The Consensus Audit Guidelines (CAG) provide critical U.S. Federal government infrastructures with a proactive cyber-security framework to prioritize critical IT security concerns. The goal of applying CAG is not simply to become compliant with regulations, but rather to provide a template for making security best practices an integral part of system design and operation so that Federal agencies can ensure their systems are capable of withstanding the more frequent and in-depth attacks found in an increasingly complex threat landscape. This compliance guide will provide readers with an overview of the requirements as well as suggested steps in achieving CAG compliance.
2. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
What is the CAG?
The Consensus Audit Guidelines (CAG) provide critical U.S. Federal government
infrastructures with a proactive cyber-security framework to prioritize critical IT security
concerns. The CAG was developed by a consortium of Federal government agencies and
private sector partners, including such notable members as the Department of Defense,
Department of Energy, FBI and US-CERT, National Institute of Standards and Technology
(NIST) and the SANS Institute. Designed to protect critical IT systems from real-world
attacks, the CAG goes beyond the annual compliance-driven audits and the checklist-focused approach found in the
Federal Information Security Management Act (FISMA). The CAG provides Federal agencies with tools to prioritize
critical IT security concerns as part of managing system design and operations rather than trying to manage security
as an ad-hoc exercise on the side.
The CAG has been mapped to FISMA controls, and has been leveraged by NIST to update the FISMA controls outlined
in Special Publication SP 800-53. The CAG is also being used to update FISMA as part of the new U.S. Information
and Communications Enhancement (ICE) Act. In the meantime, the consortium that developed the CAG is advising
the use of the CAG security controls as a first step towards implementing the controls outlined in NIST’s SP 800-53
guidelines for FISMA compliance. The mapping of CAG security controls to FISMA makes it possible to leverage
standardization efforts like SCAP together with repositories of content like the National Vulnerability Database
(NVD), enabling organizations to use automated tools for on-going infrastructure monitoring for vulnerabilities,
mis-configurations and policy violations. This baseline data also helps auditors to perform the additional validation
required to meet annual and quarterly compliance requirements.
Using CAG provides a simple first step towards becoming compliant with current FISMA regulations, with the added
benefit of getting aligned with the provisions in the ICE Act. However, the most important benefit provided by the
CAG is real-world tested guidance on how to implement robust, proactive, continuous security control measures. The
real goal of applying CAG is not simply to become compliant with regulations, but rather to provide a template for
making security best practices an integral part of system design and operation so that Federal agencies can ensure
their systems are capable of withstanding the more frequent and in-depth attacks found in an increasingly complex
threat landscape.
Who needs the CAG?
The CAG was originally designed to meet the needs of information technology providers for Federal government
agencies and departments. However, studies of the cyber security threats to North American critical infrastructure
revealed that private sector entities interact with more than 85% of the critical infrastructure in the United
States. As a result, President Obama’s former interim Cyber Security Czar, Melissa Hathaway, recommended
applying the same security guidelines to both public and private sector entities that utilize, manage, or run
critical infrastructures. Critical infrastructure entities outside of the Federal government include organizations
in Healthcare Services, Energy, Financial Services, Telecommunications and Transportation. CAG guidelines easily
supplement and enhance the security requirements already needed to comply with regulations in these industries,
including FISMA, NERC, PCI, GLBA and HIPAA.
How Rapid7 Helps
Rapid7 provides the only unified threat management solution to help organizations understand risk and adopt best
practices to optimize their network security, Web application security and database security strategies. Rapid7
has extensive experience partnering with Federal departments and agencies, such as the U.S. Department of
Energy, United States Postal Service (USPS), the National Nuclear Security Administration (NNSA), and the National
Telecommunications and Information Administration (NTIA), to help them meet their regulatory requirements.
Rapid7 security solutions help thwart real-world attacks by helping organizations apply the CAG’s twenty Critical
Security Controls (CSC), also known as the SANS twenty Critical Security Controls. To meet CAG compliance,
organizations must demonstrate adherence to the twenty CSCs as outlined below.
Controls suited for automation
Fifteen CSC categories are suited for automated collection, measurement and validation. Rapid7 Nexpose
proactively automates the process of monitoring, measuring, validating, and prioritizing security threats for these
CSCs as follows:
Control Rapid7 Solution
CSC-1: Inventory of Authorized and Unauthorized Devices
- Enables administrators to build and manage an asset inventory by performing either manual or scheduled discovery scans.
- Automates the task of asset discovery and identification by scanning the entire infrastructure for all networked devices.
- Assembles an inventory of every system that has an IP address on the network, including databases, desktops, laptops, servers, subnets, network equipment (routers, switches, firewalls, etc.), printers, Storage Area Networks, and Voice-over-IP (VoIP) phones.
- Enables administrators to configure asset scanning and reporting using sites and asset groups based on specific criteria such as device type, software type, operating system type, or geographic location.
- Provides fully customizable policy scanning to determine presence of unauthorized devices in accordance with policies for whitelisting authorized devices and blacklisting unauthorized devices.
- Catalogs all devices in Nexpose as it scans and automatically sends alerts to administrators about any deviations from the expected inventory of assets on the network.
CSC-2: Inventory of Authorized and Unauthorized Software
- Automates the task of asset discovery and identification by scanning and assembling an inventory of software on all networked devices in every system that has an IP address on the network anywhere in the entire infrastructure including servers, workstations and laptops.
- Provides automation in tracking types of operating systems and applications installed on each system, including versions and patch levels.
- Provides fully customizable policy scanning to establish baseline configurations to test the effectiveness of security measures, and determine presence of unauthorized software and services in accordance with policies for whitelisting authorized software and blacklisting unauthorized software.
- Catalogs all software as it scans, including any malicious software, by using the latest fingerprinting technologies to identify systems, services, and installed applications.
- Sends alerts automatically to administrators for any deviations from the expected inventory of assets on the network.
CSC-3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Provides the ability to establish baseline configurations to validate the effectiveness of security policies in both test environments and production environments against the baseline condition by checking for presence of unauthorized devices in accordance with policies for whitelisting authorized devices and blacklisting unauthorized devices.
- Provides fully customizable Nexpose scanning templates to allow for policy scanning for Windows, Oracle and IBM systems.
- Provides flexible, customizable policy scanning to detect misconfigurations, identify missing patches against mitigating control policies, and apply risk scoring to measure violations against established desktop and server configuration management policies on servers, workstations, laptops, handheld devices, multiple classes of Web applications, and database applications including MS SQL Server, Oracle, MySQL, and DB2.
- Enables administrators to validate and report on adherence to configuration policies within the asset inventory by performing either manual or scheduled policy configuration scans.
CSC-4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Provides fully customizable policy scanning to detect misconfigurations, locate unnecessary services, find default accounts, identify missing patches against mitigating control policies, and apply risk scoring to measure violations against established configuration management policies for network devices, including firewalls, routers and switches.
- Provides fully customizable Nexpose scanning templates to allow for policy scanning in order to validate Windows firewall settings.
- Provides the ability to establish baseline configurations to validate the effectiveness of security policies in both test environments and production environments against the baseline condition by checking for presence of unauthorized network device configuration in accordance with policies for firewall rules, router access control lists, and IDS/IPS detection.
CSC-5: Boundary Defense
- Provides a fully customizable policy compliance framework to set up automated monitoring of port access policies.
- Provides fully customizable risk scoring, policy auditing, and vulnerability scanning to alert you of policy violations or misconfigurations, including validation of up-to-date firewalls, and IDS/IPS system patches.
- Includes the option to use either a hosted scan engine through Rapid7’s Managed PCI Compliance Services, or your own external distributed scan engine outside your DMZ to perform external perimeter vulnerability scanning.
CSC-6: Maintenance, Monitoring, and Analysis of Security Audit Logs
- Provides a fully customizable policy compliance framework to set up automated monitoring of security audit log policies.
CSC-7: Application Software Security
- Provides the ability to perform on-going scheduled and ad-hoc scanning of Web applications for XSS and SQL injection. Enables Web form scanning using form-based authentication.
- Provides the ability to establish baseline configurations to validate the effectiveness of security policies after Web application changes in both test environments and production environments against the baseline condition by checking for security violations in Web applications, as well as in underlying database servers, including MS SQL Server, Oracle, MySQL, and DB2.
- Provides comprehensive unified vulnerability scanning of all vital systems to evaluate potential risks to operating systems, Web applications, databases, enterprise applications, and custom applications.
- Provides a fully customizable policy compliance framework to set up automated monitoring of software policy settings, including Web browser patching levels, and configuration settings for Web applications, including their underlying database servers.
- Provides fully customizable risk scoring, policy auditing, and vulnerability scanning to alert you of policy violations or misconfigurations.
CSC-8: Controlled Use of Administrative Privileges
- Provides the ability to segregate administrative privileges using role-based access control to limit vulnerability information to appropriate parties.
- Provides access to Rapid7 Risk Assessment Services to identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations (i.e. policies for maintaining least privilege, segregation of duties, and patching on databases containing private data), and provide guidance on developing missing control policies and procedures required to secure private data from external threats.
CSC-9: Controlled Access Based on Need to Know
- Provides the ability to test servers to ensure they are configured with the proper level of access control, including separation of duties for default and new accounts, and that server configurations have been locked down to the least level of privilege.
CSC-10: Continuous Vulnerability Assessment and Remediation
- Provides ad-hoc scans of newly introduced vulnerabilities so that you can immediately:
  o Scan for new vulnerabilities
  o View a report of all vulnerabilities found
  o View a record of new vulnerabilities added
- Provides the ability to define scan frequency, including the option to use randomized scanning, and high-speed parallel scanning (2-4 times faster than competitors), which enhances security by providing capacity for more frequent scans so your security team always has access to the most current data.
- Enables authenticated scanning in applications as well as in Web forms.
- Provides flexible, customizable policy scanning to detect misconfigurations, identify missing patches against mitigating controls or compensating control policies, and apply risk scoring to measure violations to establish trends against established baselines for all networked devices and software.
- Provides customizable policy scanning to establish baseline configurations, test effectiveness of security measures, and provide both executive and detailed analyst reports. The findings will include what authorized and unauthorized devices were discovered based on Nexpose templates configured to identify whitelist (authorized) and blacklist (unauthorized) devices.
- Provides customizable, prioritized risk scoring to customize severity levels for more accurate remediation reporting suited for your environment.
- Enables easy integration of vulnerability and compliance management into existing business processes and IT systems such as GRC solutions like Archer, help desk, asset management and other security solutions via pre-built integrations and Rapid7’s Nexpose API.
CSC-11: Account Monitoring and Control
- Enforces password policies through regular scheduled scanning and reporting. Uses our customized policy compliance framework to set up automated monitoring of password policies (including number of login attempts, password length, allowable special characters, etc.).
- Provides monitoring of software installation policies, and reports on illegal software installed on users’ systems.
CSC-12: Malware Defenses
- Catalogs all software as it scans, including any malicious software.
CSC-13: Limitation and Control of Network Ports, Protocols, and Services
- Provides fully customizable policy scanning to monitor policy violations or misconfigurations of network ports, protocols, and services.
CSC-14: Wireless Device Control
- Provides fully customizable policy scanning to monitor policy violations or misconfigurations of network ports, protocols, and services.
- Provides access to Rapid7 Wireless Audit Consulting Services to evaluate your wireless security controls on all wireless access points, identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure private data from unauthorized access.
CSC-15: Data Loss Prevention
- Provides a HIPAA scan template that detects PII, such as Social Security numbers, on Web pages for better patient privacy in medical institutions. To further enhance the HIPAA audit, the scan template can be configured to allow file searching, so that if Nexpose gains access to an asset’s file system in the scanning process, it can search for, and retrieve, files in that system. For example, HIPAA regulations prohibit medical offices from storing patient data on local drives, so file searching can be used to check for that.
- Provides the ability to configure custom scan templates to search for specific data patterns in Web applications that indicate the presence of PII that would lead to security violations.
- Provides automated mechanisms that increase the availability of incident response related information by providing details on potential vulnerabilities that were exploited, as well as remediation steps to prevent future exploits.
- Provides continuous logging of historical scan data for use in disaster recovery and auditing.
- Provides access to Rapid7 Risk Assessment Services to provide guidance on development of incident management and disaster recovery program best practices for protecting personal information by evaluating security controls for modification of access rights, and providing guidance on developing missing control policies.
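As an added illustration of the kind of check CSC-15 describes (example code written for this guide, not Rapid7 code and not the logic of any Nexpose template), the following Python scans a constructed HTML page for SSN-shaped tokens in its visible text, skips script and style bodies, applies the SSA structural rules to separate plausible SSNs from look-alikes, and reports redacted findings so the report does not itself become a copy of the PII.

```python
import re
from html.parser import HTMLParser

# Candidate SSN-shaped tokens: 219-09-9999, 219 09 9999 or 219099999. The
# separator, if any, must be the same in both places (backreference \2), and the
# lookarounds stop the pattern from matching inside longer digit runs such as
# ten-digit phone numbers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def is_valid_ssn(area, group, serial):
    """Structural rules for issued SSNs: area is never 000, 666 or 900-999,
    group is never 00 and serial is never 0000. Candidates failing these rules
    are almost certainly not real SSNs and can be deprioritized."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


class _VisibleText(HTMLParser):
    """Collect text a visitor would see; <script> and <style> bodies are skipped
    because numbers there are usually code, not content."""
    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def find_ssns(html):
    """Return one finding per SSN-shaped token in the page's visible text.
    Only the last four digits are kept in the report."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    text = " ".join(parser.chunks)
    findings = []
    for m in SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        findings.append({
            "offset": m.start(),
            "redacted": "***-**-" + serial,
            "valid_structure": is_valid_ssn(area, group, serial),
        })
    return findings


# Constructed sample page; every number below is made up for this example.
SAMPLE_HTML = """<html><body>
<p>Patient record: SSN 219-09-9999</p>
<p>Order ref 000-12-3456 (SSN-shaped, but area 000 is never issued)</p>
<p>Front desk: 617-247-1717</p>
<script>var build = "123-45-6789";</script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_ssns(SAMPLE_HTML):
        print(finding)
```

A scanner of this kind should report the structurally invalid hits at lower severity rather than dropping them, since the structural rules only filter impossible values, not misuse of real ones.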
Controls not directly supported by automation
Five CSC categories are not directly supported by automation. Rapid7’s Consulting Services has security experts to
assist you in measuring and validating these CSC categories as follows:
Control Rapid7 Solution
CSC-16: Secure Network Engineering
- Provides access to Rapid7 Risk Assessment Services to evaluate your security controls, identify gaps in your security program, and provide guidance on incorporating secure network engineering best practices.
CSC-17: Penetration Tests and Red Team Exercises
- Provides access to Rapid7 Penetration Testing Services to evaluate your security controls, perform internal and external testing, perform social engineering, identify gaps in your security program, and provide an actionable remediation plan.
- Provides access to Rapid7 Security Experts to determine if security policies are being followed in actual day-to-day operations, and provides guidance on developing missing control policies and procedures required to secure information systems and data from external threats.
CSC-18: Incident Response Capability
- Provides an automated end-to-end security solution to automatically document all security incidents and the subsequent effects of vulnerability remediation to establish a historical audit log record, including fully configurable automated notifications and a ticketing system for customizable case escalation, ticket creation, and notification, including the ability to integrate with third-party ticketing systems.
- Provides access to Rapid7 Security Experts to determine if security policies are being followed in actual day-to-day operations, and provides guidance on developing missing control policies and procedures required to secure information systems and data from external threats.
CSC-19: Data Recovery Capability
- Provides access to Rapid7 Risk Assessment Services to evaluate if data recovery capabilities have been adequately embedded into security controls, and identify gaps in your security program.
CSC-20: Security Skills Assessment and Appropriate Training to Fill Gaps
- Provides access to Rapid7 Risk Assessment Services to determine the need for holistic vulnerability management security training by evaluating security awareness during penetration testing and social engineering exercises, followed by recommendations for security awareness training required as part of an integrated security management program.
Contact us to find out more about how Rapid7 can help you incorporate the twenty CSCs of the CAG into your
on-going, prioritized, unified security management program.
To see how Rapid7’s IT Security Risk Management suite can benefit your organization, visit Rapid7.com.