Wednesday, October 10, 2012

SAPpy - Annual 800-53 CM Control Testing Selection Automated

Code: <-- With Include Files


I have been working for some time with the NIST / FISMA process and always wanted to automate selecting which controls need to be tested when you are working on a 3-year cycle but actually using the concepts of Continuous Monitoring (CM).

Way too much time is spent in the Security Assessment Plan (SAP) process on picking which controls need to be tested.
Additionally, people never seem to be sure what to select, or whether everything over the 3-year cycle has been addressed.

It's worth noting that the 3-year cycle is a dated concept, but most Federal agencies are still accrediting networks for 3 years at this point, even though, due to CM, it is now supposed to be a continuous process.

The end result is that everything in the baseline needs to be accounted for at some time in the 3-year accreditation time frame. If your accreditation is shorter, simply account for that by leaving the prior-year file blank for the year not counted in the process
(i.e. if you have a 2-year accreditation, do not fill out the 2-years-ago data in Yr1.txt).

SAPpy simplifies that, though rather crudely, by making sure every control is accounted for in the cycle and that the additional requirements are also accounted for, like major changes, POA&Ms, FIPS 200 updates, etc.

Simply fill in the associated text files with the following data:
  • Baseline.txt - All controls from NIST in the Low, Moderate or High baseline. * Do not adjust for FIPS 200 at this point *
  • req.txt - All of the controls with annual testing requirements for the system.
  • FIPS200.txt - List all of the controls tailored out of the baseline in the FIPS 200 tailoring.
  • POAM.txt - List all the controls with POA&Ms closed in the last 12 months. * This may not be necessary if you audit during POA&M closure. *
  • MajorChange.txt - List any controls that have had a major change (i.e. if you moved buildings, add in the PE controls, etc.).
  • Yr1.txt - List all of the controls tested in the SCA from 2 years ago.
  • Yr2.txt - List all of the controls tested in the SCA from 1 year ago.
Then run the following command:

java SAPpy

At this point SAPpy will take over, sort everything out, and write to STDOUT the set of controls that need to be tested this year based on the system's baseline.

Simple as that!
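To make the selection rule explicit, here is the same logic re-implemented as plain set arithmetic. This is an added example, not SAPpy's code (SAPpy is Java; this is Python), and it only assumes the seven file names listed above with one control ID per line. The control lists in SAMPLE_INPUTS are constructed for the demo, and the "unknown control" check is an addition the post does not describe, there to catch typos and controls that FIPS 200 tailored out but still appear in a prior year's file.

```python
"""Control selection as the post describes it, re-implemented as set arithmetic.

Added example, not SAPpy's own code. The file names are the ones the post
lists; the control lists in SAMPLE_INPUTS are constructed for the demo.
"""
from pathlib import Path

# The seven input files the post asks you to fill in, one control ID per line.
INPUT_FILES = ("Baseline.txt", "req.txt", "FIPS200.txt", "POAM.txt",
               "MajorChange.txt", "Yr1.txt", "Yr2.txt")


def parse_control_list(text):
    """Blank lines and '#' comments are ignored; IDs are upper-cased so that
    'ac-2' and 'AC-2' count as the same control."""
    controls = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            controls.add(line.upper())
    return controls


def load_inputs(directory):
    """Read the seven files into a {file name: set of control IDs} mapping.
    A missing file (Yr1.txt on a 2-year accreditation) is just an empty set."""
    inputs = {}
    for name in INPUT_FILES:
        path = Path(directory) / name
        inputs[name] = parse_control_list(path.read_text()) if path.exists() else set()
    return inputs


def effective_baseline(inputs):
    """The NIST baseline with the FIPS 200 tailored-out controls removed."""
    return inputs["Baseline.txt"] - inputs["FIPS200.txt"]


def select_controls(inputs):
    """Return {control ID: [reasons]} for every control to test this year.

    Rules, as the post describes them:
      1. any effective-baseline control not tested in either prior year
         (so the whole baseline is covered once per 3-year cycle);
      2. anything with an annual requirement, a POA&M closed in the last
         12 months, or a major change, provided it is still in the baseline.
    """
    effective = effective_baseline(inputs)
    tested_before = inputs["Yr1.txt"] | inputs["Yr2.txt"]
    reasons = {}

    def tag(control_ids, why):
        for cid in sorted(control_ids):
            reasons.setdefault(cid, []).append(why)

    tag(effective - tested_before, "not yet tested this cycle")
    tag(inputs["req.txt"] & effective, "annual requirement")
    tag(inputs["POAM.txt"] & effective, "closed POA&M")
    tag(inputs["MajorChange.txt"] & effective, "major change")
    return reasons


def unknown_controls(inputs):
    """IDs that appear in a supporting file but not in the effective baseline:
    usually a typo, or a control tailored out by FIPS 200 that still shows up
    in a prior year's test list. Review these before trusting the output."""
    effective = effective_baseline(inputs)
    listed = set()
    for name in INPUT_FILES:
        if name not in ("Baseline.txt", "FIPS200.txt"):
            listed |= inputs[name]
    return listed - effective


# Constructed sample data standing in for the seven text files.
SAMPLE_INPUTS = {
    "Baseline.txt": parse_control_list("AC-1\nAC-2\nAC-3\nAU-2\nCM-2\nIR-4\nPE-3\nPE-6\nSC-7"),
    "req.txt": parse_control_list("AC-2\nAU-2"),          # annual testing requirement
    "FIPS200.txt": parse_control_list("PE-6"),            # tailored out of the baseline
    "POAM.txt": parse_control_list("CM-2\nAC-20"),        # AC-20 is a deliberate typo
    "MajorChange.txt": parse_control_list("PE-3"),        # e.g. moved buildings
    "Yr1.txt": parse_control_list("AC-1\nAC-3\nIR-4"),    # tested 2 years ago
    "Yr2.txt": parse_control_list("SC-7\nPE-3\nPE-6"),    # tested 1 year ago
}

if __name__ == "__main__":
    # Mirrors SAPpy's behaviour of writing the selection to STDOUT.
    for cid, why in select_controls(SAMPLE_INPUTS).items():
        print(f"{cid}\t{', '.join(why)}")
    for cid in sorted(unknown_controls(SAMPLE_INPUTS)):
        print(f"WARNING: {cid} is listed but not in the effective baseline")
```

With the sample data the run selects AC-2, AU-2 and CM-2 (not yet covered in the cycle, and also flagged by req.txt / POAM.txt) plus PE-3 (major change), and warns about AC-20 and PE-6. To use it against real files, replace SAMPLE_INPUTS with `load_inputs("path/to/files")`; for a 2-year accreditation an absent or empty Yr1.txt simply means nothing is credited from two years ago, exactly as the post describes.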

As always, if you see issues with this code, or are seeing this process implemented with different interpretations, you may need to adjust the code.

cheers and happy testing



Replies:
  • I will work on getting something up, right now it just pushes txt to stdout