Security Management Software for Government Agencies

NIST Validated and SCAP Enabled
Most security breaches and attacks occur at the endpoint. Endpoints that are not up-to-date with the most current patches and configurations are vulnerable, and unmanaged removable media and applications can easily open the floodgates for data to escape into the wrong hands. The threat of data exposure and network instability or disruption comes from outside the agency walls as well as from within.
While many government agencies have established endpoint security policies, they do not have the right security management software to enforce them. Many users continue to run software that is either unauthorized or is without the latest patches, remove data from agency networks and download infected or inappropriate files, which can expose vulnerabilities that enable the theft or loss of critical information. Recent security violations have sparked legislative requirements and standards-based protocols around security controls and data protection that impact both Civilian and DOD agencies.
Lumension Security’s Vulnerability Management Solution has been validated by NIST as conforming to the Security Content Automation Protocol (SCAP) and its component standards.
Civilian Solutions: Comply with Endpoint Security Mandates and Protocols
- Federal Information Security Management Act (FISMA) Compliance - primary legislation governing the management of federal information security.
- Office of Management and Budget (OMB) M06-16 Mandate - requires agencies to establish safeguards for sensitive data on laptops and desktops.
- Federal Desktop Core Configuration (FDCC) - security configuration standards developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS) that are mandated by OMB M07-11.
- Security Content Automation Protocol (SCAP) - repository of security content used for automating technical control compliance activities, vulnerability checking of both application misconfigurations and software flaws, and security measurement.
DOD Solutions: Comply with Endpoint Security Mandates and Protocols
- Director of Central Intelligence Directive (DCID) 6/3 - establishes the security policy and procedures for storing, processing, and communicating classified intelligence information in information systems.
- Information Assurance Vulnerability Alerts (IAVA) - security bulletins for application software or operating system vulnerabilities, issued by JTF-GNO, which alert on "High-Risk/Threat" vulnerabilities.
Security Management Software That Secures Critical Information at the Endpoint
By automatically identifying and remediating security and operational vulnerabilities and enforcing application and device use policies at the endpoint, Lumension’s security management software enables government organizations to reduce the risk of network instability and protect the confidentiality and integrity of sensitive data. Lumension solutions include:
- PatchLink Update™ - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
- PatchLink Scan™ - Complete network-based scanning solution enables assessment and analysis of threats impacting all network devices.
- PatchLink Security Configuration Management™ - Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
- PatchLink Developers Kit™ - Create custom remediation packages to address configuration issues, remove unauthorized files and applications, address Zero-day threats, patch custom software and more.
- PatchLink Enterprise Reporting™ - Robust data warehouse that enables easy creation and sharing of reports on all aspects of your remediation efforts in support of policy compliance.
- Sanctuary® Application Control - Policy-based enforcement of application use to secure your endpoints from malware, spyware and unwanted or unlicensed software.
- Sanctuary® Device Control - Policy-based enforcement of removable device use to control the flow of inbound and outbound data from your endpoints.
Lumension Security Management Software Helps Government Bodies to:
- Comply with requirements for safeguarding the integrity and availability of sensitive data and IT assets
- Remove the risk of classified data being improperly disclosed
- Prove compliance with DCID 6/3 and OMB M06-16 by providing a detailed audit trail of all device and application execution attempts, by tracking data that is copied to and from removable devices and by controlling what data is allowed to be copied to a device at the file level
- Patch and remediate vulnerabilities before they can be exploited to access sensitive data
- Control and monitor the flow of inbound and outbound data with removable media and devices
- Identify organizational security holes in the protection of information through comprehensive auditing capabilities
- Comply with security configuration requirements as outlined by the FDCC and mandated by OMB M07-11
- Map technical controls to policies through the import of SCAP documents
- Identify non-compliant security configurations through comprehensive network and agent-based scanning capabilities
- Enforce and maintain required security configurations through rapid remediation of non-compliant machines
- Prove compliance with OMB M07-11 by providing high level and detailed reports of enterprise endpoint configurations
- Meet strict international requirements posed by the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme for IT Security (CCEVS)
- Prevent malware execution originating at an endpoint
- Protect against network security breaches where agency data could be exposed to fraud
- Enable the transmission, integrity, confidentiality and retention of sensitive data without disruption, corruption or loss
- Improve IT system performance
- Prevent unwanted applications and devices from burdening network bandwidth
- Enable faster computing resources on networks, laptops and PCs
- Maintain PCs’ performance as new with configurations remaining stable
- Reduce endpoint security TCO
- Minimize crisis response for security incidents or DCID 6/3, OMB M06-16 and OMB M07-11 compliance issues
- Remediate vulnerabilities more quickly and with fewer required resources
- Improve end user productivity
- Block unwanted, non-business desktop applications
- Enforce policy to ensure endpoints run as expected
- Enforce software license compliance within the agency
Lumension Security Government Contracts
GWAC contracts include:
- GSA
- NASA
- SEWP IV
- ECS III

DCID 6/3 Compliance
The Director of Central Intelligence Directive (DCID) 6/3 establishes the security policy and procedures for storing, processing, and communicating classified intelligence information in information systems - http://www.fas.org/irp/offdocs/dcid-6-3-manual.pdf. To achieve compliance with DCID 6/3, agencies must ensure that information is safeguarded at all times and that appropriate security measures are in place to ensure the confidentiality, integrity and availability of that information.
Lumension’s Endpoint Security and Vulnerability Management Solutions Enable Agencies to Comply with DCID 6/3
Lumension’s Endpoint Security and Vulnerability Management Solutions ensure that agency information is secured in compliance with DCID 6/3 requirements.
Lumension’s solutions ensure the confidentiality and integrity of agency data by:
- Enforcing granular application and removable device usage policies
- Enforcing encryption when data is copied to removable media
- Providing detailed auditing information including the flow of data read from or written to a removable device and all application and device access attempts, including administrator actions
- Discovering all enterprise IT assets and vulnerabilities and providing actionable information
- Remediating vulnerabilities to ensure that system and data exposure is minimized
- Enterprise-wide reporting of all patch and remediation activities to ensure that desired security postures are maintained
Lumension solutions include:
Endpoint Security Solutions:
- Sanctuary® Application Control - Policy-based enforcement of application use to secure your endpoints from malware, spyware and unwanted or unlicensed software.
- Sanctuary® Device Control - Policy-based enforcement of removable device use to control the flow of inbound and outbound data from your endpoints.
Vulnerability Management Solutions:
- PatchLink Scan™ - Complete network-based scanning solution enables assessment and analysis of threats impacting all network devices.
- PatchLink Update™ - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
Through vulnerability assessment, remediation and endpoint control, Lumension Security solutions complement an organization's DCID 6/3 compliance strategy by implementing the proper safeguards around the confidentiality, integrity and availability of intelligence information:
| DCID 6/3 Requirements | How Lumension Solutions Address DCID 6/3 Requirements |
| Intelligence information shall be appropriately safeguarded at all times, including when used in information systems, which shall be protected. Safeguards shall be applied such that: | Lumension's Endpoint Security and Vulnerability Management solutions ensure that intelligence information is appropriately safeguarded: Lumension's Endpoint Security Solutions: Lumension's Vulnerability Management Solutions: |
| Appropriate security measures shall be implemented to ensure the confidentiality, integrity, and availability of that information. The mix of security safeguards selected for systems that process intelligence information shall ensure that the system meets the policy requirements set forth in this policy and its implementation manual. | Lumension's Endpoint Security and Vulnerability Management solutions ensure the confidentiality, integrity and availability of intelligence information: Lumension's Endpoint Security Solutions: Lumension's Vulnerability Management Solutions: |
FISMA Compliance
The National Institute of Standards and Technology (NIST) Special Publication 800-53 provides recommended security controls for federal information systems and is used to determine the baseline security controls for a system. Federal IT systems must adhere to these security guidelines to comply with FISMA.
Lumension’s Endpoint Security and Vulnerability Management Solutions Enable Agencies to Comply with FISMA
Lumension Security's Common Criteria Certified EAL2+ Endpoint Security and Vulnerability Management Solutions have been helping agencies meet the challenges of FISMA compliance for years. These solutions include:
- PatchLink Security Configuration Management™ - Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
- PatchLink Scan™ - Complete network-based scanning solution enables assessment and analysis of threats impacting all network devices.
- PatchLink Update™ - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
- Sanctuary® Application Control - Policy-based enforcement of application use to secure your endpoints from malware, spyware and unwanted or unlicensed software.
- Sanctuary® Device Control - Policy-based enforcement of removable device use to control the flow of inbound and outbound data from your endpoints.
Lumension Security’s Endpoint Security and Vulnerability Management Solutions were designed with FISMA compliance in mind, providing:
- Complete asset and vulnerability discovery
- Thorough risk assessment & prioritization
- Enforcement of security configurations
- Robust vulnerability remediation
- Accurate verification of security posture
- Policy-based removable device control
- Detailed audit trail of all data read from or written to removable devices
- Actionable reports to show policy compliance
Lumension Security policy-based solutions were designed to enforce and maintain desired security postures across complex and heterogeneous government IT environments and to show compliance with FISMA security control standards. One of the largest federal government agencies employs Lumension solutions to achieve FISMA compliance on over 250,000 enterprise devices.
IAVA Compliance
Lumension Security has been serving the Department of Defense for many years, helping the U.S. Army achieve IAVA compliance across its network. Through this long-standing relationship, Lumension Security provides the most robust coverage in the industry, with granular detail for all types of IAVAs, including:
- DOD IAVAs
- AFCERT IAVAs
- NAVCIRT IAVAs
- ACERT IAVAs
- IAVAs for each branch of the military
Lumension's team of security engineers is engaged with DOD entities such as the JTF-GNO and the AKO to provide extensive and up-to-date information on IAVAs, which is included in every Lumension Security Vulnerability Management Solution release.
Lumension Security Vulnerability Management Solution, which includes award-winning products such as PatchLink Update and PatchLink Scan:
- Enables the DOD to rapidly and accurately identify and remediate IAVAs
- Offers numerous ways to categorize the IAVA database to quickly identify the specific information required
- Cross-references IAVAs to industry-standard tracking mechanisms such as MS number or CVE number
- Supports all major platforms including Windows, Unix, Linux, Mac and POSIX
The graphic below highlights examples of DOD IAVAs tracked by the Lumension Security Vulnerability Management Solution.

OMB M-06-16 Compliance
Office of Management and Budget M-06-16 Mandate requires agencies to establish safeguards for sensitive agency data on laptops and workstations - http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf. To achieve compliance with the M-06-16 Mandate, agencies must enforce security measures that safeguard the integrity and availability of sensitive agency information at the endpoint.
Lumension’s Sanctuary Helps Agencies Comply with M-06-16 for Endpoint Security
Lumension’s Sanctuary Device Control ensures confidentiality and integrity of agency data on laptops and workstations by enforcing encryption when copied to removable media and by controlling what devices are used by whom and on what machines. Sanctuary helps agencies prove M-06-16 compliance through bi-directional Shadowing capabilities which detail what information has been transferred to and from a workstation to removable media. With Sanctuary, only authorized users can copy data onto encrypted removable media with complete auditing of that action.
By employing a whitelist approach, Sanctuary is uniquely capable of enforcing application and device usage and control policies, which enables only authorized applications and devices to run or connect to a network, server, terminal services server, laptop, thin client or desktop – facilitating security and systems management, while providing necessary flexibility to the agency to easily enable the use of new/upgraded applications or devices.
Through policy-based control at the endpoints to monitor and control the inbound and outbound flow of sensitive agency information, Sanctuary complements organizations’ M-06-16 compliance strategy by implementing the proper internal safeguards around application and removable device use:
| M-06-16 Requirements | How Sanctuary Addresses M-06-16 Requirements |
| Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive. | Sanctuary secures sensitive agency data by encrypting data that is moved onto a removable device. |
| Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required. | Sanctuary provides comprehensive audit logs that detail what data has been moved onto a specific device and by which user. |
FDCC compliance
The Federal Desktop Core Configuration, developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS), provides a set of security configuration standards to which all federal agencies must adhere, as mandated by the Office of Management and Budget.
Lumension Security enables agencies to comply with FDCC standards by providing a Security Content Automation Protocol (SCAP) Validated FDCC Scanner that assesses, standardizes and reports against required configurations. Lumension's SCAP validation can be viewed at http://nvd.nist.gov/scapproducts.cfm#scapproducts.
Securing Endpoint Configurations and Enabling FDCC Compliance
Lumension Security’s Vulnerability Management Solution ensures that agency endpoint configurations are compliant with the standards outlined in the FDCC. Through import of SCAP policy templates, network and agent-based scanning, policy enforcement and enterprise reporting, Lumension’s Vulnerability Management Solutions automatically check the security properties of network devices and effectively map security configuration controls to these enterprise endpoints to enforce proper configurations and report against FDCC requirements to prove compliance.
Lumension Security’s Vulnerability Management Solution includes:
- PatchLink Security Configuration Management™ - Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
- PatchLink Scan™ - Complete network-based scanning solution enables assessment and analysis of threats impacting all network devices.
- PatchLink Update™ - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
By delivering a comprehensive vulnerability management solution that includes an SCAP Validated FDCC Scanner, Lumension Security enables federal agencies to:
- Manage Policy – Define, edit and import/export security configuration policies from SCAP documents
- Assess Policy – Assess and apply appropriate policies to applicable systems in a flexible manner
- Enforce Policy – Enforce and maintain required security configurations by automating the remediation process of non-compliant machines
- Report Policy Compliance – Report on policy compliance with required security configurations, including high level and detailed views of the enterprise endpoint configurations, such as total percent of compliant vs. non-compliant machines, detailed information on individual devices and many more
Security Content Automation Protocol (SCAP)
Sponsored by the National Institute of Standards and Technology (NIST), SCAP is a repository of security content used for automating technical control compliance activities, vulnerability checking of both application misconfigurations and software flaws, and security measurement. The primary output from SCAP is a set of security checklists in a standard Extensible Markup Language (XML) format that agencies (and vendors) can use via automated commercial products to help build, operate, measure and maintain secure systems according to official government security recommendations. Each security checklist contains instructions for configuring information technology products for an operational environment or for verifying that an information technology product is already securely configured.
SCAP Validated FDCC Scanner Ensures Compliant Agency Configurations
Lumension Security’s Vulnerability Management Solution automates the management of security configurations via the import/export of SCAP checklists, discovery of assets and vulnerabilities, defining of policies, enforcing those policies and reporting compliance effectiveness against the standards set forth by NIST and used by the US Department of Defense, National Security Agency and other departments. Lumension Security’s Vulnerability Management Solution includes:
- PatchLink Security Configuration Management™ - Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
- PatchLink Scan™ - Complete network-based scanning solution enables assessment and analysis of threats impacting all network devices.
- PatchLink Update™ - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
SCAP Standards include OVAL, CVE, CPE, CVSS, CWE, CCE, CRF and XCCDF
Lumension Security’s SCAP Validated and award-winning product portfolio has been declared or certified compliant in the following areas:
- Open Vulnerability and Assessment Language (OVAL)
  - Lumension solutions compatible with OVAL since October 2006
  - Lumension is one of only three companies listed on the Official OVAL Compatible Products page to have five or more tested compatibilities
- Common Vulnerabilities and Exposures (CVE)
- Common Platform Enumeration (2.0) (CPE)
- Common Vulnerability Scoring System (2.0) (CVSS), including support for temporal and environmental scores
- Common Weakness Enumeration (CWE), used as a filtering mechanism for CVE
- Common Configuration Enumeration (CCE), used in XCCDF and in remediation packages
- Common Result Format (CRF); Lumension is actively involved in defining this new initiative, and encouraged it by proposing a Service Oriented Architecture for CVEs in December 2006
- Extensible Configuration Checklist Description Format (XCCDF)
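The SCAP checklist and result documents described above are XCCDF XML, and the compliance reporting listed under FDCC (percent compliant vs. non-compliant, per-rule detail) is derived from them. As an added example, not Lumension code, the script below parses a constructed XCCDF 1.1 TestResult for one endpoint, pulls the CCE identifier attached to each rule result, and computes the pass ratio and the list of failing CCEs; the host name, rule ids and CCE ids are placeholders.

```python
"""Summarize endpoint configuration compliance from an XCCDF 1.1 TestResult.

Added example, not part of the original page or Lumension's products.
The sample document is constructed; rule ids and CCE ids are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"   # XCCDF 1.1 namespace
CCE_SYSTEM = "http://cce.mitre.org"                 # ident/@system used for CCE ids
NS = {"x": XCCDF_NS}

# Constructed sample: one endpoint scanned against a configuration checklist.
SAMPLE_RESULT = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="constructed-desktop-benchmark">
  <TestResult id="result-host-001" start-time="2008-01-01T00:00:00" end-time="2008-01-01T00:05:00">
    <target>host-001.example.gov</target>
    <rule-result idref="rule-password-min-length" time="2008-01-01T00:01:00">
      <result>pass</result><ident system="{CCE_SYSTEM}">CCE-PLACEHOLDER-1</ident>
    </rule-result>
    <rule-result idref="rule-autorun-disabled" time="2008-01-01T00:02:00">
      <result>fail</result><ident system="{CCE_SYSTEM}">CCE-PLACEHOLDER-2</ident>
    </rule-result>
    <rule-result idref="rule-guest-account-disabled" time="2008-01-01T00:03:00">
      <result>fail</result><ident system="{CCE_SYSTEM}">CCE-PLACEHOLDER-3</ident>
    </rule-result>
    <rule-result idref="rule-ipv6-firewall" time="2008-01-01T00:04:00">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="rule-screen-lock" time="2008-01-01T00:05:00">
      <result>pass</result><ident system="{CCE_SYSTEM}">CCE-PLACEHOLDER-4</ident>
    </rule-result>
  </TestResult>
</Benchmark>
"""

SCORED = {"pass", "fail"}   # only these result values count toward the ratio


def parse_test_result(xml_text):
    """Return (target, [(rule_id, result, cce_or_None), ...]) for the first TestResult."""
    root = ET.fromstring(xml_text)
    tr = root.find("x:TestResult", NS)
    if tr is None:
        raise ValueError("document contains no TestResult element")
    target = tr.findtext("x:target", default="", namespaces=NS)
    rows = []
    for rr in tr.findall("x:rule-result", NS):
        result = rr.findtext("x:result", default="unknown", namespaces=NS)
        cce = None
        for ident in rr.findall("x:ident", NS):   # keep only the CCE identifier
            if ident.get("system") == CCE_SYSTEM:
                cce = ident.text
        rows.append((rr.get("idref"), result, cce))
    return target, rows


def summarize(rows):
    """Count results, compute percent compliant (pass / (pass + fail)), list failing CCEs."""
    counts = Counter(result for _, result, _ in rows)
    scored = sum(counts[k] for k in SCORED)
    pct = round(100.0 * counts["pass"] / scored, 1) if scored else 0.0
    failing = sorted(cce for _, result, cce in rows if result == "fail" and cce)
    return {"counts": dict(counts), "percent_compliant": pct, "failing_cces": failing}


if __name__ == "__main__":
    host, rule_rows = parse_test_result(SAMPLE_RESULT)
    print(host, summarize(rule_rows))
```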
Leader in Development of SCAP Standards
Lumension Security is a leader in the development of standards including proposing a format for SCAP Remediation in August 2006 and a database pattern for all (current and future) SCAP documents, results and reports.
- OVAL Remediation, a future Common Remediation Language (CRL), presented at OVAL Developer Days in the summer of 2006
- Use the link at the bottom of this page to download the SCAP Database Model Proposal made in September 2007, a future Common Database (CDB)
Government Testing Credentials
Along with being Common Criteria EAL 2+ Certified, Lumension Security’s solution is Section 508 compliant, CVE compatible and has a current Authorization To Operate (ATO) on many federal government agency networks.
Certified and Approved, Supporting a Wide Range of Standards
Lumension solutions have gone through substantial testing to achieve certification and approval from a long list of regulatory bodies and federal agencies:
Lumension Security’s solutions have also been tested by the top labs in the US including:
- Army Technology Integration Center
- Naval Research Labs
- Air Force CITS group
- Department of State’s Configuration Control Board
- Federal Emergency Management Agency
- National Oceanic Atmospheric Agency CERT
- National Aeronautical Space Agency ASUS Team
