Search

GlobalSCAPE Knowledge Base

EFT Server FISMA and FedRAMP Compliance

4 Years Ago
Karla Marsh
EFT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

EFT v7.4.x and later

DISCUSSION

Summary

Although and FISMA and FedRAMP are separate initiatives, with the former initially focused on on-premises governmental systems, and the latter focused on cloud-based deployments, they are both closely tied to NIST Special Publication (SP) 800-53A revision 4 controls. These controls can be leveraged by organizations seeking compliance with either standard, for planned or implemented software ecosystems that fall within the scope of these standards; however, because these ecosystems are largely comprised of a number of third party enterprise software applications and middleware, it is incumbent on the organization seeking compliance to ensure that the third-party software solutions being deployed will facilitate, rather than detract from, their compliance efforts.

Mapping Table

NIST SP 800-53A Security Controls

NIST 800-171

Globalscape Solution Mapping

No.

Control

CUI No.

EFT

AC-1

ACCESS CONTROL POLICY AND PROCEDURES

Customer Responsibility (CR) and/or Inherited Controls (IC)

AC-2

ACCOUNT MANAGEMENT

3.1.1,3.1.2

EFT provides a comprehensive set of built-in account management controls, including flexible authentication manager (directory) services and permissions (authorization) systems.

AC-3

ACCESS ENFORCEMENT

3.1.1,3.1.2

EFT provides numerous mechanisms for controlling and enforcing access.

AC-4

INFORMATION FLOW ENFORCEMENT

3.1.3

EFT provides a hierarchal permissions management system similar to how Active Directory permissions works.

AC-5

SEPARATION OF DUTIES

3.1.4

EFT separates (logically and functionality) administrator from end user (consumer) permissions.

AC-6

LEAST PRIVILEGE

3.1.5, 3.1.6, 3.1.7

While mainly the responsibility of the customer, EFT provides mechanisms to limit what authorized administrators can do.

AC-8

SYSTEM USE NOTIFICATION

3.1.9

as web client is fully customizable (ToS, Privacy, etc.)

AC-17

REMOTE ACCESS

3.1.1,3.1.2

EFT provides a number of access controls for securing remote administrative access.

AC-18

WIRELESS ACCESS

3.1.16

See mobile access

AC-19

ACCESS CONTROL FOR MOBILE DEVICES

3.1.18

EFT provides access controls for mobile users (not administrators) that control security on the native mobile app and within EFT (via authorization and ACLs)

AC-20

USE OF EXTERNAL INFORMATION SYSTEMS

3.1.20

CR/IC

AT-1

SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES

3.2.1-2

CR/IC

AT-2

SECURITY AWARENESS TRAINING

3.2.1, 3.2.2

CR/IC

AT-3

ROLE-BASED SECURITY TRAINING

3.2.1, 3.2.2

CR/IC

AU-1

AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES

CR/IC

AU-2

AUDIT EVENTS

3.3.1, 3.3.2,3.3.3

EFT provides a complete audit and logging trail.

AU-3

CONTENT OF AUDIT RECORDS

3.3.1, 3.3.2

EFT captures all relevant metadata around transactional (end user) and administrative events.

AU-4

AUDIT STORAGE CAPACITY

  

CR/IC

AU-5

RESPONSE TO AUDIT PROCESSING FAILURES

3.3.4

CR/IC

AU-6

AUDIT REVIEW, ANALYSIS, AND REPORTING

3.3.1, 3.3.2, 3.3.5

EFT offers a comprehensive set of reports as an optional component.

AU-8

TIME STAMPS

3.3.7

EFT audits timestamps. It is up to the customer to configure the operating system to sync with authoritative time sources.

AU-9

PROTECTION OF AUDIT INFORMATION

3.3.8, 3.3.9

CR/IC

AU-12

AUDIT GENERATION

3.3.1, 3.3.2

EFT offers all necessary controls to enable auditing, determine source of audit logs (database type), control over log level, etc.

CA-1

SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES

  

CR/IC

CA-3

SYSTEM INTERCONNECTIONS

  

Although mainly determined by customer, EFT provides a robust integration framework (Event Rules engine) that facilitates integration with 3rd party systems.

CM-1

CONFIGURATION MANAGEMENT POLICY AND PROCEDURES

  

CR/IC

CM-2

BASELINE CONFIGURATION

3.4.1, 3.4.2

CR/IC

CM-3

CONFIGURATION CHANGE CONTROL

3.4.3

CR/IC

CM-5

ACCESS RESTRICTIONS FOR CHANGE

3.1.5

EFT utilizes access controls to restrict access; however, it is the customer's responsibility to establish and documents usage restrictions, configuration/connection requirements, and implementation guidance

CM-6

CONFIGURATION SETTINGS

3.4.1, 3.4.2

CR/IC

CM-7

LEAST FUNCTIONALITY

3.4.6, 3.4.7,3.4.8

for administrators via granular admin roles with diminished privileges to end user authorization and controls.

