Compliance Frameworks
In response to increased cyberthreats, governments are enacting mandates and legislation. For example, in the U.S., Executive Order 14028 focuses on improving the security of the software supply chain. In the European Union, the Cyber Resilience Act — published by the European Commission in September 2022 — looks to ensure hardware and software products are placed on the market with fewer vulnerabilities. Such measures not only place new requirements on government agencies, they extend broadly to the organizations these agencies do business with, including cloud service providers, software development organizations, software as a service (SaaS) providers, hardware manufacturers, and virtually any organization creating digital products and services.
The legislative and regulatory changes in the U.S. are not limited to the federal government — they’re also cascading down to state and local governments. Likewise, in addition to the E.U. regulations, nations within the union may also have their own requirements. In the United States, for example, 36 states have enacted new cybersecurity laws in the past two years, with many more in the works as the public sector looks to mitigate the risk of cyberthreats.
Adding to government regulations, industries have also begun to define their own mandates in an effort to improve security posture and minimize risk to consumers and investors. One example of this is PCI DSS in the payment card industry.
For the security teams that must implement these mandates, the challenge is in translating what are often general legislative guidelines and controls into specific policies, tools, and processes. Further, security teams are responsible for enforcing those policies in a scalable and consistent way across the enterprise. For security teams working in multinational enterprises, these challenges are compounded exponentially.
The regulatory environment impacts all aspects of cybersecurity, including traditional IT infrastructure and operational technology. In order to understand how the regulatory environment affects cloud security, you first need an understanding of which regulations apply to your particular business. The table below highlights several regulations with broad sweeping cloud security implications — and the risks that come with non-compliance. Regulations and penalties with cloud security implications.
CIS Critical Security Controls v8 (CSCv8)
Origin: On May 18, 2021 CIS published version 8 of their Critical Security Controls and they provide specific and actionable ways to protect against today's most pervasive and dangerous attacks.
Requirement: The Critical Security Controls are created for organizations of any size or sector.
| TVM Compliance Family | TSC Cross Reference |
|---|---|
| Inventory and Control of Enterprise Assets |
CSCv8|1.* |
| Inventory and Control of Software Assets | CSCv8|2.* |
| Data Protection | CSCv8|3.* |
| Secure Configuration of Enterprise Assets and Software | CSCv8|4.* |
| Account Management | CSCv8|5.* |
| Access Control Management | CSCv8|6.* |
| Continuous Vulnerability Management | CSCv8|7.* |
| Audit Log Management | CSCv8|8.* |
| Email and Web Browser Protections | CSCv8|9.* |
| Malware Defenses | CSCv8|10.* |
| Data Recovery | CSCv8|11.* |
| Network Infrastructure Management | CSCv8|12.* |
| Network Monitoring and Defense | CSCv8|13.* |
| Security Awareness and Skills Training | CSCv8|14.* |
| Service Provider Management | CSCv8|15.* |
| Application Software Security | CSCv8|16.* |
| Incident Response Management | CSCv8|17.* |
General Data Protection Regulation (GDPR)
Origin: Approved by the European Union in 2016, GDPR looks to enforce data protection guidelines for the collection and processing of personal information for anyone living in the European Union.
Requirement: Applies to any entity with a website that attracts European visitor traffic, whether that entity is actively marketing to EU residents or not. Data breaches must be reported within 72 hours.
TVM Search Pattern: Compliance Framework = GDPR
| TVM Compliance Family | TSC Cross Reference |
|---|---|
| 32 Security of processing |
GDPR|32.* |
Health Insurance Portability and Accountability Act (HIPAA)
Origin: Passed by the U.S. Congress, the intent of the HIPAA Privacy Rule is to limit the use and disclosure of electronically protected healthcare information (ePHI), such as medical records, without explicit authorization by individuals.
Requirement: The regulation applies to healthcare providers, health plans, and healthcare clearinghouses that conduct healthcare transactions electronically.
TVM Search Pattern: Compliance Framework = HIPAA
| TVM Compliance Family | TSC Cross Reference |
|---|---|
| 164.306 Security standards: General rules |
HIPAA|164.306* |
| 164.308 Administrative safeguards |
HIPAA|164.308* |
| 164.312 Technical safeguards |
HIPAA|164.312* |
ISO/IEC 27001
Origin: Many organizations, especially multinationals, have chosen to utilize ISO/IEC 27001/27002 frameworks to help them continually identify security gaps, comply with numerous compliance requirements and obtain international certification.
