FISMA: The Gold Standard for Security in Civilian, Military, and Intelligence Agencies
Enacted in 2002, the Federal Information Security Management Act (FISMA) was established to ensure a consistent and effective level of computer and network security within the federal government. To that end, FISMA compliance requires federal agencies - and any associated entities handling federal data, such as state and local governments, contractors and grantees - to implement an integrated, risk-based information security program as defined by the National Institute of Standards and Technology (NIST) under the oversight of the Office of Management and Budget (OMB).
To guide agencies tasked with implementing FISMA, NIST established Special Publication (SP) 800-53 as the foundation of a comprehensive security program.
NIST 800-53 defines a broad range of risk-based security controls for access control, auditing, configuration management and much more. Perhaps the greatest challenge presented by FISMA compliance rests in the broad scope of this standard. For example, just one element required for FISMA compliance - NIST SP 800-53, "Security Control Selection" - contains 17 control families comprising 170 individual controls. This broad framework spans the enterprise IT infrastructure, mandating the monitoring and analysis of data generated by all systems, network appliances and security solutions across the enterprise. To be FISMA compliant, an enterprise must collect and process many different types of information across the environment. Traditional log management and SIEM tools, limited in scope primarily to event data, do not have the deep visibility into system configuration and asset data, known vulnerabilities, performance metrics, and network flow data that is required to comprehensively audit against NIST 800-53.
eIQ's SecureVue security, risk and audit management platform combines security information and event management (SIEM) and compliance automation to help organizations fully address FISMA through not only the NIST 800-53 standard, but also technical configuration standards such as SCAP and DISA STIGs. SecureVue contains over 250 reports mapped to individual sections of the NIST 800-53 standard, and also contains a comprehensive compliance library - containing over 2,500 technical and functional controls - to enable organizations to define, monitor and measure FISMA compliance. The platform's wizard-based policy mapping also allows organizations to add and modify regulations and best practices to address a broad range of unique business drivers, including internal practices, service level agreements and business partner requirements.
By collecting, archiving, correlating, analyzing and reporting on log, vulnerability, configuration, asset, performance and network flow data, SecureVue merges the complex monitoring, testing and auditing demands of FISMA and other standards into a single solution. The automated end-to-end correlation of data - coupled with built-in analytics - makes evaluating FISMA compliance an easily manageable task.