CM-8

INFORMATION SYSTEM COMPONENT INVENTORY

3.4.1, 3.4.2

CR/IC

CM-9

CONFIGURATION MANAGEMENT PLAN

CR/IC

CM-11

USER-INSTALLED SOFTWARE

3.4.9

CR/IC

CP-1

CONTINGENCY PLANNING POLICY AND PROCEDURES

  

EFT provides the ability to configure high availability active-passive (N-1) or active-active clusters, back-up and restore configuration, and export of configuration settings for easy migration to DR site.

CP-2

CONTINGENCY PLAN

  

See CP1, but ultimately is the customer's responsibility.

CP-6

ALTERNATE STORAGE SITE

  

CR/IC

CP-7

ALTERNATE PROCESSING SITE

  

CR/IC

CP-8

TELECOMMUNICATIONS SERVICES

  

CR/IC

CP-9

INFORMATION SYSTEM BACKUP

  

CR/IC

CP-10

INFORMATION SYSTEM RECOVERY AND RECONSTITUTION

  

CR/IC

IA-1

IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES

  

CR/IC

IA-2

IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

3.5.1-4

CR/IC

IA-3

DEVICE IDENTIFICATION AND AUTHENTICATION

 No map

EFT identifies all devices that connect to it via a combination of IP address, username, password, and 2nd factor authentication if configured. EFT also provides an IP access and ban list to filter unauthorized IP addresses.

IA-4

IDENTIFIER MANAGEMENT

3.5.5,3.5.6

Yes

IA-5

AUTHENTICATOR MANAGEMENT

3.5.1-2, 3.5.7-10

Yes

IA-7

CRYPTOGRAPHIC MODULE AUTHENTICATION

  

EFT provides a wide variety of encryption methods for KEX, transmission, message/data encryption and signing, receipt signing, and encryption of data at rest. Standards include SSL/TLS, FIPS, PGP, and so on.

IA-8

IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)

  

EFT provides mechanisms for authentication and authorizing users that are not part of the organization, including self-provisioning, with full control and audit trail for administrator control.

IR-1

INCIDENT RESPONSE POLICY AND PROCEDURES

  

CR/IC

IR-4

INCIDENT HANDLING

3.6.1-2

CR/IC

IR-5

INCIDENT MONITORING

3.6.1-2

CR/IC

IR-6

INCIDENT REPORTING

3.6.1-2

CR/IC

IR-8

INCIDENT RESPONSE PLAN

  

CR/IC

MA-1

SYSTEM MAINTENANCE POLICY AND PROCEDURES

  

CR/IC

MP-1

MEDIA PROTECTION POLICY AND PROCEDURES

  

CR/IC

MP-2

MEDIA ACCESS

3.8.1-3

CR/IC

MP-4

MEDIA STORAGE

3.8.1-3

CR/IC

MP-5

MEDIA TRANSPORT

3.8.5-6

CR/IC

MP-6

MEDIA SANITIZATION

3.8.1-3

CR/IC

MP-7

MEDIA USE

3.8.7-8

CR/IC

PE-1

PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES

  

CR/IC

PE-2

PHYSICAL ACCESS AUTHORIZATIONS

3.10.1, 3.10.2

CR/IC

PE-3

PHYSICAL ACCESS CONTROL

3.10.3-5

CR/IC

PE-4

ACCESS CONTROL FOR TRANSMISSION MEDIUM

3.10.1, 3.10.2

CR/IC

PE-6

MONITORING PHYSICAL ACCESS

  

CR/IC

PE-9

POWER EQUIPMENT AND CABLING

  

CR/IC

PE-10

EMERGENCY SHUTOFF

  

CR/IC

PE-11

EMERGENCY POWER

  

CR/IC

PE-12

EMERGENCY LIGHTING

  

CR/IC

PE-13

FIRE PROTECTION

  

CR/IC

PE-14

TEMPERATURE AND HUMIDITY CONTROLS

  

CR/IC

PE-15

WATER DAMAGE PROTECTION

  

CR/IC

PL-1

SECURITY PLANNING POLICY AND PROCEDURES

  

CR/IC

PL-2

SYSTEM SECURITY PLAN

  

CR/IC

PL-8

INFORMATION SECURITY ARCHITECTURE

  

While this is a customer responsibility, EFT security features support a defense-in-depth strategy.

PS-1

PERSONNEL SECURITY POLICY AND PROCEDURES

  

CR/IC

PS-2

POSITION RISK DESIGNATION

  

CR/IC

PS-3

PERSONNEL SCREENING

  

CR/IC

PS-4

PERSONNEL TERMINATION

  

CR/IC

PS-7

THIRD-PARTY PERSONNEL SECURITY

  

CR/IC

RA-1

RISK ASSESSMENT POLICY AND PROCEDURES

  

CR/IC

RA-2

SECURITY CATEGORIZATION

  

CR/IC

RA-3

RISK ASSESSMENT

3.11.1

CR/IC

RA-5

VULNERABILITY SCANNING

3.11.2,3.11.3

CR/IC

SA-1

SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES

  

CR/IC

SA-2

ALLOCATION OF RESOURCES

  

CR/IC

SA-3

SYSTEM DEVELOPMENT LIFE CYCLE

  

While this is a customer responsibility, EFT, as part of broader system, is based on a "security by design" principle. When configured properly and used with the corresponding DMZ Gateway product, the solution can be deployed in a matter that significantly reduces attack vectors, thus complying with this directive.

SA-4

ACQUISITION PROCESS

  

CR/IC

SA-8

SECURITY ENGINEERING PRINCIPLES

  

CR/IC

SA-9

EXTERNAL INFORMATION SYSTEM SERVICES

  

Globalscape's EFT software complies with many organizational information security requirements as defined in applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

SA-10

DEVELOPER CONFIGURATION MANAGEMENT

  

Globalscape's EFT software repository is subject to formal configuration management controls for source control, including revisions, access, builds, commits, etc.

SA-11

DEVELOPER SECURITY TESTING AND EVALUATION

  

Globalscape's EFT software undergoes security testing and evaluation by nature of all new feature designs or refactors being subjected to architectural oversight committees, code peer reviews, adherence to standards such as OWASP, and post build security assessment tools such as HTBridge and Qualsys

SC-1

SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES

  

CR/IC

SC-2

APPLICATION PARTITIONING

  

While this is a customer responsibility, EFT separates admin and user functionality 

SC-4

INFORMATION IN SHARED RESOURCES

  

if configured properly, EFT's access controls prevent unauthorized information transfer. EFT also supports the ICAP protocol for integrating with 3rd party data loss prevention and classification systems, to further control information sharing.

SC-5

DENIAL OF SERVICE PROTECTION

  

EFT provides built in controls for mitigating the effects of DoS and Flood attacks.

SC-7

BOUNDARY PROTECTION

  

While this is a customer responsibility, Globalscape provides a secure smart proxy solution that can be coupled with EFT to protect the network boundary (DMZ).

SC-8

TRANSMISSION CONFIDENTIALITY AND INTEGRITY

  

EFT uses secure protocols to protect the confidentiality and integrity of transmitted information.

SC-12

CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

  

Yes

SC-13

CRYPTOGRAPHIC PROTECTION

  

Yes

SC-15

COLLABORATIVE COMPUTING DEVICES

  

CR/IC

SC-17

PUBLIC KEY INFRASTRUCTURE CERTIFICATES

  

Yes

SC-19

VOICE OVER INTERNET PROTOCOL

  

CR/IC

SC-20

SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

  

CR/IC

SC-21

SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)

  

CR/IC

SC-22

ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE

  

CR/IC

SC-23

SESSION AUTHENTICITY

  

EFT provides numerous internal controls for establishing and maintaining session authenticity and integrity, including support for various secure headers in compliance with OWASP recommended practices to mitigate against XFS, XSS, CRSS, etc.

SC-28

PROTECTION OF INFORMATION AT REST

  

Yes

SC-39

PROCESS ISOLATION

  

Yes

SI-1

SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES

  

CR/IC

SI-2

FLAW REMEDIATION

  

CR/IC

SI-3

MALICIOUS CODE PROTECTION

  

EFT includes built-in Known-Answer-Tests (KAT), and CRC checksums on application startup for valid configuration.

SI-4

INFORMATION SYSTEM MONITORING

  

CR/IC

SI-5

SECURITY ALERTS, ADVISORIES, AND DIRECTIVES

  

CR/IC

SI-7

SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

  

CR/IC

SI-10

INFORMATION INPUT VALIDATION

  

EFT provides comprehensive checks around input validation for both user and administrative functions.

SI-16

MEMORY PROTECTION

  

EFT includes several measures to protect against memory corruption as afforded by the compilation software which builds the object code that comprises the EFT solution.

Share Article

On a scale of 1-5, please rate the helpfulness of this article



Not Helpful
Very Helpful
Optionally provide additional feedback to help us improve this article...

Thank you for your feedback!


Comments require login or registration.

Details
Last Modified: 4 Years Ago
Last Modified By: kmarsh
Type: HOWTO
Rated 1 star based on 1 vote
Article has been viewed 5.6K times.
Options
Print Article
Export As PDF
Also In This Category
Tags
FEDRAMP
FISMA
NIST
Customer Support Software By InstantKB 2020 Final
Execution: 0.000. 7 queries. Compression Disabled.