Red Hat Virtualization Host - Security Assessment and Authorization

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

Control    Name                                                          Status
CA-1       Security Assessment And Authorization Policy And Procedures   not applicable
CA-2       Security Assessments                                          not applicable
CA-2 (1)   Independent Assessors                                         not applicable
CA-2 (2)   Specialized Assessments
CA-2 (3)   External Organizations
CA-3       System Interconnections                                       complete
CA-3 (1)   Unclassified National Security System Connections
CA-3 (2)   Classified National Security System Connections
CA-3 (3)   Unclassified Non-National Security System Connections
CA-3 (4)   Connections To Public Networks
CA-3 (5)   Restrictions On External System Connections
CA-4       Security Certification
CA-5       Plan Of Action And Milestones                                 not applicable
CA-5 (1)   Automation Support For Accuracy / Currency
CA-6       Security Authorization                                        not applicable
CA-7       Continuous Monitoring                                         not applicable
CA-7 (1)   Independent Assessment
CA-7 (2)   Types Of Assessments
CA-7 (3)   Trend Analyses
CA-8       Penetration Testing
CA-8 (1)   Independent Penetration Agent Or Team
CA-8 (2)   Red Team Exercises
CA-9       Internal System Connections                                   complete
CA-9 (1)   Security Compliance Checks



CA-1: Security Assessment And Authorization Policy And Procedures

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
   1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
   2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

CA-1 Control Response Information
Implementation Status:

not applicable

CA-1: What is the solution and how is it implemented?
CA-1(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

CA-1(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




CA-2: Security Assessments

The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
   1. Security controls and control enhancements under assessment;
   2. Assessment procedures to be used to determine security control effectiveness; and
   3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].

CA-2 Control Response Information
Implementation Status:

not applicable

CA-2: What is the solution and how is it implemented?
CA-2(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

CA-2(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

CA-2(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

CA-2(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




CA-2 (1): Independent Assessors

“The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.”

CA-2 (1) Control Response Information
Implementation Status:

not applicable

CA-2 (1): What is the solution and how is it implemented?

This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).




CA-2 (2): Specialized Assessments

“The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].”

CA-2 (2) Control Response Information
Implementation Status:
CA-2 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-2 (3): External Organizations

“The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].”

CA-2 (3) Control Response Information
Implementation Status:
CA-2 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-3: System Interconnections

The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].

CA-3 Control Response Information
Implementation Status:

complete

CA-3: What is the solution and how is it implemented?
CA-3(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

CA-3(b):

‘Red Hat Enterprise Linux hosts and Red Hat Virtualization Hosts (RHVH) require a number of ports to be opened to allow network traffic through the system firewall. The firewall rules are automatically configured by default when adding a new host to the Manager, overwriting any pre-existing firewall configuration.

Documentation on RHVH interconnections is available in the Red Hat Virtualization Installation Guide at:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/’

CA-3(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




CA-3 (1): Unclassified National Security System Connections

“The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].”

CA-3 (1) Control Response Information
Implementation Status:
CA-3 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-3 (2): Classified National Security System Connections

“The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device].”

CA-3 (2) Control Response Information
Implementation Status:
CA-3 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-3 (3): Unclassified Non-National Security System Connections

“The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].”

CA-3 (3) Control Response Information
Implementation Status:
CA-3 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-3 (4): Connections To Public Networks

“The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network.”

CA-3 (4) Control Response Information
Implementation Status:
CA-3 (4): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-3 (5): Restrictions On External System Connections

“The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.”

CA-3 (5) Control Response Information
Implementation Status:
CA-3 (5): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-4: Security Certification

“[Withdrawn: Incorporated into CA-2].”

CA-4 Control Response Information
Implementation Status:
CA-4: What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-5: Plan Of Action And Milestones

The organization:
a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

CA-5 Control Response Information
Implementation Status:

not applicable

CA-5: What is the solution and how is it implemented?
CA-5(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

CA-5(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




CA-5 (1): Automation Support For Accuracy / Currency

“The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.”

CA-5 (1) Control Response Information
Implementation Status:
CA-5 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-6: Security Authorization

The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].

CA-6 Control Response Information
Implementation Status:

not applicable

CA-6: What is the solution and how is it implemented?
CA-6(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

CA-6(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

CA-6(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




CA-7: Continuous Monitoring

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

CA-7 Control Response Information
Implementation Status:

not applicable

CA-7: What is the solution and how is it implemented?
CA-7(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

CA-7(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

CA-7(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

CA-7(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

CA-7(e):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

CA-7(f):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

CA-7(g):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




CA-7 (1): Independent Assessment

“The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.”

CA-7 (1) Control Response Information
Implementation Status:
CA-7 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-7 (2): Types Of Assessments

“[Withdrawn: Incorporated into CA-2].”

CA-7 (2) Control Response Information
Implementation Status:
CA-7 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-7 (3): Trend Analyses

“The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.”

CA-7 (3) Control Response Information
Implementation Status:
CA-7 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-8: Penetration Testing

“The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].”

CA-8 Control Response Information
Implementation Status:
CA-8: What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-8 (1): Independent Penetration Agent Or Team

“The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.”

CA-8 (1) Control Response Information
Implementation Status:
CA-8 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-8 (2): Red Team Exercises

“The organization employs [Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with [Assignment: organization-defined rules of engagement].”

CA-8 (2) Control Response Information
Implementation Status:
CA-8 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CA-9: Internal System Connections

The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

CA-9 Control Response Information
Implementation Status:

complete

CA-9: What is the solution and how is it implemented?
CA-9(a):

‘Red Hat Enterprise Linux hosts and Red Hat Virtualization Hosts (RHVH) require a number of ports to be opened to allow network traffic through the system firewall. The firewall rules are automatically configured by default when adding a new host to the Manager, overwriting any pre-existing firewall configuration.

Documentation on RHVH interconnections is available in the Red Hat Virtualization Installation Guide at:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/’

CA-9(b):

‘Red Hat Enterprise Linux hosts and Red Hat Virtualization Hosts (RHVH) require a number of ports to be opened to allow network traffic through the system firewall. The firewall rules are automatically configured by default when adding a new host to the Manager, overwriting any pre-existing firewall configuration.

Documentation on RHVH interconnections is available in the Red Hat Virtualization Installation Guide at:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/’
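The responses to CA-3(b) and CA-9 above state that adding a host to the Manager rewrites the host firewall and overwrites any pre-existing configuration. The following is an added example, not code from this document or from Red Hat, that diffs two captured `firewall-cmd --list-all` zone dumps (one taken before and one after the host was added) to record what was opened and what pre-existing configuration was dropped, as raw material for the interface documentation these controls require. The sample captures and their port numbers are constructed for illustration and are not the actual RHV port list; the parser assumes every zone field fits on a single line.

```python
# Constructed sample captures of `firewall-cmd --list-all` taken on a host
# before and after adding it to the Manager. Service and port values are
# made up for illustration; they are NOT the real RHV port list.
BEFORE = """\
public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client ssh
  ports: 8443/tcp
  protocols:
"""

AFTER = """\
public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 9999/tcp 12345/tcp 40000-40010/tcp
  protocols:
"""


def parse_list_all(text):
    """Return {field: set(tokens)} for a single-zone dump (first line is the zone name)."""
    fields = {}
    for line in text.splitlines()[1:]:
        key, _, value = line.strip().partition(":")
        fields[key] = set(value.split())
    return fields


def diff_firewall(before, after, fields=("services", "ports")):
    """For each field, list what the rewrite added and what pre-existing entries it removed."""
    b, a = parse_list_all(before), parse_list_all(after)
    return {
        f: {
            "added": sorted(a.get(f, set()) - b.get(f, set())),
            "removed": sorted(b.get(f, set()) - a.get(f, set())),
        }
        for f in fields
    }


def interconnection_records(report):
    """One row per newly opened service/port, to be completed with the CA-3(b)/CA-9(b) details."""
    rows = []
    for f in ("services", "ports"):
        for item in report[f]["added"]:
            rows.append(f"{f[:-1]}: {item} -> interface characteristics / data description TBD")
    return rows


if __name__ == "__main__":
    rep = diff_firewall(BEFORE, AFTER)
    for f, d in rep.items():
        print(f, "added:", d["added"], "| removed (lost pre-existing config):", d["removed"])
    print("\n".join(interconnection_records(rep)))
```

The "removed" lists are the ones to review before the host goes into service: anything there was a local rule the Manager's rewrite discarded.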




CA-9 (1): Security Compliance Checks

“The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.”

CA-9 (1) Control Response Information
Implementation Status:
CA-9 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.