FISMA Overview
The Federal Information Security Management Act (FISMA) of 2002 works to ensure government computer and network security by requiring specific yearly audits of information systems owned or operated by a federal agency or its affiliates. Applicable systems must follow mandatory procedures as defined by a combination of sources such as:
- Federal Information Processing Standards (FIPS)
- National Institute of Standards and Technology (NIST)
- Health Insurance Portability and Accountability Act (HIPAA)
- Office of Management and Budget (OMB)
One such source, the SP 800 series of publications developed by NIST, defines recommended computer and network security controls. NIST groups the most vital areas of security control into three main classes: technical, operational, and management. These classes are further divided into the following specific areas of control, called families.
| Identifier | Family | Class |
|---|---|---|
| AC | Access Control | Technical |
| AT | Awareness and Training | Operational |
| AU | Audit and Accountability | Technical |
| CA | Certification, Accreditation, and Security Assessments | Management |
| CM | Configuration Management | Operational |
| CP | Contingency Planning | Operational |
| IA | Identification and Authentication | Technical |
| IR | Incident Response | Operational |
| MA | Maintenance | Operational |
| MP | Media Protection | Operational |
| PE | Physical and Environmental Protection | Operational |
| PL | Planning | Management |
| PS | Personnel Security | Operational |
| RA | Risk Assessment | Management |
| SA | System and Services Acquisition | Management |
| SC | System and Communications Protection | Technical |
| SI | System and Information Integrity | Operational |
How it affects you
FISMA mandates that federally owned or operated information systems must be documented, assessed for risk, and assigned a resultant set of security procedures. Yearly audits then assess the system and its security controls, awarding accreditation if all requirements are met. An accredited system must then continue to monitor and document certain security controls in order to retain its accreditation.
Each of the above families comprises individual security controls, each represented by a unique identifier. Depending on the classification of the assets and facility involved, the level of control auditing required and/or implemented may change. For a complete list of families, their related security controls, and their identifiers, please see NIST SP 800-53 below.
The following list represents the guidelines and standards currently associated with FISMA.
- FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems
- FIPS Publication 200, Minimum Security Requirements for Federal Information and Federal Information Systems
- NIST Special Publication 800-30, Revision 1, Risk Assessment Guideline
- NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
- NIST Special Publication 800-39, NIST Risk Management Framework
- NIST Special Publication 800-53 Revision 1, Recommended Security Controls for Federal Information Systems
- NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
- NIST Special Publication 800-59, Guide for Identifying an Information System as a National Security System
- NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
How we can help
Secure Vantage builds products that can help you meet the requirements of FISMA and other government security standards using Microsoft System Center and Operations Manager. The following table summarizes specific examples of how these solutions can help you support FISMA auditing requirements.
| FISMA Security Control Family | Secure Vantage Technology Alignment |
|---|---|
| Access Control | AC-2 through AC-15, AC-17 through AC-20: Track and report on user account creation, permission changes, logon activity and general access control events across Windows systems. |
| Awareness and Training | AT-2, AT-3: Leverage embedded knowledge guidance compiled from industry experts, Microsoft security guides and specific FISMA special publication content. |
| Audit and Accountability | AU-2 through AU-11: Maintain audit trails and monitor security logs as required. Enforce accountability for IT administrators, automate control alerting and implement routine report review processes. |
| Certification, Accreditation, and Security Assessments | CA-2, CA-7: Assets can be automatically assessed and reported on for control adherence. |
| Configuration Management | CM-2 through CM-8: Track configuration changes and group policy settings, and assess system configurations against baselines. |
| Contingency Planning | CP-4, CP-9, CP-10: System Center can help ensure contingency scenarios are transitioned successfully and configured as defined in plans. |
| Identification and Authentication | IA-2 through IA-5: Track and report on authentication, communication and firewall configurations and changes. |
| Incident Response | IR-3 through IR-6: Pre-built alerting for security controls; responses can include alerts, emails, pages and remediation tasks. |
| Maintenance | MA-3 through MA-6: Monitor maintenance periods and ensure systems return to their normal state after any changes. |
| Media Protection | MP-2, MP-4: Monitor media access and storage backups. |
| Physical and Environmental Protection | PE-3, PE-14, PE-17: Physical and environmental controls can be monitored via System Center to watch for control breaches or risks to the organization. |
| Planning | PL-1, PL-4: Leverage audit reports to assist with planning and environment analysis. |
| Personnel Security | PS-4 through PS-7: Monitor personnel account administration for new hires, terminations and role changes. |
| Risk Assessment | RA-2 through RA-5: Assess control risks and monitor the environment on a routine basis. |
| System and Services Acquisition | SA-5, SA-6, SA-7, SA-10, SA-11: Monitor and assess new devices, software and the configuration of systems integrated into the environment. |
| System and Communications Protection | SC-3, SC-4, SC-7, SC-10, SC-11, SC-15: Monitor and assess the configuration of the system communications infrastructure. |
| System and Information Integrity | SI-4, SI-5, SI-6, SI-7, SI-12: Monitor, alert and report on system and software integrity controls. |
News & Events
Press Release 07/08/08: Secure Vantage Technologies and Infront Consulting join forces to offer free training and education series for the Audit Collection Service
Press Release 05/21/2008: Secure Vantage Technologies partners to create a Security Management Partner Solutions bundle for System Center customers