FISMA Compliance – What’s the big deal anyway?

The article below is a guest post by our US partner Information Systems Laboratories). ISL offers a wide range of services to help companies implement or improve a corporate cyber/information security program, including independent IT security evaluations, threat and vulnerability analysis and incident response plans.
ISL has entered a partnership with IS Decisions, as they recognize UserLock and FileAudit as efficient software solutions to implement FISMA/NIST compliance for 3 key NIST 800-53 control families:

• Access Control (AC)
• Identification and Authentication (IA)
• System and Information Integrity (SI)

UserLock limits concurrent logins, restricts access, monitors, alerts and reports on session activity throughout the corporate Windows network.

FileAudit monitors, archives and reports on access (or access attempts) to sensitive files and folders stored on Windows systems.

Hope you enjoy the article and I look forward to your comments,
François AMIGORENA
President & CEO

In the United States, FISMA Compliance is a matter of national security. To elevate its importance, all federal agencies are given an annual – and very publicly available – grade based on the effectiveness of their IT security programs. As a further incentive, if after failing a compliance assessment, in addition to the publication of your failing grade, your CIO may be greeted with a congressional hearing. If that is not enough, after the hearing, the Office of Management and Budget (OMB) may just cancel or delay funding of your government programs - none of which would be considered welcome news nor career-enabling.

Whether you work for a corporation or government agency, the importance of ensuring your data is safe goes without saying. In fact, the larger your corporation, the government places more importance on your data, thus moving you closer to the same requirements government agencies have.

What is FISMA?

The Federal Information Security Management Act (FISMA) was devised to assist agencies and departments of the federal government in securing their data. Chief Information Officers (CIOs), Inspectors General (IGs) and officials of government programs are required to conduct annual reviews of their information security program and report their findings to the Office of Management and Budget (OMB). The OMB then reports to Congress on each agency’s compliance. The annual report also must include an independent cyber security evaluation

What is NIST?

As an agency of the U.S. Department of Commerce, the National Institute of Standards and Technology (NIST) has developed a set of controls and guidelines supporting FISMA which Federal agencies and organizations supporting them must follow.

NIST 800-53 Control Families

The 18 control families and their 205 respective controls covered by NIST 800-53 encompass everything from physical security to information systems security to spam prevention and has been designed to work for any organization - as long as the controls are selectively chosen and implemented. For the cyber security novice, though secure, implementing all the controls to their fullest extent would not only be prohibitively expensive but would severely cripple the organization’s ability to function efficiently which is in direct conflict to the purpose of these controls. The intent is to take a calculated risk-based approach to security by implementing just the right amount of controls. Doing so not only saves money, but also helps to improve your organization’s operational efficiencies. Maximizing these benefits is where the assistance of trained Cyber Security professionals is critical. The best Cyber Security Evaluation companies are those who take the necessary time to learn your environment and processes to ensure the optimum controls are selected and adhered to.

NIST 800-53 Control Family Summaries

Below are some of the points contained within each of the control families. For a complete view into each control, we recommend ISL’s Cyber Security Search Engine.

Access Control (AC)

Control: 22 | Class: Technical

The 22 controls making up this family provides security guidance with a focus on access control-based policies and procedures, remote access, access control lists (ACL), etc. helping to ensure access to physical and computer-based information systems are restricted to authorized individuals only.

Access Control: a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system.

Awareness and Training (AT)

Control: 5 | Class: Operational

The intention of these 5 controls is to ensure a Security Awareness and Training policy is established along with its respective procedures and sufficient security awareness training programs are employed.

Awareness: Activities which seek to focus an individuals attention on an (information security) issue or set of issues.
Training: strives to produce relevant and needed (information) security skills and competencies. The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to perform a specific function, while awareness seeks to focus an individuals attention on an issue or set of issues.

Audit and Accountability (AU)

Control: 14 | Class: Technical

The purpose of this set of 14 controls is to have the organization identify, audit, track and report on particular events that could be a security risk.

Audit: Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.
Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

Security Assessment and Authorization (CA)

Control: 7 | Class: Management

This set of 7 controls ensures the organization has a Security Assessment Plan which specifies the included controls and enhancements, their procedures and the selection of an independent assessment team to conduct an impartial assessment. In the event the assessment is conducted by an internal team (because the company is small for instance), the results of the assessment are to be reviewed and analyzed by an independent team of experts such as by ISL’s Cyber Security Evaluation team (Information Systems Laboratories).

