Skip to content

Latest commit

 

History

History
209 lines (146 loc) · 7.31 KB

NIST_CONTROL_STATUS.md

File metadata and controls

209 lines (146 loc) · 7.31 KB

NIST 800-53 Control Status Reporting Guide

This guide explains the enhanced NIST 800-53 control status reporting feature of the Security Hub Compliance Analyzer, which directly retrieves and reports on control compliance status for more accurate cATO reporting.

Overview

The Security Hub Compliance Analyzer now offers two distinct approaches for NIST 800-53 reporting:

  1. Finding-based Reporting (Original): Reports based on active Security Hub findings that have failed
  2. Control Status Reporting (New): Reports based on actual control status in Security Hub

The new control status reporting provides a more comprehensive view of your NIST 800-53 compliance posture by:

  • Showing passed, failed, and not applicable controls
  • Calculating actual compliance percentages
  • Breaking down compliance by control family
  • Providing tailored cATO recommendations based on current status

How It Works

When you request a NIST 800-53 report, the analyzer:

  1. Searches for the NIST 800-53 standard in enabled Security Hub standards
  2. Retrieves all control details directly from the Security Hub API
  3. Organizes controls by family (AC, CM, IA, etc.)
  4. Calculates compliance percentages for each family and overall
  5. Generates a comprehensive report with control status visualizations

Email Report Features

The enhanced NIST 800-53 email report includes:

  • Overall Compliance Status: Shows percentage of controls passing
  • Control Family Breakdown: Table showing compliance by control family
  • Visual Progress Indicators: Visual representation of compliance status
  • cATO Readiness Assessment: Automatic assessment of current cATO phase
  • Tailored Recommendations: Action items based on current compliance status

Control Family Visualization

The report includes a detailed breakdown of compliance by NIST 800-53 control family:

  • Family Identification: Automatically detects control families like AC, CM, IA, etc.
  • Compliance Percentages: Shows what percentage of controls are passing in each family
  • Visual Indicators: Color-coded statuses (red, orange, yellow, green) for quick assessment
  • Progress Meters: Visual bars showing compliance level for each family
  • Sorting: Families are sorted with lowest compliance first to highlight areas needing attention

This visualization makes it easy to:

  1. Identify which control families are most problematic
  2. Track progress toward compliance by family
  3. Prioritize remediation efforts on specific control categories
  4. Demonstrate continuous improvement over time

cATO Implementation Phases

The report automatically determines your cATO implementation phase based on overall compliance percentage:

  1. Initial Phase (< 50% compliance)

    • Focus on establishing baseline controls
    • Emphasis on critical control families (AC, IA, SC)
    • Development of System Security Plan and POA&M
    • Setting up basic security monitoring

  2. Intermediate Phase (50-80% compliance)

    • Remediation of failed controls in priority order
    • Implementation of automated continuous monitoring
    • Evidence collection process documentation
    • Development of authorization packages

  3. Advanced Phase (> 80% compliance)

    • Complete automation of control assessments
    • Implementation of deviation detection
    • Established processes for maintaining cATO
    • Integration with agency risk management systems

The report provides tailored recommendations based on your detected phase to help guide your cATO journey.

Testing the Feature

Setting Up the Testing Environment

Before testing, you may need to set up a Python virtual environment:

# Create a new virtual environment
python3 -m venv nist_venv

# Activate the environment
source nist_venv/bin/activate

# Install dependencies
pip install -r debug_requirements.txt
pip install -e .  # Install the package in development mode

There are multiple ways to test this feature, depending on your needs:

Option 1: Using the Lambda function (Deployed Cloud Version)

If you have deployed the application to AWS:

# Set your email and AWS profile
export RECIPIENT_EMAIL="your-verified-email@example.com"
export AWS_PROFILE="your-aws-profile" # defaults to "sandbox" if not set

# Run the test script
./test_nist_direct_controls.sh

Option 2: Local Testing with Debug Output

For local testing and HTML inspection:

# First, activate the virtual environment
source nist_venv/bin/activate

# Generate the HTML report
./debug_email_output.py

# The HTML report will be saved as debug_email.html
# You can open this file in a web browser to preview it

# To send the email directly:
./send_debug_email.py --sender your-verified@email.com --recipient your-verified@email.com

Option 3: Direct Python Function Testing

For developers who want to test specific functions:

# First, activate the virtual environment
source nist_venv/bin/activate

# Run the test script for control status retrieval
./test_nist_control_functions.py --controls

# Run the test script for report generation
./test_nist_control_functions.py --report

# Run both tests
./test_nist_control_functions.py --all

Comparing the Two Approaches

Feature Finding-based Reporting Control Status Reporting
Focus Active failed findings All control statuses
Completeness Only shows problems Shows full compliance picture
cATO Accuracy Limited (based on findings) High (based on actual status)
Control Families Limited coverage Complete coverage
Compliance % Estimated Actual

Requirements and Limitations

  1. Security Hub Requirements:

    • Security Hub must be enabled in your AWS account
    • NIST 800-53 standard must be enabled
    • Controls must have had time to evaluate

  2. API Permissions:

    • AWS role requires securityhub:GetEnabledStandards and securityhub:DescribeStandardsControls permissions

  3. Limitations:

    • Control status may not be immediately available after enabling
    • Very large environments may have pagination considerations

Implementation Notes

The implementation retrieves control status directly from Security Hub using:

# Get list of enabled standards
standards_response = securityhub.get_enabled_standards()

# Find NIST 800-53 standard
for standard in standards_response.get("StandardsSubscriptions", []):
    if "nist" in standard.get("StandardsArn", "").lower() and "800-53" in standard.get("StandardsArn", ""):
        nist_standard = standard

# Get controls for the standard
controls_response = securityhub.describe_standards_controls(
    StandardsSubscriptionArn=nist_standard['StandardsSubscriptionArn']
)

Troubleshooting

If you encounter issues with the control status reporting:

  1. Verify NIST 800-53 is enabled in Security Hub
  2. Check IAM permissions for Security Hub APIs
  3. Verify that controls have had time to evaluate (can take 24+ hours initially)
  4. Run the analyzer in diagnostic mode to see detailed API responses

For detailed assistance, see our troubleshooting guide.

Future Enhancements

Planned enhancements for control status reporting include:

  1. Control-specific remediation guidance
  2. Trend analysis of control status over time
  3. Risk-based prioritization of failed controls
  4. Integration with POA&M automation tools