Certifications & VPATS
Educational & Technical Resources
What are FISMA Compliance Requirements?
Every Federal agency—Civilian, Defense, or otherwise—has security compliance requirements that must be met on an annual or ongoing basis.
For civilian agencies, the Federal Information Systems Management Act (FISMA) defines those requirements.
FISMA is U.S. government legislation that defines a comprehensive framework to protect government information, operations, and assets against threats. Signed into law in 2002 and updated in 2014, FISMA requires that federal systems meet a set level of security requirements (also known as “controls”). No agency is exempt. As a result, security compliance is often an integral part of every Federal IT pro’s decision-making process.
FISMA compliance defines a vast and detailed set of security requirements. That said, there are a handful of high-level requirements that can be summarized as follows:
- Maintain an inventory of IT systems. Every federal agency must keep an inventory of information systems that the agency controls or operates, as well as an inventory of the interdependencies between those systems and interdependencies between internal systems and systems outside agency control. This includes systems within an agency’s encrypted cloud.
- Categorize data and systems according to risk level. All agency data and IT systems must be categorized according to risk—low, moderate, or high. A low-impact system is generally informational and does not contain sensitive information that requires safeguarding. A moderate-impact system may contain such information and will require a greater degree of safeguarding. A high-impact system contains information where it has been determined that a loss or compromise of such information would present a grave risk to the U.S. government. An agency’s encrypted cloud environment must be categorized as well. The National Institute for Standards and Technology (NIST) provides guidelines in its NIST SP 800-60 “Guide for Mapping Types of Information and Information Systems to Security Categories.”
- Maintain a system security plan. All agencies must develop and maintain a plan—officially known as a System Security Plan, or SSP—that defined how the agency will implement security controls. The SSP must be updated regularly and include a Plan of Action and Milestones (POA&M).
- Utilize security controls. NIST defines minimum federal security requirements in the FIPS 200 “Minimum Security Requirements for Federal Information and Information Systems” document. Agencies first select the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems,” based on mission requirements. Agencies then document those security controls in the SSP and apply accordingly.
- Conduct risk assessments. Every agency must validate the successful implementation of its security controls through risk assessments. During this risk assessment, agencies also determine if additional controls are necessary to provide extra protection for any information or IT systems.
- Certification and accreditation. After documentation and risk assessment are complete, agencies must then certify that security controls function properly. Once this certification is complete, the information system is “accredited.” The certification and accreditation process is defined in NIST SP 800-37 “Guide for the Security Certification and Accreditation of Federal Information Systems.”
- Conduct continuous monitoring. Agencies must monitor systems to detect abnormalities, and perform security impact analyses, ongoing assessment of security controls, status reporting, etc.
Maintaining Compliance
Remember, these are the most basic, high-level FISMA compliance requirements. There are literally hundreds of additional security controls that cover everything from small technical details, such as the versions of permissible encryption for data in transit (also known as Transport Layer Security), to program-wide decisions that can impact funding, hiring/personnel security, disaster recovery plans, data protection mechanisms, privacy, and more. Even a low-impact system may have over 100 controls, and each of these may break out into individual enhancements (think subsidiary controls).
With all these controls, how does an agency maintain FISMA compliance? The most efficient way is to consider the force-amplifying effects of automation.
Consider a tool, or set of tools, that can provide the following capabilities to help significantly ease the time required for compliance efforts and automatically:
- Discover network devices and get an inventory of systems and software installed on your network
- Validate that devices have been correctly configured from a security standpoint
- Validate that system and security patches have been applied across your systems
- Monitor system logs to help identify threats or malicious behavior
- Block or quarantine malicious and suspicious activity
- Monitor the system’s performance to catch failures as they begin to occur, and not after the failure leads to downtime
SolarWinds offers Security Event Manager to help meet these automation needs.
SolarWinds® Security Event Manager (SEM) is a security information and event management (SIEM) tool that is designed to automate a broad range of tools to help federal IT pros more easily use event logs for security, compliance, and troubleshooting. Get more information from our Compliance Guide for Federal Security and IT Pros white paper.
For more information on the NIST Risk Management Framework, as well as a range of additional federal security compliance information—including how to automate compliance using SolarWinds Network Configuration Manager (NCM)—download the Daily Federal Compliance and Continuous Cybersecurity Monitoring white paper.
Finally, let’s remember that FISMA compliance requirements apply to civilian agencies. Defense agencies have additional requirements, such as DISA STIG compliance; and, the NIST Risk Management Framework (RMF) guides all agencies.