Requirement: The ISO 27001, a broadly recognized standard for information security management systems (ISMS). While not directly provided by ISO, organizations can obtain third-party certification of compliance with ISO 27001.
TVM Search Pattern: Compliance Framework = ISO/IEC-27001
| TVM Compliance Family | TSC Cross Reference |
|---|---|
| A 6 - Organization of information security |
ISO/IEC-27001|A.6.* |
| A 8 - Asset management |
ISO/IEC-27001| A.8.* |
| A 9 - Access control |
ISO/IEC-27001| A.9.* |
| A10 - Cryptography |
ISO/IEC-27001| A.10.* |
| A11 - Physical and environmental security |
ISO/IEC-27001| A.11.* |
| A12 - Operations security |
ISO/IEC-27001| A.12.* |
| A13 - Communications security |
ISO/IEC-27001| A.13.* |
IT Security Risk Management: A Lifecycle Approach (ITSG-33)
Origin: Released in November 2012, the ITSG-33 publication describes the roles, responsibilities, and activities that help (Government of Canada) GC departments manage IT security risks.
Requirement: The ITSG-33 was developed as a series of guidelines for security practitioners to manage information technology (IT) security risks for Government of Canada (GC) information systems.
Search Pattern: Compliance Framework =
| TVM Compliance Family | TSC Cross Reference |
|---|---|
| CONFIGURATION MANAGEMENT |
ITSG-33|CM* |
| AUDIT AND ACCOUNTABILITY |
ITSG-33|AU* |
| MEDIA PROTECTION |
ITSG-33|MP* |
| SYSTEM AND SERVICES ACQUISITION |
ITSG-33|SA* |
| MAINTENANCE |
ITSG-33|MA* |
| SECURITY ASSESSMENT AND AUTHORIZATION |
ITSG-33|CA* |
| SYSTEM AND COMMUNICATIONS PROTECTION |
ITSG-33|SC* |
| IDENTIFICATION AND AUTHENTICATION | ITSG-33|IA* |
| SYSTEM AND INFORMATION | ITSG-33|SI* |
| CONTINGENCY PLANNING (CONTINUITY PLANNING) | ITSG-33|CP* |
| RISK ASSESSMENT | ITSG-33|RA* |
| ACCESS CONTROL | ITSG-33|AC* |
| INCIDENT RESPONSE | ITSG-33|IR* |
| AWARENESS AND TRAINING | ITSG-33|AT* |
Payment Card Industry Data Security Standard (PCI DSS)
Origin: Released in December 2004, PCI DSS was an industry-led initiative created to better manage cardholder data and reduce credit card fraud. The Standard was defined by the PCI Security Standards Council (PCI SSC), which includes American Express, Visa, MasterCard, Discover, and others.
Requirement: While not a federal regulation, the industry standard is mandatory for all entities that store, process, and/or transmit cardholder data. The standard includes specific cloud computing guidelines which provide guidance on the use of cloud technologies and for maintaining controls in cloud environments.
| TVM Compliance Family | TSC Cross Reference |
|---|---|
| Build and Maintain a Secure Network and Systems |
PCI-DSSV4.0|1.* |
| Protect Account Data |
PCI-DSSV4.0|3.* |
| Maintain a Vulnerability Management Program |
PCI-DSSV4.0|5.* |
| Implement Strong Access Control Measures |
PCI-DSSV4.0|7.* |
| Regularly Monitor and Test Networks |
PCI-DSSV4.0|10* |
NIST Cyber Security Framework (CSF)
Origin: Developed by the National Institute of Standards and Technology (NIST), the NIST Cybersecurity Framework (CSF) is composed of best practice guidelines to help organizations identify, implement, and enhance their cybersecurity practices and use a common language to communicate issues to stakeholders.
Requirement: All federal government agencies and any federal contractors handling government data must be NIST-compliant. Contractors that fail to meet NIST compliance (or have a history of NIST non-compliance) risk losing future contracts.
| TVM Compliance Family | TSC Cross Reference |
|---|---|
| Protect |
CSF|PR.* |
| Respond |
CSF|RS.* |
| Recover |
CSF|RC.* |
| Detect |
CSF|DE.* |
| Identify |
CSF|ID.* |
NIST SP 800-171
Origin: NIST Special Publication 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations, defines the type of security requirements service providers are likely to be contractually obligated to.
