
| PE-1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES | | CR/IC |
| PE-2 | PHYSICAL ACCESS AUTHORIZATIONS | 3.10.1, 3.10.2 | CR/IC |
| PE-3 | PHYSICAL ACCESS CONTROL | 3.10.3-5 | CR/IC |
| PE-4 | ACCESS CONTROL FOR TRANSMISSION MEDIUM | 3.10.1, 3.10.2 | CR/IC |
| PE-6 | MONITORING PHYSICAL ACCESS | | CR/IC |
| PE-9 | POWER EQUIPMENT AND CABLING | | CR/IC |
| PE-10 | EMERGENCY SHUTOFF | | CR/IC |
| PE-11 | EMERGENCY POWER | | CR/IC |
| PE-12 | EMERGENCY LIGHTING | | CR/IC |
| PE-13 | FIRE PROTECTION | | CR/IC |
| PE-14 | TEMPERATURE AND HUMIDITY CONTROLS | | CR/IC |
| PE-15 | WATER DAMAGE PROTECTION | | CR/IC |
| PL-1 | SECURITY PLANNING POLICY AND PROCEDURES | | CR/IC |
| PL-2 | SYSTEM SECURITY PLAN | | CR/IC |
| PL-8 | INFORMATION SECURITY ARCHITECTURE | | While this is a customer responsibility, EFT security features support a defense-in-depth strategy. |
| PS-1 | PERSONNEL SECURITY POLICY AND PROCEDURES | | CR/IC |
| PS-2 | POSITION RISK DESIGNATION | | CR/IC |
| PS-3 | PERSONNEL SCREENING | | CR/IC |
| PS-4 | PERSONNEL TERMINATION | | CR/IC |
| PS-7 | THIRD-PARTY PERSONNEL SECURITY | | CR/IC |
| RA-1 | RISK ASSESSMENT POLICY AND PROCEDURES | | CR/IC |
| RA-2 | SECURITY CATEGORIZATION | | CR/IC |
| RA-3 | RISK ASSESSMENT | 3.11.1 | CR/IC |
| RA-5 | VULNERABILITY SCANNING | 3.11.2, 3.11.3 | CR/IC |
| SA-1 | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES | | CR/IC |
| SA-2 | ALLOCATION OF RESOURCES | | CR/IC |
| SA-3 | SYSTEM DEVELOPMENT LIFE CYCLE | | While this is a customer responsibility, EFT, as part of a broader system, is based on a "security by design" principle. When configured properly and used with the corresponding DMZ Gateway product, the solution can be deployed in a manner that significantly reduces attack vectors, thus complying with this directive. |
| SA-4 | ACQUISITION PROCESS | | CR/IC |
| SA-8 | SECURITY ENGINEERING PRINCIPLES | | CR/IC |
| SA-9 | EXTERNAL INFORMATION SYSTEM SERVICES | | Globalscape's EFT software complies with many organizational information security requirements as defined in applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |
| SA-10 | DEVELOPER CONFIGURATION MANAGEMENT | | Globalscape's EFT software repository is subject to formal configuration management controls for source control, including revisions, access, builds, commits, etc. |
| SA-11 | DEVELOPER SECURITY TESTING AND EVALUATION | | Globalscape's EFT software undergoes security testing and evaluation: all new feature designs or refactors are subject to architectural oversight committees, code peer reviews, adherence to standards such as OWASP, and post-build security assessment tools such as HTBridge and Qualys. |
| SC-1 | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES | | CR/IC |
| SC-2 | APPLICATION PARTITIONING | | While this is a customer responsibility, EFT separates admin and user functionality. |
| SC-4 | INFORMATION IN SHARED RESOURCES | | If configured properly, EFT's access controls prevent unauthorized information transfer. EFT also supports the ICAP protocol for integrating with 3rd party data loss prevention and classification systems, to further control information sharing. |
| SC-5 | DENIAL OF SERVICE PROTECTION | | EFT provides built-in controls for mitigating the effects of DoS and flood attacks. |
| SC-7 | BOUNDARY PROTECTION | | While this is a customer responsibility, Globalscape provides a secure smart proxy solution that can be coupled with EFT to protect the network boundary (DMZ). |
| SC-8 | TRANSMISSION CONFIDENTIALITY AND INTEGRITY | | EFT uses secure protocols to protect the confidentiality and integrity of transmitted information. |
| SC-12 | CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | | Yes |
| SC-13 | CRYPTOGRAPHIC PROTECTION | | Yes |
| SC-15 | COLLABORATIVE COMPUTING DEVICES | | CR/IC |
| SC-17 | PUBLIC KEY INFRASTRUCTURE CERTIFICATES | | Yes |
| SC-19 | VOICE OVER INTERNET PROTOCOL | | CR/IC |
| SC-20 | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | | CR/IC |
| SC-21 | SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) | | CR/IC |
| SC-22 | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE | | CR/IC |
| SC-23 | SESSION AUTHENTICITY | | EFT provides numerous internal controls for establishing and maintaining session authenticity and integrity, including support for various secure headers in compliance with OWASP recommended practices to mitigate XFS, XSS, CSRF, etc. |
| SC-28 | PROTECTION OF INFORMATION AT REST | | Yes |
| SC-39 | PROCESS ISOLATION | | Yes |
| SI-1 | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES | | CR/IC |
| SI-2 | FLAW REMEDIATION | | CR/IC |
| SI-3 | MALICIOUS CODE PROTECTION | | EFT includes built-in Known-Answer Tests (KAT), and CRC checksums on application startup to validate the configuration. |
| SI-4 | INFORMATION SYSTEM MONITORING | | CR/IC |
| SI-5 | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | | CR/IC |
| SI-7 | SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | | CR/IC |
| SI-10 | INFORMATION INPUT VALIDATION | | EFT provides comprehensive checks around input validation for both user and administrative functions. |
| SI-16 | MEMORY PROTECTION | | EFT includes several measures to protect against memory corruption, as afforded by the compiler that builds the object code comprising the EFT solution. |