© 2020 The MITRE Corporation. All rights reserved. |1| InSpec Profiles* and HDF** include NIST SP 800 -53 Security Control associations DRAFT March 2020 * built within the saf.mitre.org ** Heimdall Data Format |2||2| Background –InSpec Profile Development Tool Chain Validation Profiles System(s) Under Evaluation InSpec Engine Master Nodes (3) Ingest Nodes (X) Data Nodes -Hot (X) Data Nodes -Warm (X) Validation Results Vendor Security Checklist DISA STIG CIS Benchmarks Automated Conversion Human Code Completion/Refinement Implementation Guides Inspec_tools https://inspec - tools.mitre.org/ Security Testing Content Development https://github.com/ mitre/ (*baseline) Security Validation as Code Execution Data Mapping and Visualization Tools https://heimdall - tools.mitre.org/ https://github.com/ mitre /heimdallhttps:// Heimdall - lite.mitre.org CCE, CVE, Least Functionality Tests CWE Tests Static & Dynamic Code Analysishttps://github.com/ mitre/vulcan 2“HDF”, the Heimdall Data Format Includes NIST SP 800 -53 associations for each test!|3| Background: The Heimdall Data Format (HDF) Originally based on the InSpec JSON results reporter format, we have extended and standardized it as the means of recording and transporting (i.e., via Splunk) security data from any source: InSpec profiles, SonarQube, Fortify, OWASP ZAP, etc. HDF JSON File Schema: https://github.com/mitre/inspecjs/blob/ master/schemas/exec -json.json HDF Splunk Schema: https://github.com/mitre/hdf -json -to- splunk#control -event -structure We are currently extending Heimdall_tools to convert output from Burp Suite Pro, Nessus, Nikto, Sneak, NetSparker, etc. to HDF.|4| Use Case 1 of 3: DISA STIG to InSpec Profile (with NIST SP 800 -53) DISA STIG|5| DISA STIG Source https://public.cyber.mil/stigs/ DISA STIG|6| Example DISA STIG https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating -systems%2Cunix -linux |7| One of 200+ requirements in the DISA RHEL7 STIG: This V -71935 is the unique ID for this requirement/test! DISA STIG authors associate each requirement/test to a CCI ( STIG in XML form found in the ZIP download file: U_Red_Hat_Enterprise_Linux_7_STIG_V1R4_Manual -xccdf.xml )|8| CCIs are DISA’s Control Correlation Identifiers https://public.cyber.mil/stigs/cci/|9| Each CCI maps to one or more NIST SP 800 -53 Controls CCI-000205 is associated with… …IA-5 (1) NIST SP 800 -53 Security Control (Enhancement) ( CCI list in XML form found in the ZIP download file: U_CCI_List.xml )|10| |10| MITRE’s InSpec_tools Generates the STIG InSpec Profile Structure Validation Profiles DISA STIGAutomated Conversion Inspec_tools https://inspec -tools.mitre.org/10 Validation Profile Structure with Associated NIST SP 800 -53 Security Controls! Human Code Completion/RefinementU_Red_Hat_Enterprise_Linux_7 _STIG_V1R4_Manual -xccdf.xml (with CCI associations)DISA’s U_CCI_List.xml (map of CCIs to NIST)https://dl.dod.cyber.mil/wp -content/uploads/stigs/zip/u_cci_list.zip https://github.com/mitre/ inspec_tools /blob/master/lib/data/U_CCI_List.xml