Requirement: The U.S. Government must safeguard Controlled Unclassified Information (CUI) and Covered Defense Information. Consequently, civilian agencies and the DoD contractually obligate many nonfederal organizations that process, store, or transmit protected information to comply with NIST SP 800-171. These nonfederal service providers must monitor and assess SP 800-171 controls to obtain permission to operate and safeguard CUI on an ongoing basis.
| TVM Compliance Family | TSC Cross Reference |
|---|---|
| 3. 1 ACCESS CONTROL |
800-171|3.1.* |
| 3. 2 AWARENESS AND TRAINING |
800-171|3.2.* |
| 3. 3 AUDIT AND ACCOUNTABILITY |
800-171|3.3.* |
| 3. 4 CONFIGURATION MANAGEMENT |
800-171|3.4.* |
| 3. 5 IDENTIFICATION AND AUTHENTICATION |
800-171|3.5.* |
| 3. 6 INCIDENT RESPONSE | 800-171|3.6.* |
| 3. 7 MAINTENANCE | 800-171|3.7.* |
| 3. 8 MEDIA PROTECTION | 800-171|3.8.* |
| 3.11 RISK ASSESSMENT | 800-171|3.11.* |
| 3.12 SECURITY ASSESSMENT | 800-171|3.12.* |
| 3.13 SYSTEM AND COMMUNICATIONS PROTECTION | 800-171|3.13.* |
| 3.14 SYSTEM AND INFORMATION INTEGRITY | 800-171|3.14.* |
NIST SP 800-53r5
Origin: The NIST 800-53 provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations.
Requirement: Most U.S. federal information systems must base their security and privacy controls in NIST Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. However, compliance is not limited to the federal government. Many other organizations are required to comply with SP 800-53.
| TVM Compliance Family | TSC Cross Reference |
|---|---|
| AWARENESS AND TRAINING |
800-53|AT* |
| INCIDENT RESPONSE |
800-53|IR* |
| RISK ASSESSMENT |
800-53|RA* |
| ACCESS CONTROL |
800-53|AC* |
| IDENTIFICATION AND AUTHENTICATION |
800-53|IA* |
| SYSTEM AND COMMUNICATIONS PROTECTION | 800-53|SC* |
| CONTINGENCY PLANNING | 800-53|CP* |
| MAINTENANCE | 800-53|CA* |
| SECURITY ASSESSMENT AND AUTHORIZATION | 800-171|3.11.* |
| SYSTEM AND SERVICES ACQUISITION | 800-53|SA* |
| PLANNING | 800-53|PL* |
| CONFIGURATION MANAGEMENT | 800-53|CM* |
| AUDIT AND ACCOUNTABILITY | 800-53|AU* |
| MEDIA PROTECTION | 800-53|MP* |
| PROGRAM MANAGEMENT | 800-53|PM* |
| SYSTEM AND INFORMATION INTEGRITY | 800-53|SI* |
Fortunately, a number of federal and industry sponsored organizations have been established to help enterprise and government organizations improve their cybersecurity posture. These organizations collect best practices and define risk frameworks, as well as supporting cybersecurity controls and benchmarks.
Frameworks provide a set of processes, best practices, and specifications to help organizations assess and manage risk. They lay the foundation for effective cybersecurity programs.
Controls identify ‘what should happen’ in order to mitigate a specific category of risk. Inventory of software assets, data protection, and secure configuration are examples of control categories. Each control category has a set of safeguards outlining what steps should be taken.
Benchmarks take the concept of controls to the next level, providing prescriptive guidance on how to implement and configure specific technology, such as cloud instances, applications, and identities, in a secure way.
In Tenable Vulnerability Management, a user is able to filter their compliance data by compliance framework by using the Compliance Framework filter.
The Compliance Framework filter looks at the Reference Information section of the finding to determine which frameworks the audit check is related to.
In Tenable Security Center, a user is able to filter their compliance data by compliance framework by using the Cross References filter.
Each of the audit file types has a corresponding plugin ID; however, in Tenable Security Center, the audit file plugin ID is not used. In Security Center when you install an audit file, a new plugin higher than plugin ID 1000000 is created for each check. To retain the audit file type, there is a cross reference called “auditFile." In the Reference Information of the Vulnerability Detail List tool, you can see the auditFile value. When adding a filter for the audit file type, the XREF Type, left side of the pipe (|), is the auditFile type. To the right of the pipe (|), the XREF ID is placed. For example, “auditFile|bluecoat” would locate any audit check used to audit a Bluecoat configuration. There are currently 47 auditFile types:
It is important to note that when looking at the cross references in the Vulnerability details section, the cross reference appears to be separated using a colon (GDPR:32.1b); to search for this specific cross reference you would replace the colon with a pipe (GDPR|32.1b).