BugZero aligns with the NIST Risk Management Framework at Level 3

Providing continuous compliance for the confidentiality, integrity, and availability of our customers' systems and applications

APPLICABLE NIST 800-53 CONTROLS

NIST Controls Directly Supported By BugZero

SI-2 Flaw Remediation
SI-2(2) Automated Flaw Remediation Status
SI-2(3) Time to Remediate Flaws and Benchmarks for Corrective Actions
SI-7 Software, Firmware, and Information Integrity
SI-7(1) Integrity Checks
SI-7(2) Automated Notifications of Integrity Violations
SI-7(3) Centrally Managed Integrity Tools

NIST Controls Indirectly Supported By BugZero

CM-2 Baseline Configuration
CM-2(2) Automation Support for Accuracy and Currency
CM-3 Configuration Change Control
CM-3(5) Automated Security Response
PL-9 Central Management
SI-13 Predictable Failure Prevention

FLAW REMEDIATION

BugZero Features Supporting SI-2: BugZero reads select CMDB data from ServiceNow to determine your IT inventory. Whenever a new operational defect is announced by a vendor, BugZero creates a task to track the flaw remediation.

SI-2
Flaw Remediation

Identify, report, and correct system flaws

Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation

Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates

Incorporate flaw remediation into the organizational configuration management process

SI-2(2)
Flaw Remediation | Automated Flaw Remediation Status

Determine whether system components have applicable security-relevant software and firmware updates installed, using automated mechanisms at an organization-defined frequency

SI-2(3)
Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions

Measure the time between flaw identification and flaw remediation

Establish benchmarks for taking corrective actions

SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

BugZero Features Supporting SI-7: The presence of an operational defect in your software or systems constitutes an integrity violation. BugZero is a centrally managed solution which provides for the continuous monitoring and notification of software and system integrity violations.

SI-7
Software, Firmware, and Information Integrity

Employ integrity verification tools to detect unauthorized changes to software, firmware, and information.

Take actions when unauthorized changes to the software, firmware, and information are detected.

SI-7(1)
Software, Firmware, and Information Integrity | Integrity Checks

Perform an integrity check of organization-defined software, firmware, and information at startup, during organization-defined transitional states or security-relevant events, or at an organization-defined frequency.

SI-7(2)
Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations

Employ automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.

SI-7(3)
Software, Firmware, and Information Integrity | Centrally Managed Integrity Tools

Employ centrally managed integrity verification tools.

BASELINE CONFIGURATION

BugZero Features Supporting CM-2: A baseline configuration is the state of a system that is known to be stable and free from defects. As soon as a defect is identified in a system, that system is no longer in a known good state. BugZero automates the process of maintaining a known good system configuration.

CM-2
Baseline Configuration

Develop, document, and maintain under configuration control a current baseline configuration of the system.

Review and update the baseline configuration of the system when required: at an organization-defined frequency, under organization-defined circumstances, or when system components are installed or upgraded.

CM-2(2)
Baseline Configuration | Automation Support for Accuracy and Currency

Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using organization-defined automated mechanisms.

CONFIGURATION CHANGE CONTROL

BugZero Features Supporting CM-3: BugZero integrates with ServiceNow Change Management best practices and uses Contextual Search to bring risk awareness to the Change Management process, further reducing outages. BugZero also collects critical alerts from the vendor related to misconfiguration risks.

CM-3
Configuration Change Control

Determine and document the types of changes to the system that are configuration-controlled.

Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses.

Document configuration change decisions associated with the system.

Implement approved configuration-controlled changes to the system.

Retain records of configuration-controlled changes to the system for an organization-defined time period.

Monitor and review activities associated with configuration-controlled changes to the system.

Coordinate and provide oversight for configuration change control activities at an organization-defined frequency or under organization-defined change conditions.

CM-3(5)
Configuration Change Control | Automated Security Response

Implement security responses automatically if baseline configurations are changed in an unauthorized manner.

CENTRAL MANAGEMENT

BugZero Features Supporting PL-9: BugZero adds centralized management of the operational defects in your software and systems to your ITSM and ITOM processes.

PL-9
Central Management

Centrally manage organization-defined controls and related processes.

PREDICTABLE FAILURE PREVENTION

BugZero Features Supporting SI-13: MTTF is usually associated with hardware, especially spinning hard drives. As the industry moves toward software-defined systems, BugZero re-interprets this control to apply to software reliability, providing a continuously variable MTTF measurement for every system.

When a critical defect is present in your systems, that defect will eventually cause a negative impact. It could take 100 years or it could take 100 days; there is no way to know for sure. Your system and software admins must analyze each critical defect to assign an urgency, which is ultimately a measurement of the MTTF risk. If your systems have only warning-level defects present, you have a very long MTTF. If your systems have a catastrophic defect, and your admins determine that it applies to your system configuration, you have a very short MTTF for that system.

SI-13
Predictable Failure Prevention

Determine mean time to failure (MTTF) for organization-defined system components in specific environments of operation.

Provide substitute system components and a means to exchange active and standby components in accordance with the organization-defined MTTF substitution criteria.