United States Congress
16 July 2019

Synack, The Only Crowdsourced Security Testing Platform to Comply with the NDAA and FISMA

Paul Mote

I started my career as an engineer at top defense contractors General Dynamics Information Technology (GDIT) and FireEye. I joined Synack because I believed in the mission of Crowdsourced Security Testing and saw its potential for keeping Americans safe. After two years of deep experience with Synack working closely with 15 government agencies and numerous government contractors, it became obvious that FISMA audit demands were increasingly weighing on federal agencies. We didn’t want agencies to have to duplicate their testing efforts just to fulfill audit requirements, so we started work to integrate FISMA into our crowdsourced security testing process. Today, I’m happy to say that Synack is the only Crowdsourced Security Testing company to fulfill FISMA audit goals and give a true, results-driven security assessment.

Defining FISMA and the National Institute of Standards and Technology (NIST) SP 800-53 Rev 4

Under the Federal Information Security Management Act (FISMA), federal agencies are responsible for their information security practices and are required to conduct annual reviews in order to reduce security risks. The National Institute of Standards and Technology (NIST) published guidelines, NIST SP 800-53 Rev 4, to help agencies achieve FISMA compliance. NIST Special Publication 800-53, Revision 4 provides a catalog of security controls and assessment procedures for federal information systems and organizations. These controls now overlap with the SOC, HIPAA, and FedRAMP compliance frameworks.

Here is what an example compliance checklist could look like for a customer looking to reach FISMA compliance. Synack can contribute NIST 800-53 guidelines on Web, Host, Cloud, Mobile and API assets.

FISMA compliance checklist

Synack is the first Crowdsourced Security Testing Company to offer FISMA Compliance

Synack has helped customers reach compliance for years as the leading provider of penetration testing in the Crowdsourced Security Testing category. Synack was the first company to bring a Crowdsourced Penetration Testing product to market, thanks to the focus given to it by co-founders Mark Kuhr and Jay Kaplan, former NSA and DoD security experts turned visionary entrepreneurs in the cybersecurity industry. Synack is also the first crowdsourced security company to be trusted with sensitive, internal assets from the Department of Defense as part of Hack the Pentagon. With the launch of LP+, Synack will become the first and only crowdsourced security platform with endpoint control. Finally, Synack is the first hacker-first powered platform to scale using Artificial Intelligence to support government customers. Building upon these “firsts”, Synack is now also the first to offer FISMA compliance.

40% of organizations do not believe that their security posture has improved following a compliance audit (State of Security and Compliance, 2019), which shows the need for organizations to go beyond the minimum, static compliance audit conducted once a year. Security needs to be effective, continuous and rigorous in order for it to be trusted.

NIST 800-53 Report

Synack’s Client Report with NIST 800-53 security controls is available via the customer portal.

Synack now offers the market’s first comprehensive Crowdsourced Penetration Test designed specifically for government, combining a bug bounty-based vulnerability discovery model with NIST 800-53 guidelines. Instead of a small internal team or a couple of contractors, you can harness some of the best talent available to improve your security posture. As part of our new NIST 800-53 offering, Synack will leverage the world’s most talented ethical hackers to run missions that provide centralized results, quantifiable metrics, pentests at scale, compliance checklists, audit-quality reports and deployment within 72 hours. All of these features will be combined in a single intelligence platform. The Security Control identifiers are broken down into their respective controls and families. Synack can now help address 6 of the 18 Security control families.

Government Policy including NDAA language promotes use of Crowdsourced Security Testing

The momentum around crowdsourced security testing is strong as the federal government heads into the last quarter of the 2019 fiscal year. Crowdsourced Security Testing has been heralded as an effective, efficient, and safe way to achieve compliance and identify vulnerabilities in the civilian and military sectors alike. NIST 800-53 is closely related to NIST SP 800-171, which is the Department of Defense’s answer to a common security standard for component agencies and contractors.

In June and July of this year respectively, the House and the Senate, in their NDAA language, encouraged Crowdsourced Security Testing (CST) to be widely adopted across the Department of Defense. The exact language reads, “Resources given to the program are insufficient to address the sheer size and scope of potential vulnerabilities. Therefore, in order to better secure the Department (of Defense) from cyberattacks and vulnerabilities, the committee encourages the Department to broaden its use of third party crowdsourced security platforms.” This follows recommendations from the DoD and the White House in the past year.

Get in touch with us!

We know civilian and military customers are looking for creative and innovative security tests that are comprehensive in both quality and compliance coverage, can be deployed quickly, and produce real results as the 2019 Government Fiscal year comes to a close. While many Crowdsourced Security Testing players may lay claim to Crowdsourced Penetration Testing, Synack is the only one that can be used for true FISMA compliance. Synack also provides increased security and controls through its recent launch of LaunchPoint+, which has made Synack the only Crowdsourced Security Testing platform with endpoint control.

Please contact Synack’s Federal Team for more information at [email protected]!