FISMA Compliance Report

The Federal Information Security Management Act (FISMA) provides a comprehensive framework that helps federal agencies implement processes and system controls that protect the security of data and information systems. FISMA is based on standards and recommendations from agencies such as the National Institute of Standards and Technology (NIST). NIST develops standards and guidelines, such as Special Publication 800-53 revision 4 (SP 800-53r4), that federal agencies use to build their FISMA compliance programs. The NIST catalog defines the minimum security controls for managing, operating, and controlling federal information systems.

The FISMA Compliance Report helps you assess where an organization stands against specific FISMA requirements. Metasploit Pro reports findings for select controls from the following families:

  • Access Control - AC-7
  • Awareness and Training - AT-2
  • Configuration Management - CM-7
  • Identification and Authentication - IA-2, IA-5, and IA-7
  • Risk Assessment - RA-5
  • System and Information Integrity - SI-2 and SI-10

The report presents compliance results by indicating a pass or fail status for each FISMA requirement. The findings should be used as an appendix to FISMA requirements testing, not as an actual audit: each check relies on a single observable proxy, such as an exploited vulnerability, a weak login, or an open cleartext service, so a pass means only that Metasploit Pro found no evidence of a violation, not that the control is implemented. For more information on each of these requirements, visit the National Vulnerability Database: http://web.nvd.nist.gov/view/800-53/Rev4.

To help you navigate through the data to find key information, the report is organized into the following sections:

  • Executive Summary
  • Detailed Findings

Executive Summary

The Executive Summary lists the pass or fail status for each FISMA requirement that Metasploit Pro tests.

Detailed Findings

The Detailed Findings section provides the technical details for each FISMA requirement that Metasploit Pro reports on and lists each host that did not meet the criteria defined for that requirement.

FISMA Requirement AC-7

FISMA Requirement AC-7 mandates an enforced limit on the number of consecutive invalid login attempts made by a user. The requirement leaves the exact limit to each organization's security policy. For the purposes of this report, however, a host fails this requirement if it accepted more than 3 failed logins within 60 seconds for a particular public (username). This rate is considered a reasonable default.

For each host that failed this requirement, this section reports the following information:

  • The IP address and name of the host on which the login attempts were made
  • The operating system running on the host
  • The public value (username), private type (password, hash, or key), private value, origin type, and origin detail for each credential that resulted in more than 3 failed logins within 60 seconds of each other
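The AC-7 rule above is a sliding-window count over failed logins. The following is an added example, not Metasploit Pro code, that applies the rule to a constructed list of login attempts using the report's own vocabulary (public, private, origin). The status strings, the treatment of the 60-second bound as inclusive, and the sample records are assumptions made for the illustration.

```ruby
require 'time'

# Report rule (this page): a host fails AC-7 when one public (username)
# accumulates more than FAILURE_THRESHOLD failed logins inside WINDOW_SECONDS.
FAILURE_THRESHOLD = 3
WINDOW_SECONDS    = 60

# One login attempt, using the report's credential vocabulary:
# public = username, private = password/hash/key, status = login result.
# Status strings are illustrative (assumption); anything other than
# 'Successful' is counted as a failed attempt.
Attempt = Struct.new(:host, :public, :private, :status, :at, keyword_init: true)

# Returns { [host, public] => [attempts in the first offending window] } for
# every (host, public) pair that violates the rule. Uses a sliding window over
# the failures sorted by time: failure i and failure i - FAILURE_THRESHOLD
# bracket FAILURE_THRESHOLD + 1 failures, so if they lie within the window the
# host fails. The window bound is treated as inclusive (assumption).
def ac7_failures(attempts)
  results = {}
  failed = attempts.reject { |a| a.status == 'Successful' }
  failed.group_by { |a| [a.host, a.public] }.each do |key, list|
    sorted = list.sort_by(&:at)
    (FAILURE_THRESHOLD...sorted.size).each do |i|
      first = sorted[i - FAILURE_THRESHOLD]
      last  = sorted[i]
      next unless last.at - first.at <= WINDOW_SECONDS
      results[key] = sorted[(i - FAILURE_THRESHOLD)..i]
      break
    end
  end
  results
end

# One line per failing (host, public), in the shape the Detailed Findings use.
def ac7_report(attempts)
  ac7_failures(attempts).map do |(host, public), window|
    "#{host}: public=#{public} had #{window.size} failed logins between " \
      "#{window.first.at.utc.iso8601} and #{window.last.at.utc.iso8601}"
  end
end

# Constructed sample data (not Metasploit Pro output).
SAMPLE_ATTEMPTS = [
  # 'admin' on 10.0.0.5: 4 failures in 45 seconds -> fails AC-7
  ['10.0.0.5', 'admin', 'Password1', 'Incorrect',  '2014-06-01T10:00:00Z'],
  ['10.0.0.5', 'admin', 'Password2', 'Incorrect',  '2014-06-01T10:00:15Z'],
  ['10.0.0.5', 'admin', 'Password3', 'Incorrect',  '2014-06-01T10:00:30Z'],
  ['10.0.0.5', 'admin', 'Password4', 'Incorrect',  '2014-06-01T10:00:45Z'],
  # 'root' on 10.0.0.5: the first four failures span 110 s, but the last four
  # span 30 s, so the sliding window catches them -> fails AC-7
  ['10.0.0.5', 'root',  'toor',      'Incorrect',  '2014-06-01T11:00:00Z'],
  ['10.0.0.5', 'root',  'root',      'Incorrect',  '2014-06-01T11:01:30Z'],
  ['10.0.0.5', 'root',  'password',  'Incorrect',  '2014-06-01T11:01:40Z'],
  ['10.0.0.5', 'root',  '123456',    'Incorrect',  '2014-06-01T11:01:50Z'],
  ['10.0.0.5', 'root',  'letmein',   'Incorrect',  '2014-06-01T11:02:00Z'],
  # 'guest' on 10.0.0.9: 4 failures spread over 3 minutes -> passes
  ['10.0.0.9', 'guest', 'guest',     'Incorrect',  '2014-06-01T12:00:00Z'],
  ['10.0.0.9', 'guest', '',          'Incorrect',  '2014-06-01T12:01:00Z'],
  ['10.0.0.9', 'guest', 'Guest1',    'Incorrect',  '2014-06-01T12:02:00Z'],
  ['10.0.0.9', 'guest', 'welcome',   'Incorrect',  '2014-06-01T12:03:00Z'],
  # 'sa' on 10.0.0.9: exactly 3 failures then a success -> passes
  ['10.0.0.9', 'sa',    '',          'Incorrect',  '2014-06-01T13:00:00Z'],
  ['10.0.0.9', 'sa',    'sa',        'Incorrect',  '2014-06-01T13:00:05Z'],
  ['10.0.0.9', 'sa',    'sql',       'Incorrect',  '2014-06-01T13:00:10Z'],
  ['10.0.0.9', 'sa',    'S3cret!',   'Successful', '2014-06-01T13:00:20Z'],
].map { |h, u, p, s, t| Attempt.new(host: h, public: u, private: p, status: s, at: Time.parse(t)) }

puts ac7_report(SAMPLE_ATTEMPTS) if __FILE__ == $PROGRAM_NAME
```

The 'root' case is the reason for the sliding window rather than a simple "first to last" comparison: a naive check over all five failures would see a 120-second spread and pass the host, even though four of the failures arrived within half a minute.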

FISMA Requirement AT-2

FISMA Requirement AT-2 mandates that security awareness training is provided to system users. The contents of the training program should be developed by the organization based on its needs and requirements. A host will fail this requirement if it has a vulnerability that was successfully exploited.

For each host that failed this requirement, this section reports the following information:

  • The IP address and name of the host
  • The operating system running on the host
  • The vulnerability that was discovered, the module that was used to exploit the vulnerability, and the timestamp for when the exploit occurred

FISMA Requirement CM-7

FISMA Requirement CM-7 (least functionality) mandates that a host provide only the capabilities it needs; for this report, that means one primary function. A host fails this requirement if it is running more than one major service, such as HTTP, HTTPS, DNS, FTP, MySQL, Postgres, DB2, or MSSQL. The one exception is a host running both HTTP and HTTPS: because the two are usually exposed together to support a single application, they are allowed to run on the same host.

For each host that failed this requirement, this section reports the following information:

  • The IP address and name of the host
  • The operating system running on the host
  • The major services running on the host

FISMA Requirement IA-2

FISMA Requirement IA-2 mandates that the host uniquely identifies and authenticates users. A host will fail this requirement if it allowed a valid login using a common username, such as user, root, administrator, admin, tomcat, cisco, manager, sa, postgres, or guest. A host will also fail this requirement if a blank password was used to successfully authenticate to a service.

For each host that failed this requirement, this section reports the following information:

  • The IP address and name of the host on which the login was made
  • The operating system running on the host
  • The public value, private type, private value, origin type, and origin detail for the credentials used

FISMA Requirement IA-5

FISMA Requirement IA-5 mandates that system authenticators, such as passwords and tokens, are properly created, distributed, and managed. This requirement ensures that systems are not deployed with default credentials and that minimum password requirements are enforced. A host will fail this requirement if it allowed a valid login using a common username, such as user, root, administrator, admin, tomcat, cisco, manager, sa, postgres, or guest. A host will also fail this requirement if a blank password was used to successfully authenticate to a service.

For each host that failed this requirement, this section reports the following information:

  • The IP address and name of the host on which the login was made
  • The operating system running on the host
  • The public value, private type, private value, origin type, and origin detail for the credentials used
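IA-2 and IA-5 use the same pair of tests (common username, blank password) over successful logins, and the report's "Mask discovered credentials" option determines how the private value is shown. The following is an added example, not Metasploit Pro code, that applies both tests to a constructed list of successful logins and produces the masked or unmasked finding rows. The private types, origin types, case-insensitive username match, and sample records are assumptions made for the illustration.

```ruby
# Report rule (this page) for IA-2 and IA-5: a successful login fails both
# requirements when its public is a common username or its private is a
# blank password.
COMMON_USERNAMES = %w[user root administrator admin tomcat cisco manager sa postgres guest].freeze

# A successful login, described with the report's credential fields.
# Private and origin types are illustrative (assumption).
Login = Struct.new(:host, :os, :service, :public, :private_type, :private,
                   :origin_type, :origin_detail, keyword_init: true)

# Reasons a login violates IA-2 / IA-5; an empty array means it passes.
# Username comparison is case-insensitive (assumption), so 'Administrator'
# matches. Only a private of type 'password' can be blank: an empty hash or
# key field is treated as unknown rather than as a blank password.
def ia_findings(login)
  reasons = []
  reasons << :common_username if COMMON_USERNAMES.include?(login.public.to_s.downcase)
  reasons << :blank_password  if login.private_type == 'password' && login.private.to_s.strip.empty?
  reasons
end

# The "Mask discovered credentials" report option: every private value,
# whether plaintext password, hash, or key, is replaced with *BLANK*.
def display_private(login, mask:)
  mask ? '*BLANK*' : login.private
end

# Detailed Findings rows for IA-2 / IA-5: one hash per failing login.
def ia_report(logins, mask: true)
  logins.each_with_object([]) do |l, rows|
    reasons = ia_findings(l)
    next if reasons.empty?
    rows << { host: l.host, os: l.os, service: l.service, public: l.public,
              private_type: l.private_type, private: display_private(l, mask: mask),
              origin_type: l.origin_type, origin_detail: l.origin_detail,
              reasons: reasons }
  end
end

# Constructed sample logins (not Metasploit Pro output); the hash value is
# a made-up LM:NT pair for illustration only.
SAMPLE_LOGINS = [
  Login.new(host: '10.0.0.5',  os: 'Linux',        service: 'ssh',   public: 'root',
            private_type: 'password',  private: 'toor',
            origin_type: 'service', origin_detail: 'ssh_login'),
  Login.new(host: '10.0.0.9',  os: 'Windows 2008', service: 'mssql', public: 'sa',
            private_type: 'password',  private: '',
            origin_type: 'service', origin_detail: 'mssql_login'),
  Login.new(host: '10.0.0.9',  os: 'Windows 2008', service: 'smb',   public: 'Administrator',
            private_type: 'ntlm hash', private: 'aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c',
            origin_type: 'session', origin_detail: 'hashdump'),
  Login.new(host: '10.0.0.12', os: 'Linux',        service: 'ftp',   public: 'backup',
            private_type: 'password',  private: '',
            origin_type: 'service', origin_detail: 'ftp_login'),
  Login.new(host: '10.0.0.12', os: 'Linux',        service: 'ssh',   public: 'jsmith',
            private_type: 'password',  private: 'correct horse battery staple',
            origin_type: 'import',  origin_detail: 'creds.csv'),
]

if __FILE__ == $PROGRAM_NAME
  ia_report(SAMPLE_LOGINS).each { |row| puts row.inspect }
end
```

Note that the 'sa' login trips both tests at once, and that the NTLM hash row is reported for its username but masked like any other private value, which is why the masked report is safe to hand to an auditor while the unmasked one is not.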

FISMA Requirement IA-7

FISMA Requirement IA-7 mandates that authentication mechanisms use acceptable cryptographic methods. A host will fail this requirement if any of the following services, which ordinarily carry credentials in cleartext, is open: telnet, shell, rexec, rlogin, or POP3. A host will also fail this requirement if it is a Cisco device that has an open HTTP service, since its web management interface then accepts credentials over an unencrypted channel.

For each host that failed this requirement, this section reports the following information:

  • The IP address and name of the host
  • The operating system running on the host
  • The major services running on the host
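The CM-7 and IA-7 checks above are both rules over a host's open services, so a single added example (not Metasploit Pro code) covers both: it applies the CM-7 major-service rule with the HTTP/HTTPS exception and the IA-7 cleartext-service and Cisco-HTTP rules to a constructed host inventory. The service names, the use of the fingerprinted OS string to recognise a Cisco device, and the sample hosts are assumptions made for the illustration.

```ruby
# Report rules (this page): CM-7 fails a host running more than one major
# service, except that HTTP and HTTPS together are allowed; IA-7 fails a host
# with an open telnet, shell, rexec, rlogin or POP3 service, or a Cisco device
# with an open HTTP service.
MAJOR_SERVICES          = %w[http https dns ftp mysql postgres db2 mssql].freeze
CLEARTEXT_AUTH_SERVICES = %w[telnet shell rexec rlogin pop3].freeze

Host    = Struct.new(:address, :name, :os, :services, keyword_init: true)
Service = Struct.new(:port, :proto, :name, :state, keyword_init: true)

def open_services(host)
  host.services.select { |s| s.state == 'open' }
end

# CM-7: returns the offending major service names, or nil if the host passes.
# Duplicate instances (HTTP on 80 and 8080) count once, and HTTP + HTTPS are
# folded into a single 'web' function before counting.
def cm7_violation(host)
  majors    = open_services(host).map(&:name).select { |n| MAJOR_SERVICES.include?(n) }.uniq
  functions = majors.map { |n| %w[http https].include?(n) ? 'web' : n }.uniq
  functions.size > 1 ? majors : nil
end

# IA-7: returns "name/port" for each flagged service, or nil if the host passes.
# The Cisco test matches on the fingerprinted OS string (assumption about how
# the device is identified).
def ia7_violation(host)
  open    = open_services(host)
  flagged = open.select { |s| CLEARTEXT_AUTH_SERVICES.include?(s.name) }
  flagged += open.select { |s| s.name == 'http' } if host.os.to_s.downcase.include?('cisco')
  flagged.empty? ? nil : flagged.map { |s| "#{s.name}/#{s.port}" }
end

# Detailed Findings view: only hosts that fail at least one of the two checks.
def service_report(hosts)
  hosts.each_with_object({}) do |h, out|
    findings = { cm7: cm7_violation(h), ia7: ia7_violation(h) }.compact
    out[h.address] = findings unless findings.empty?
  end
end

def svc(port, name, proto: 'tcp', state: 'open')
  Service.new(port: port, proto: proto, name: name, state: state)
end

# Constructed inventory (not Metasploit Pro output).
SAMPLE_HOSTS = [
  # web server: HTTP and HTTPS together are the allowed exception -> passes both
  Host.new(address: '10.0.0.10', name: 'web01', os: 'Linux',
           services: [svc(22, 'ssh'), svc(80, 'http'), svc(443, 'https'), svc(8080, 'http')]),
  # database host running two database engines -> fails CM-7
  Host.new(address: '10.0.0.20', name: 'db01', os: 'Linux',
           services: [svc(22, 'ssh'), svc(3306, 'mysql'), svc(5432, 'postgres')]),
  # legacy host: one major service (FTP), but telnet and POP3 are open -> fails IA-7
  Host.new(address: '10.0.0.30', name: 'legacy01', os: 'Solaris',
           services: [svc(21, 'ftp'), svc(23, 'telnet'), svc(110, 'pop3'), svc(25, 'smtp', state: 'filtered')]),
  # Cisco router with HTTP management and telnet open -> fails IA-7 on both
  Host.new(address: '10.0.0.1', name: 'rtr01', os: 'Cisco IOS',
           services: [svc(80, 'http'), svc(23, 'telnet')]),
]

if __FILE__ == $PROGRAM_NAME
  service_report(SAMPLE_HOSTS).each { |addr, f| puts "#{addr}: #{f.inspect}" }
end
```

Two points worth noticing: SSH on the database host does not count against CM-7 because it is not in the report's list of major services, and the filtered SMTP port on the legacy host is ignored because only open services are considered.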

FISMA Requirement RA-5

FISMA Requirement RA-5 mandates that vulnerability scans are performed regularly. A host will fail this requirement if it has a vulnerability that was successfully exploited.

For each host that failed this requirement, this section reports the following information:

  • The IP address and name of the host
  • The operating system running on the host
  • The vulnerability that was discovered, the module that was used to exploit the vulnerability, and the timestamp for when the exploit occurred

FISMA Requirement SI-2

FISMA Requirement SI-2 (flaw remediation) mandates that security flaws in information systems are identified, reported, and corrected, and that the latest vendor security patches are applied to all known vulnerabilities. A host will fail this requirement if it has a vulnerability that was successfully exploited.

For each host that failed this requirement, this section reports the following information:

  • The IP address and name of the host
  • The operating system running on the host
  • The vulnerability that was discovered, the module that was used to exploit the vulnerability, and the timestamp for when the exploit occurred

FISMA Requirement SI-10

FISMA Requirement SI-10 mandates that the syntax and semantics of information system inputs match the specified definitions for format and content. A host will fail this requirement if it has a vulnerability that was successfully exploited.

For each host that failed this requirement, this section reports the following information:

  • The IP address and name of the host
  • The operating system running on the host
  • The vulnerability that was discovered, the module that was used to exploit the vulnerability, and the timestamp for when the exploit occurred

FISMA Compliance Report Options

  Setting          Options
  Output formats   PDF, HTML, WORD, RTF
  Report options   Mask discovered credentials - Masks all credentials, including plain text passwords, hashes, and SSH keys, in the report. The FISMA Compliance Report replaces each masked value with *BLANK*.
  Report sections  Executive Summary, Detailed Findings