Configuration Management (CM)

Control: 9 | Class: Operational

The intent of these 9 controls is to ensure the organization has a Configuration Management policy and formalized procedures in place to establish baseline configurations, change control, security impact analyses, component inventory, etc. to help ensure changes to systems are tracked since even minor changes can have severe security implications.

Configuration management is unique identification, controlled storage, change control, and status reporting of selected intermediate work products, product components, and products during the life of a system.

Contingency Planning (CP)

Control: 10 | Class: Operational

Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business operations. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised.

Identification and Authentication (IA)

Control: 8 | Class: Technical

Identification: An act or process that presents an identifier to a system so that the system can recognize a system entity (e.g., user, process, or device) and distinguish that entity from all others.
Authentication: A process that establishes the origin of information or determines an entity’s identity.

Incident Response (IR)

Control: 8 | Class: Operational

The 8 controls contained within this family guide the organization in the creation of a incident response policy and procedures to assist the proper response to an incident that may jeopardize the organization’s information system.

Maintenance (MA)

Control: 6 | Class: Operational

The intent of these 6 controls is to have the organization develop a System Maintenance Policy and supporting procedures to ensure the organization schedules, documents and reviews all maintenance and repairs of systems; uses approved maintenance tools; employing strong identification and authentication for remote maintenance, etc. In other words, these are operations required to keep hardware, software, data, etc. in good working order.

Media Protection (MP)

Control: 6 | Class: Operational

The 6 controls within the Media Protection family is to ensure the organization creates a Media Protection policy and supporting procedures to ensure proper steps are taken to protect data and prevent unintentional access and loss.

Physical and Environmental Protection (PE)

Control: 19 | Class: Operational

The 19 controls within this family help to enforce measures to protect information systems from unauthorized physical access.

Planning (PL)

Control: 6 | Class: Management

This family of 6 controls encourages the development of a System Security Plan, online rules of behavior for employees along with a security planning policy and procedures.

Personnel Security (PS)

Control: 8 | Class: Operational

The intent of the Personnel Security control family is to provide guidance in the hiring, security management and termination of employees.

Risk Assessment (RA)

Control: 5 | Class: Management

The Risk Assessment control family directs the organization in the creation of a Risk Assessment Policy and resulting procedures in order to assess the potential and magnitude of harm in the event of unauthorized access of information systems. In addition to the understanding of the potential risks, software and hardware solutions are implemented to help mitigate risk by identifying and addressing vulnerabilities.

System and Services Acquisition (SA)

Control: 14 | Class: Management

The System and Services Acquisition control family exists to ensure the budgetary means to support the ongoing security needs of the organization are established; systems are properly documented; software licensing is documented and enforced; peer-to-peer file sharing is not used to share unauthorized data or copyrighted material, etc.

System and Communications Protection (SC)

Control: 34 | Class: Technical

The System and Communications Protection control family consists of 34 controls. However, this is a little misleading as 11 of the controls have been withdrawn leaving 23 active controls. The breadth of this control family covers topics such as the physical and/or logical separation of system management interfaces from user functionality; security from non-security functions of the system; the prevention of unauthorized transfer of information from a commonly shared resource such as system memory; the protection of systems from Denial of Service attacks (DoS attacks); even the priority of system resources is called into question to ensure low priority services don’t negatively impact those of a higher priority.

System and Information Integrity (SI)

Control: 13 | Class: Operational

Some of the purposes behind the 12 controls within the System and Information Integrity control family are to identify, report and correct flaws in code including proper error handling; protection from malicious code such as viruses, Trojans, and spyware; monitoring of systems; the reception and reaction to internal and external security alerts; detection of unauthorized changes to data and software; protection from spam and predicting and preventing the failure of systems.

Program Management (PM)

Control: 11 | Class: Management

The 13 controls within the Program Management family directs the organization to develop an Information Security Program Plan, a process to ensure Plans of Action and Milestones (POA&M) are properly worked, etc.. Appointing a Senior Information Security Officer (SISO) or if your organization is a federal agency, a Senior Agency Information Security Officer (SAISO) are among some of the other directives to ensure the information security program is established and in working order.

Though this overview vastly simplifies the complexities and nuances of cyber security, we hope you have found this helpful. Should you have questions or would like to explore how your organization measures up to these and other controls, let us recommend our partner, Information Systems Laboratories (ISL).

Contact them if you are interested in receiving an Independent Cyber Security Evaluation.

You can also download free trial versions of UserLock and FileAudit from our website.