What is FISMA?
FISMA is the Federal Information Security Management Act, United States legislation enacted in 2002 that recognizes the importance of information security to the economic and national security interests of the United States. FISMA requires each federal agency to develop, document, and implement an agency-wide information security program that safeguards the information and information systems supporting its operations and assets, including those provided or managed by another agency, a contractor, or another third party.
Who must be FISMA compliant?
All government agencies, government contractors, and organizations that exchange data directly with government systems must be FISMA compliant. This may include such diverse entities as data clearinghouses, state government departments, and government military subcontractors in cases where data is exchanged directly with Federal government systems.
How is FISMA compliance validated?
To ensure the adequacy and effectiveness of information system controls, FISMA requires agency program officials, chief information officers, chief information security officers, senior agency officials for privacy, and inspectors general to conduct annual reviews of the agency's information security program and report the results to the Department of Homeland Security (DHS), which oversees FISMA reporting on behalf of the Office of Management and Budget (OMB).
In this context, all departments and agencies are required to coordinate and cooperate with DHS as it carries out its cybersecurity responsibilities and activities.
The compliance review and validation process has three steps:
1. Data feeds directly from security management tools
On a monthly and quarterly basis, agencies must connect to CyberScope, the FISMA online compliance tool, and feed it data exported directly from their security management tools.
2. Government-wide benchmarking on security posture
A set of questions on the security posture of the agencies will also be asked in CyberScope. All agencies, except micro-agencies, will be required to respond to these questions in addition to the data feeds described above.
3. Agency-specific interviews
As a follow-up to the questions described above, a team of government security specialists interviews each agency individually on its security posture. These interviews focus on the specific threats each agency faces as a function of its unique mission.
NIST SP 800-53, Revision 4 (April 2013): Security and Privacy Controls for Federal Information Systems and Organizations. This publication describes in detail the security controls associated with the designated impact levels (low, moderate, high) of the organization's information systems.
Fortidm has extensive experience partnering with federal departments and agencies to help them meet their regulatory requirements. Fortidm provides end-to-end security solutions and services for government agencies and subcontractors to help them achieve FISMA compliance, organized around the security control families defined in FIPS 200 and described in detail in NIST SP 800-53 Revision 4.
In the context of FISMA, Fortidm can help agencies to:
Get a clear sense of the real risk posed by identified IT vulnerabilities and misconfigurations across the organization (Risk Assessment, the RA control family)
In addition, Fortidm can help agencies meet FISMA reporting requirements by producing CyberScope reports based on USGCB (the successor to FDCC) configuration checklists. Federal agencies and contractors must use tools that produce CyberScope-compatible output in order to submit their monthly FISMA reports. Fortidm's penetration testing services support an agency's enterprise vulnerability management program and test how well its perimeter holds up against real-world attacks.
103 Carnegie Center, Suite 300, Princeton, NJ 08540, USA
© 2017 Fortidm Technologies