Audit and Compliance / Vanguard Configuration Manager
Source documents requiring Federal Agencies and their Outsourcers to report on compliance with the DISA STIGs for mainframes.
Vanguard Configuration Manager™ provides the fastest, most cost-effective and accurate method to verify that mainframe security configuration controls are in compliance with the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIG) developed for the Department of Defense (DoD). Organizations using Vanguard Configuration Manager can perform mainframe DISA STIG checks and report findings in just a few hours instead of the hundreds or thousands of hours it may take using standard methods.
Under the Federal Information Security Management Act (FISMA) and National Institute of Standards and Technology (NIST) standards and guidelines, all U.S. government agencies and contractors with IBM z/OS mainframe systems should test their security configuration controls to assess their accordance with the DISA STIG. Testing a mainframe system for DISA STIG compliance can be an extremely difficult and time-consuming process. With Vanguard Configuration Manager™, it’s almost easy.
Vanguard Configuration Manager™ has efficient automation capabilities and built-in comprehensive intelligence about the mainframe DISA STIG checks. Plus, it enables organizations to easily move to continuous monitoring from periodic compliance reporting.
Highlights
- Dramatically reduces costs of DISA STIG configuration testing and reporting.
- Significantly enhances mainframe security.
- Provides built-in intelligence about mainframe DISA STIG details.
- Automates testing on more than 300 mainframe DISA STIG checks.
- Produces accurate DISA STIG compliance reports in minutes.
- Enables migration to continuous monitoring.
- Easy to deploy and use.
- Reduces human error in the DISA STIG reporting process.
- Developed by security experts in the United States.
- Current release supports z/OS RACF; upcoming releases will support z/OS ACF2 and z/OS TSS.
FISMA Requirements for Information and Information Resources
- OMB FY 2010 Reporting Instructions for the Federal Act and Agency Privacy Management
NIST Standards and Guidelines
“11. Is use of National Institute of Standards and Technology (NIST) publications required?”
“Yes. For non-national security programs and information systems, agencies must follow NIST standards and guidelines. For legacy information systems, agencies are expected to be in compliance with NIST standards and guidelines within one year of the publication date unless otherwise directed by OMB. The one year compliance date for revisions to NIST publications applies only to the new and/or updated material in the publications. For information systems under development or for legacy systems undergoing significant changes, agencies are expected to be in compliance with the NIST publications immediately upon deployment of the information system.”
See OMB M-10-15
- “Technical Security. Agencies should assure that each system appropriately uses effective security products and techniques, consistent with standards and guidance from NIST.” See OMB Circular A-130, Appendix III
- The NIST standard and guidance on security configuration control checklists: “Federal agencies are required to use appropriate security configuration checklists from the National Checklist Program when available.” See NIST SP 800-70, pages ES-1 and ES-2
- Vanguard Configuration Manager scans your mainframe system and reports on configuration control compliance with the DISA-STIGs. The DISA-STIGs for Mainframes are the checklists for mainframes in the National Checklist Program. See the National Vulnerability Database National Checklist Program.
- Read about the NIST FISMA Implementation Project: http://csrc.nist.gov/groups/SMA/fisma/index.html








