Jun 29, 2020 Security

Ramping up security options with new NIST 800-53 Mappings

By Arlen Baker


More than ever, organizations must balance a rapidly evolving cyber threat landscape against the need to fulfill business requirements. To that end, Wind River has NIST 800-53 Revision 4 mappings for VxWorks, Wind River Linux, and Wind River + Star Lab Titanium showing 100% coverage of the applicable controls.

These mappings are in a database format so that they can be consumed directly by our customers’ requirements management tools when showing compliance with the controls allocated to their system. Our mappings expand on our ongoing Security Technical Implementation Guide (STIG) work for both VxWorks and Wind River Linux. This ensures maximum value to our customers and minimizes disruption to the configuration of their platforms.

We took the database-formatted file from the NIST website and analyzed its 1,682 rows, resulting in the following categories of controls (these categories are not to be confused with the defined “families”).

• Controls that the organization is responsible for (Organization)

• Controls that have been withdrawn but are listed to maintain consistency across releases (Withdrawn)

• Statements that read “The organization:” (Organization Header)

• Statements that read “The information system:” (Information Header)

• Controls that are purposely broad and require a design decision by the customer (Customer Policy)

• Controls applicable to an information system for which Wind River products provide the foundation (Applicable Controls)

This can be graphically represented as follows:

Our approach to this mapping for the applicable controls is as follows:

1)     Itemize the list of the security features in our platforms

2)     Map the security feature to the applicable controls

This approach provides the finest level of granularity to the customer in showing which security features are required based on the 800-53 control.

Linux provides a unique challenge due to its sheer number of packages. Wind River Linux has over 2,200 integrated and tested packages. In an effort to simplify the compliance effort, we have grouped similar security-related packages together and mapped these package groups to the controls as listed in Table 1. This gives customers maximum flexibility in selecting the desired package to meet the control based on their system design.

Table 1. Linux Package Groups

We also provide a mapping of Wind River Linux with Star Lab’s Titanium.  This combination not only shows 100% compliance to the applicable controls, but provides for a hardened Linux Kernel, access controls, and process protections.

To access these mappings, please contact your Wind River Account Manager or contact us here.

It should be noted that the NIST 800-53 controls are going through a revision (from rev 4 to rev 5).  This revision is in final draft form and is pending release from NIST.  Wind River is tracking this revision and will be providing updates following the finalization of this release.
