Don't Lose your ATO! Key Changes in NIST 800-53r5 and the Importance of Adopting a Red Team Testing Regimen

By Erik Dominguez

Introduction

As the world of cybersecurity continues to evolve, organizations are constantly updating their frameworks and guidelines to effectively manage and mitigate cyber threats. One crucial guideline is the National Institute of Standards and Technology's Special Publication 800-53 (NIST SP 800-53). The FedRAMP program adopted the NIST SP 800-53 guideline and is currently transitioning from Revision 4 to Revision 5.

In this post we will delve into the changes brought about by this adoption with a focus on why annual penetration tests alone are no longer sufficient. Now companies will need to go beyond surface level assessments and instead implement Red Team exercises as outlined in CA-8(2) of Revision 5.

A Brief Overview: NIST 800 53r4 vs NIST 800 53r5

Both Rev. 5 and Rev. 4 serve the purpose of safeguarding information systems against cyber threats. These guidelines encompass a wide range of security controls grouped into families such as Access Control and Audit and Accountability. The latest revision introduces changes to control reclassification, expanded scope, and explicit requirements for triggering tests.

Why Traditional Penetration Testing Falls Short

While traditional penetration tests play a role in identifying vulnerabilities at a point in time, pen tests have limitations. FedRAMP penetration tests typically follow a "gray box" approach to allow for testing of environments. This means that pen tests don't typically simulate real world, advanced persistent threats that may involve attacks from multiple angles, internal threats, or compromised credentials.

Red team exercises delve deeper than penetration tests by simulating “a hacker is in the network” scenarios. Through red team exercises organizations not only identify vulnerabilities but also uncover weaknesses in defensive capabilities and improve incident response measures.

CA-8(2) Requires Simulated Adversarial Behavior

CA 8(2) mandates the simulation of adversarial behavior to assess the system's resilience against sophisticated cyber threats and attacks. Such behavior includes actions like evading antivirus software exfiltrating data without detection and removing any trace of compromise. At EIT we employ the MITRE ATT&CK Framework for red team exercises. An industry standard recognized by the Federal Government. This ensures that our simulated exercises closely align with the advanced persistent threats that organizations could realistically encounter.

Physical Realm: Physical Penetration Testing

In terms of physical security controls and deterring access to facilities, CA-8(3) stresses the importance of red teaming. This involves testing physical area defenses through tactics like tailgating attempts, lock picking endeavors, or even social engineering techniques aimed at gaining remote or physical access.

The main goal is to identify weaknesses that could be exploited to gain access to assets or sensitive information. The approach taken by CA-8(2) and CA-8(3) incorporates both digital and physical aspects in the testing process, which provides a new approach to security for many organizations. This is a departure from testing methods that treated physical security as separate entities.

Dual Reporting: Red Team Report and Penetration Test Report

To ensure reporting that complies with the new Rev 5 baseline, organizations must now submit two reports; a Red Team report and a Penetration Test report. This means organizations cannot solely rely on yearly penetration testing as a means for compliance.

The Red Team report should outline simulated attack scenarios, techniques used, and the organization's ability to defend against and detect attacks. The Penetration Test report must focus on identified vulnerabilities, potential data breaches, and recommendations for actions. It is important that penetration tests include attack vectors specified in the FedRAMP penetration test guidance publication.

By mandating both reports, NIST 800-53r5 and the FedRAMP PMO ask organizations to not only identify vulnerabilities, but also evaluate their defenses against real world cyberattacks.

Adapt and Adopt or Lose your ATO

Organizations need to respond to the changes outlined in NIST 800-53r5. Failure to adapt could result in non-compliance of Rev. 5 requirements, leaving your information systems exposed to cyber threats and your products out of reach of Federal contracts. Consider these steps for adoption:

1. Expand Testing Scope: Go beyond the usual penetration testing. Include red team exercises. Remember, this is a mandated requirement.
2. Involve Independent Teams: Ensure that the teams conducting these tests are independent and possess the skills to simulate cyberattacks.
3. Review and Update Policies: Make sure your cybersecurity policies align with the new requirements.
4. Engage Leadership: Bring cybersecurity discussions into the boardroom. With increased reporting expectations leadership must actively understand reports. Guide the organizations cybersecurity strategy.

Conclusion

NIST 800-53 Revision 5 introduces a framework for securing information systems and testing the capabilities of defending these systems from attackers. It's essential for organizations to move beyond penetration testing. FedRAMP mandates red teaming to ensure resilience, compliance, and strong security amidst an evolving cyber warfare landscape.

For assistance in adapting to these guidelines reach out to EIT - your trusted partner in navigating complex cybersecurity compliance challenges.