Compliance Solutions

Consensus Audit Guidelines (CAG)

Identify the highest-priority flaws to fix by using the CAG critical security controls to proactively collect, measure and validate the security state of your systems

What is CAG?


The Consensus Audit Guidelines (CAG) give operators of critical U.S. Federal government IT infrastructure a proactive cyber-security framework for prioritizing the security concerns that matter most. The CAG was developed by a consortium of Federal government agencies and private sector partners, including the Department of Defense, the Department of Energy, the FBI, US-CERT, the National Institute of Standards and Technology (NIST) and the SANS Institute. Because it is designed around how real-world attacks actually succeed, the CAG goes beyond the annual, compliance-driven audits and checklist-focused approach associated with the Federal Information Security Management Act (FISMA). It gives Federal agencies a way to prioritize critical IT security concerns as part of system design and day-to-day operations rather than treating security as an ad-hoc exercise on the side.

The CAG controls have been mapped to the NIST Special Publication SP 800-53 controls that underpin FISMA, and NIST has drawn on the CAG in updating SP 800-53. The CAG is also being used to inform the update of FISMA proposed in the U.S. Information and Communications Enhancement (ICE) Act. In the meantime, the consortium that developed the CAG advises adopting the CAG controls as a first step towards implementing the SP 800-53 controls required for FISMA compliance. The mapping of CAG controls to FISMA makes it possible to combine standardization efforts such as SCAP with content repositories such as the National Vulnerability Database (NVD), so that organizations can use automated tools for on-going monitoring of their infrastructure for vulnerabilities, misconfigurations and policy violations. The same baseline data helps auditors perform the additional validation required to meet annual and quarterly compliance requirements.

Using the CAG provides a simple first step towards compliance with current FISMA regulations, with the added benefit of alignment with the provisions of the ICE Act. The most important benefit of the CAG, however, is real-world-tested guidance on how to implement robust, proactive, continuous security controls. The real goal of applying the CAG is not simply regulatory compliance, but a template for making security best practices an integral part of system design and operation, so that Federal agencies can ensure their systems withstand the more frequent and more sophisticated attacks of an increasingly complex threat landscape.

Who needs the CAG?

The CAG was originally designed to meet the needs of information technology providers for Federal government agencies and departments. However, studies of cyber security threats to North American critical infrastructure found that private sector entities own, operate or interact with more than 85% of the critical infrastructure in the United States. As a result, Melissa Hathaway, who led the Obama administration's 60-day cyberspace policy review, recommended applying the same security guidelines to both public and private sector entities that use, manage or run critical infrastructure. Critical infrastructure entities outside the Federal government include organizations in Healthcare Services, Energy, Financial Services, Telecommunications and Transportation. The CAG guidelines readily supplement and enhance the security requirements these industries must already meet under regulations and standards such as FISMA, NERC CIP, PCI DSS, GLBA and HIPAA.

How Rapid7 Helps

Rapid7 provides the only unified threat management solution that helps organizations understand risk and adopt best practices to optimize their network security, Web application security and database security strategies. Rapid7 has extensive experience partnering with Federal departments and agencies, such as the U.S. Department of Energy, the United States Postal Service (USPS), the National Nuclear Security Administration (NNSA) and the National Telecommunications and Information Administration (NTIA), to help them meet their regulatory requirements. Rapid7 security solutions help thwart real-world attacks by helping organizations apply the CAG's twenty Critical Security Controls (CSC), also known as the SANS Twenty Critical Security Controls.

Rapid7 can help your organization achieve CAG compliance because:

  • NeXpose automates asset discovery and identification by scanning the entire infrastructure for networked devices, and lets administrators build and maintain an asset inventory through manual or scheduled discovery scans. NeXpose inventories every system that has an IP address on the network, including databases, desktops, laptops, servers, subnets, network equipment (routers, switches, firewalls, etc.), printers, Storage Area Networks and Voice-over-IP (VoIP) phones. (CSC-1)
  • NeXpose catalogs all software as it scans, including malicious software, using up-to-date fingerprinting techniques to identify systems, services and installed applications. NeXpose also alerts administrators automatically to any deviation from the expected inventory of assets on the network. (CSC-2)
  • NeXpose provides flexible, customizable policy scanning to detect misconfigurations, identify missing patches against mitigating control policies, and apply risk scoring to measure violations of established desktop and server configuration management policies on servers, workstations, laptops, handheld devices, Web applications and databases, including MS SQL Server, Oracle, MySQL and DB2. (CSC-3)
  • NeXpose provides scanning and reporting capabilities that meet or exceed the PCI Security Standards Council's specifications for system security scanning. NeXpose scans assets using safe scan settings and delivers detailed PCI audit reports covering all network-based vulnerabilities, in addition to performing patch verification, application-layer testing and port scanning. (CSC-4)
  • NeXpose provides customizable, prioritized risk scoring that lets you tune severity levels to your environment and produce more accurate remediation reports. (CSC-10)
  • NeXpose provides fully customizable policy scanning to monitor policy violations and misconfigurations of network ports, protocols and services. (CSC-13)

Building on Rapid7 NeXpose, our Professional Services staff can perform these additional services to meet CSC-17:

  • Rapid7 Penetration Testing Services, available through our hosted Rapid7 Managed Services offering, evaluate your security controls, perform internal and external testing, conduct social engineering, identify gaps in your security program and deliver an actionable remediation plan.
  • Rapid7 security experts determine whether security policies are actually followed in day-to-day operations and provide guidance on developing the missing control policies and procedures required to secure information systems and data against external threats.

To learn more about how NeXpose capabilities meet the requirements of the CAG, refer to the Rapid7 CAG Compliance Guide.

Contact us to find out more about how Rapid7 can help you incorporate the twenty CSCs of the CAG into your on-going, prioritized, unified security management program.


"Thanks to NeXpose, we have a better picture of our entire network. We can easily run scans on a daily basis. Identifying our risks allows us to prioritize and use our resources in the best way possible."

Michael King, CISO, City of Philadelphia