CoreOS 4.x - Security Assessment and Authorization

Control responses for NIST 800-53 rev4.

NOTE: All CoreOS content is under active development through the ComplianceAsCode Project. Do not consider this content production ready!


Requirements Traceability Matrix

Control    Name                                                          Status
CA-1       Security Assessment And Authorization Policy And Procedures   not applicable
CA-2       Security Assessments                                          not applicable
CA-2 (1)   Independent Assessors                                         not applicable
CA-2 (2)   Specialized Assessments                                       not applicable
CA-2 (3)   External Organizations                                        not evaluated
CA-3       System Interconnections                                       not applicable
CA-3 (1)   Unclassified National Security System Connections             not applicable
CA-3 (2)   Classified National Security System Connections               not applicable
CA-3 (3)   Unclassified Non-National Security System Connections         not applicable
CA-3 (4)   Connections To Public Networks                                not applicable
CA-3 (5)   Restrictions On External System Connections                   planned
CA-4       Security Certification                                        not applicable
CA-5       Plan Of Action And Milestones                                 planned
CA-5 (1)   Automation Support For Accuracy / Currency                    not applicable
CA-6       Security Authorization                                        not applicable
CA-7       Continuous Monitoring                                         planned
CA-7 (1)   Independent Assessment                                        not applicable
CA-7 (2)   Types Of Assessments                                          not applicable
CA-7 (3)   Trend Analyses                                                not applicable
CA-8       Penetration Testing                                           not applicable
CA-8 (1)   Independent Penetration Agent Or Team                         not applicable
CA-8 (2)   Red Team Exercises                                            not applicable
CA-9       Internal System Connections                                   planned
CA-9 (1)   Security Compliance Checks                                    planned




CA-1: Security Assessment And Authorization Policy And Procedures

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

CA-1 Control Response Information
Implementation Status:

not applicable

CA-1: What is the solution and how is it implemented?

Establishing organizational security assessment and authorization policy and procedures is outside the scope of CoreOS configuration guidance.




CA-2: Security Assessments

The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].

CA-2 Control Response Information
Implementation Status:

not applicable

CA-2: What is the solution and how is it implemented?

Development of an organizational security assessment plan is outside the scope of CoreOS configuration guidance.

As a supplemental comment, the NIST National Checklist for CoreOS is recommended as the source of configuration guidance for US Government deployments. NIST National Checklists applicable to Red Hat technologies can be found on nist.gov:

https://nvd.nist.gov/ncp/repository?authority=Red+Hat&startIndex=0

The NIST National Checklist for CoreOS provides SCAP-formatted automation content which can be used to satisfy CA-2(b), and is interoperable with any NIST SCAP Validated Product and Module.

Additionally, SCAP scanners generate a compliance report (XCCDF results, and typically an HTML report) which can be used to satisfy CA-2(c). Note that the scanner output documents the state of the configuration checks it ran; it is evidence for the assessment report, not the assessment report itself, which must still be produced and delivered under CA-2(c) and CA-2(d).
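The following is an added example and not part of the CoreOS content or the ComplianceAsCode project. It shows how the XCCDF results file written by an SCAP scanner (for OpenSCAP, `oscap xccdf eval --profile <profile-id> --results results.xml --report report.html <datastream>`) can be reduced to the pass/fail evidence an assessor needs for CA-2(c): a count of results by outcome, a compliance score over the scored rules, and the list of failed rules that would seed the plan of action and milestones. The rule identifiers, profile and host in the sample results document are constructed for illustration; only the XCCDF 1.2 namespace and element names are real.

```python
"""Summarize an XCCDF 1.2 results document into assessment evidence.

Added example, not project code. Assumes XCCDF 1.2 (the format oscap writes
with --results); the SAMPLE_RESULTS document below is constructed, and its
rule ids are hypothetical.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Only pass/fail count toward the score. XCCDF also defines error, unknown,
# notapplicable, notchecked, notselected, informational and fixed, which say
# nothing about whether the control is met and so are reported but not scored.
SCORED = {"pass", "fail"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample: what a small oscap results file looks like after a scan.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_SAMPLE">
  <TestResult id="xccdf_org.example_testresult_sample"
              start-time="2020-01-01T00:00:00" end-time="2020-01-01T00:05:00">
    <profile idref="xccdf_org.example_profile_moderate"/>
    <target>host-1.example.invalid</target>
    <rule-result idref="xccdf_org.example_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_firewalld_enabled" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_audit_rules" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_selinux_enforcing" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_banner" severity="low">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xml_text):
    """Return one dict (rule id, severity, result) per <rule-result>."""
    root = ET.fromstring(xml_text)
    rows = []
    # Search at any depth so the same code works on a bare Benchmark or on a
    # results document where TestResult is nested deeper.
    for rr in root.iterfind(".//xccdf:rule-result", XCCDF_NS):
        result_el = rr.find("xccdf:result", XCCDF_NS)
        result = (result_el.text or "").strip() if result_el is not None else "unknown"
        rows.append({
            "rule": rr.get("idref", ""),
            "severity": rr.get("severity", "unknown"),
            "result": result or "unknown",
        })
    return rows


def summarize(rows):
    """Count of rule results by outcome, e.g. {'pass': 1, 'fail': 2, ...}."""
    return dict(Counter(r["result"] for r in rows))


def compliance_score(rows):
    """Percentage of scored (pass/fail) rules that passed; None if none scored."""
    scored = [r for r in rows if r["result"] in SCORED]
    if not scored:
        return None
    passed = sum(1 for r in scored if r["result"] == "pass")
    return round(100.0 * passed / len(scored), 1)


def failed_rules(rows):
    """Failed rules, highest severity first, then by rule id for stable output."""
    fails = [r for r in rows if r["result"] == "fail"]
    return sorted(fails, key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), r["rule"]))


def poam_entries(rows, status="Open"):
    """One candidate POA&M row per failed rule (weakness, severity, status)."""
    return [{"weakness": r["rule"], "severity": r["severity"], "status": status}
            for r in failed_rules(rows)]


if __name__ == "__main__":
    rows = parse_rule_results(SAMPLE_RESULTS)
    print("results by outcome:", summarize(rows))
    print("compliance score (pass/fail only):", compliance_score(rows))
    for entry in poam_entries(rows):
        print(f"{entry['severity']:<7} {entry['status']:<5} {entry['weakness']}")
```

Run against a real `results.xml` by replacing `SAMPLE_RESULTS` with the file contents. Keeping `notapplicable` and `notchecked` out of the score is deliberate: a profile with many unchecked rules can look fully compliant if they are silently counted as passes, which is exactly the kind of figure an independent assessor under CA-2(1) will challenge.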




CA-2 (1): Independent Assessors

“The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.”

CA-2 (1) Control Response Information
Implementation Status:

not applicable

CA-2 (1): What is the solution and how is it implemented?

Employment of independent assessors or assessment teams is outside the scope of CoreOS configuration guidance.




CA-2 (2): Specialized Assessments

“The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].”

CA-2 (2) Control Response Information
Implementation Status:

not applicable

CA-2 (2): What is the solution and how is it implemented?

Specialized security assessments are outside the scope of CoreOS configuration guidance.




CA-2 (3): External Organizations

“The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].”

CA-2 (3) Control Response Information
Implementation Status:

not evaluated

CA-2 (3): What is the solution and how is it implemented?

This control has not been evaluated in the context of CoreOS 4.x.



CA-3: System Interconnections

The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].

CA-3 Control Response Information
Implementation Status:

not applicable

CA-3: What is the solution and how is it implemented?

Establishment of organizational system interconnection agreements is outside the scope of CoreOS configuration guidance.




CA-3 (1): Unclassified National Security System Connections

“The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].”

CA-3 (1) Control Response Information
Implementation Status:

not applicable

CA-3 (1): What is the solution and how is it implemented?

This is an organizational control outside the scope of CoreOS configuration guidance.




CA-3 (2): Classified National Security System Connections

“The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device].”

CA-3 (2) Control Response Information
Implementation Status:

not applicable

CA-3 (2): What is the solution and how is it implemented?

This is an organizational control outside the scope of CoreOS configuration guidance.




CA-3 (3): Unclassified Non-National Security System Connections

“The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].”

CA-3 (3) Control Response Information
Implementation Status:

not applicable

CA-3 (3): What is the solution and how is it implemented?

This is an organizational control outside the scope of CoreOS configuration guidance.




CA-3 (4): Connections To Public Networks

“The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network.”

CA-3 (4) Control Response Information
Implementation Status:

not applicable

CA-3 (4): What is the solution and how is it implemented?

This is an organizational control outside the scope of CoreOS configuration guidance.




CA-3 (5): Restrictions On External System Connections

“The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.”

CA-3 (5) Control Response Information
Implementation Status:

planned

CA-3 (5): What is the solution and how is it implemented?

This control is applicable to CoreOS. The selected policy (typically deny-all, permit-by-exception) can be enforced on each node through host-level firewall rules, so that only explicitly authorized outbound connections to external systems are permitted.

Creation of configuration guidance is being tracked in the ComplianceAsCode backlog:

https://github.com/ComplianceAsCode/redhat/issues/729




CA-4: Security Certification

“[Withdrawn: Incorporated into CA-2].”

CA-4 Control Response Information
Implementation Status:

not applicable

CA-4: What is the solution and how is it implemented?

This control was withdrawn by NIST.




CA-5: Plan Of Action And Milestones

The organization: a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

CA-5 Control Response Information
Implementation Status:

planned

CA-5: What is the solution and how is it implemented?
CA-5(a):

Creating an information system-level Plan of Action and Milestones (POA&M) is outside the scope of CoreOS configuration processes.

However, to aid in remediating or mitigating any known weaknesses or deficiencies in CoreOS, Red Hat is planning to make public a POA&M specific to CoreOS. This is currently in progress. If you would like to monitor or collaborate in the creation of the CoreOS POA&M, the work is tracked in the following ticket:

https://github.com/ComplianceAsCode/redhat/issues/730

CA-5(b):

Organizational processes for updating and maintaining an information system-level Plan of Action and Milestones (POA&M) are outside the scope of CoreOS configuration processes.




CA-5 (1): Automation Support For Accuracy / Currency

“The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.”

CA-5 (1) Control Response Information
Implementation Status:

not applicable

CA-5 (1): What is the solution and how is it implemented?

Automated updating and maintenance of an information system-level Plan of Action and Milestones (POA&M) document are outside the scope of CoreOS configuration guidance.




CA-6: Security Authorization

The organization: a. Assigns a senior-level executive or manager as the authorizing official for the information system; b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and c. Updates the security authorization [Assignment: organization-defined frequency].

CA-6 Control Response Information
Implementation Status:

not applicable

CA-6: What is the solution and how is it implemented?

CA-6 reflects organizational processes outside the scope of CoreOS configuration guidance.




CA-7: Continuous Monitoring

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

CA-7 Control Response Information
Implementation Status:

planned

CA-7: What is the solution and how is it implemented?
CA-7(a):

Establishment of continuous monitoring metrics is outside the scope of CoreOS configuration guidance.

The CoreOS Prometheus Operator may help identify the components required to begin monitoring a Kubernetes cluster, from which organization-defined metrics can be selected. For further details, see the “Cluster Monitoring” section of the Prometheus Operator documentation:

https://coreos.com/operators/prometheus/docs/latest/user-guides/cluster-monitoring.html

CA-7(b):

Establishment of organization-defined frequencies for monitoring, and for the assessments that support that monitoring, is outside the scope of CoreOS configuration guidance.

CA-7(c):

Red Hat is developing documentation regarding ongoing security control assessments of CoreOS. That work can be tracked in the following ticket:

https://github.com/ComplianceAsCode/redhat/issues/732




CA-7 (1): Independent Assessment

“The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.”

CA-7 (1) Control Response Information
Implementation Status:

not applicable

CA-7 (1): What is the solution and how is it implemented?

Employment of assessors or assessment teams is outside the scope of CoreOS configuration guidance.




CA-7 (2): Types Of Assessments

“[Withdrawn: Incorporated into CA-2].”

CA-7 (2) Control Response Information
Implementation Status:

not applicable

CA-7 (2): What is the solution and how is it implemented?

This control was withdrawn by NIST.




CA-7 (3): Trend Analyses

“The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.”

CA-7 (3) Control Response Information
Implementation Status:

not applicable

CA-7 (3): What is the solution and how is it implemented?

Organizational trend analyses processes are outside the scope of CoreOS configuration guidance.




CA-8: Penetration Testing

“The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].”

CA-8 Control Response Information
Implementation Status:

not applicable

CA-8: What is the solution and how is it implemented?

Penetration testing is outside the scope of CoreOS configuration guidance.




CA-8 (1): Independent Penetration Agent Or Team

“The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.”

CA-8 (1) Control Response Information
Implementation Status: