Integrating Vulnerability Assessments with Security Control Compliance
Abstract
Information technology providers must implement security controls to protect client and partner data, as well as comply with government security requirements. The preparation of security compliance documentation is a slow process due to the manual effort involved. We present SSP Manager, a framework that streamlines compliance and supports the building and maintenance of System Security Plans. The tool integrates vulnerability assessment, program analysis, and control monitoring by i) implementing a security control prioritization strategy that outputs NIST SP 800-53 controls to mitigate MITRE ATT&CK techniques, ii) incorporating reachability analysis of Python dependencies to filter out false positives from vulnerability scan results, and iii) providing compliance monitoring of functionality based on Chef's InSpec testing framework and the Open Policy Agent policy engine. Test reports are generated in a machine-readable format for easy integration into automated compliance pipelines. Our work bridges the gap between vulnerability assessment and security compliance. Moreover, it reduces the manual overhead in security workflows.
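The reachability filter described in item ii) can be illustrated with a small, self-contained example. This is an added example written for this page, not SSP Manager's own code: it parses application source with Python's `ast` module, collects which imported packages and attributes the code actually references, and keeps only scan findings whose vulnerable symbol is referenced. The findings, package names and symbols are constructed placeholders, not real advisories; a production filter would additionally need a full call graph across transitive dependencies, which this direct-reference heuristic does not attempt.

```python
import ast

# Constructed sample findings, as a dependency scanner might report them:
# each names the package and the affected symbol. Placeholders, not real advisories.
SAMPLE_FINDINGS = [
    {"id": "FINDING-1", "package": "yaml", "symbol": "load"},
    {"id": "FINDING-2", "package": "yaml", "symbol": "dump"},
    {"id": "FINDING-3", "package": "requests", "symbol": "get"},
]

# Constructed sample application code: imports yaml but only calls safe_load,
# and reaches requests.get through an alias.
SAMPLE_SOURCE = """
import yaml
import requests as rq

def parse(cfg):
    return yaml.safe_load(cfg)

def fetch(url):
    return rq.get(url, timeout=5)
"""


def referenced_symbols(source: str) -> set:
    """Return the set of 'package.symbol' names the source directly references."""
    tree = ast.parse(source)
    alias_to_pkg = {}   # local name (possibly an alias) -> top-level package
    refs = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                alias_to_pkg[a.asname or a.name] = a.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom) and node.module:
            # 'from pkg import sym' references pkg.sym directly
            pkg = node.module.split(".")[0]
            for a in node.names:
                refs.add(f"{pkg}.{a.name}")
    for node in ast.walk(tree):
        # attribute access on an imported name, e.g. yaml.safe_load or rq.get
        if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            pkg = alias_to_pkg.get(node.value.id)
            if pkg:
                refs.add(f"{pkg}.{node.attr}")
    return refs


def filter_reachable(findings: list, source: str) -> list:
    """Keep only findings whose affected symbol is referenced by the source."""
    refs = referenced_symbols(source)
    return [f for f in findings if f"{f['package']}.{f['symbol']}" in refs]
```

Run on the constructed inputs, only FINDING-3 survives: the code never calls `yaml.load` or `yaml.dump`, so those findings are filtered as unreachable from this application.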