
Federal Security Compliance: Challenges, Consequences, and a Solution

Level 12

Information security is important to every organization, but when it comes to government agencies, security can be considered the priority. A breach or loss of information held by federal agencies can lead to major consequences that can even affect the national and economic security of the nation.


The Defense Information Systems Agency (DISA) is a combat support agency that provides support to the Department of Defense (DoD), including some of its most critical programs. This means DISA must maintain the highest possible security for the networks and systems under its control. To achieve this, DISA developed the Security Technical Implementation Guides (STIGs), a methodology for the secure configuration and maintenance of IT systems, including network devices. The DISA STIGs have been used by the DoD for IT security for many years.

In 2002, Congress felt civilian agencies weren’t making IT security a priority, so to help them secure their IT systems, Congress created the Federal Information Security Management Act (FISMA). This act requires each agency to implement information security safeguards, audit them, and report on them to the President’s Office of Management and Budget (OMB), which in turn prepares an annual compliance report for Congress.

FISMA standards and guidelines are developed by the National Institute of Standards and Technology (NIST). Under FISMA, every federal civilian agency is required to adopt a set of processes and policies to aid in securing data and ensure compliance.

Challenges and Consequences:

Federal agencies face numerous challenges when trying to achieve or maintain FISMA and DISA STIG compliance. For example, routinely examining configurations from hundreds of network devices and ensuring that they are configured in compliance with controls can be daunting, especially for agencies with small IT teams managing large networks. Challenges also arise from user error, such as employees inadvertently exposing critical configurations, not changing defaults, or holding more privileges than they require. Non-compliance can have severe consequences, not just sanctions: it weakens or threatens national security, disrupts crucial services used by citizens, and causes significant economic losses. There are multiple examples of agencies where non-compliance has resulted in critical consequences. For example, a cyber-espionage group named APT1 compromised more than 100 companies across the world and stole valuable organizational data, including business plans, agendas and minutes from meetings involving high-ranking officials, manufacturing procedures, e-mails, user credentials, and network architecture information.

Solution:

With all that said, NIST FISMA and DISA STIGs compliance for your network can be achieved through three simple steps.

1. Categorize Information Systems:

An inventory of all devices in the network should be created, and each device must then be assessed to check whether or not it is in compliance. Non-compliant devices should be brought to a compliant baseline configuration, and the policies applied should be documented.

2. Assess Policy Effectiveness:

Devices should be continuously monitored and tracked to ensure that security policies are followed and enforced at all times. Regular audits with configuration management tools should be used to detect policy violations. Further, penetration testing can help evaluate the effectiveness of the policies enforced.

3. Remediate Risks and Violations:

After all security risks or policy violations are listed, apply a baseline configuration that meets recommended policies or close each open risk after it has been reviewed and approved. Once again, the use of a tool to automate review and approval can speed the process of remediation.

In addition to following these steps, using a tool for continuous monitoring of network devices for configuration changes and change management adds to security and helps achieve compliance.
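As an added illustration (not code from this post or from SolarWinds NCM), the script below walks through the assess/remediate loop and the change monitoring described above on constructed device configs: it checks each config against a handful of hardening rules modelled loosely on common network-device controls, lists the violations to remediate, and fingerprints the approved baseline so a later configuration change is detected. The rule names, patterns and configs are constructed samples, not actual STIG identifiers.

```python
"""Constructed example: audit network configs against a small baseline and detect drift."""
import hashlib
import re

# Constructed sample rules (not real STIG IDs). kind "require": the regex must
# match a line of the config; kind "forbid": it must not match any line.
RULES = [
    ("password-encryption", "require", r"^service password-encryption$"),
    ("no-telnet-vty", "forbid", r"^\s+transport input .*\btelnet\b"),
    ("login-banner", "require", r"^banner (login|motd)"),
    ("no-default-snmp", "forbid", r"^snmp-server community (public|private)\b"),
    ("no-http-server", "require", r"^no ip http server$"),
]


def audit_config(config: str) -> list:
    """Return the names of the rules this config violates (empty list = compliant)."""
    violations = []
    for name, kind, pattern in RULES:
        matched = re.search(pattern, config, re.MULTILINE) is not None
        if (kind == "require" and not matched) or (kind == "forbid" and matched):
            violations.append(name)
    return violations


def config_fingerprint(config: str) -> str:
    """Hash a normalised config (blank and '!' comment lines dropped) for change tracking."""
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip() and not ln.startswith("!")]
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def drifted(approved: str, current: str) -> bool:
    """True when the current config no longer matches the approved baseline."""
    return config_fingerprint(approved) != config_fingerprint(current)


# Constructed configs for two sample devices.
NONCOMPLIANT = """!
hostname edge-rtr-1
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
!
"""
COMPLIANT = """!
hostname core-sw-1
service password-encryption
no ip http server
banner login ^C Authorized use only ^C
snmp-server community Zq9kLm RO
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    for host, cfg in (("edge-rtr-1", NONCOMPLIANT), ("core-sw-1", COMPLIANT)):
        print(host, audit_config(cfg) or "compliant")
```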

If you are ready to start with your NIST FISMA or DISA STIG implementation and need an even deeper understanding of how to achieve compliance, as well as how to automate these processes with continuous monitoring, download the following SolarWinds white paper: “Compliance & Continuous Cybersecurity Monitoring.”

For those of you who would like to test a tool before deploying it into the production network, SolarWinds Network Configuration Manager is a configuration and change management tool that can integrate with GNS3, a network simulator. For details, refer to the integration guide here:

https://community.gns3.com/docs/DOC-1903

Happy monitoring!

12 Comments
Level 17

Awesome... I think this could be useful...

Level 15

Great information and something for the late night reading list.  But, I think after the breach of 4 million federal employees' personal information in the last few weeks, maybe it's time to review how this IT security is being monitored. 

Level 11

It really shows how vulnerable information is in the digital age.  Remember Ronald Reagan's quote about the 9 most terrifying words: "I'm from the government and I'm here to help."  I have lost count of how many people have told me they received a letter or email stating their personal information has been compromised by an organization, and here is your consolation prize of 1 year of free credit reports.  Start monitoring your credit and report anything suspicious, because if your identity is stolen you will have to prove your innocence.  All good information, but it is obvious online information is not ready for prime time when it comes to security.

Level 14

Many thanks for the info.  Awesome food for thought.

Level 14

NCM is a great tool and does a pretty good job with DISA STIG compliance.  It does require a lot of customization for your environment.  There is not a lot out there that actually does this kind of "audit". 

MVP

Good stuff!

Level 9

Great.

Level 12

For one, agencies "should" follow the compliance policies that apply to them, but on another note, there has to be a system in place to frequently review the effectiveness of existing policies. Are the policies adopted in 2002 still good enough to fight the security challenges of 2015?

Level 12

NCM's greatness over other tools is that you can customize it - when it comes to network config, there is no one size fits all but NCM has sizes to fit all.

Level 11

Great brief read! I wish that I had more time to read all the items here on http://thwack.solarwinds.com !

Working every day to leverage NCM to work better for you.  I have even been asked to provide (develop) NCM DISA STIG support for various DoD commands and organizations.  The company I work for is providing me resources to support multiple activities.

Here is the front page for DISA STIGs with NCM.

Everything DISA STIGs for your Network

Level 14

Great write-up.  Love the thought of using NCM to look at STIG V keys.