As part of an effort to help untangle compliance initiatives, a popular request on the federal side is FISMA (Federal Information Security Management Act) compliance and support for the Risk Management Framework (RMF). In this post, I’ll outline what FISMA compliance is, we’ll walk through FISMA bit by bit, and we’ll talk about where SolarWinds® products can help.
What it means to take on “FISMA compliance” is described in several NIST (National Institute of Standards and Technology) publications. The number of NIST publications out there is impressive, but there are only a few we’re interested in. A couple of these are FIPS (Federal Information Processing Standard) publications; usually when we think of FIPS we think of encryption, but here we’re mostly focused on risk analysis.
Here’s a great summary, though wordy, of how it all fits together:
FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST in response to FISMA. To comply with the federal standard, organizations follow the Risk Management Framework to determine the security category of their information system in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level from the security category in accordance with FIPS 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
Okay, okay, how about the super simple version? In order to implement FIPS 200 with NIST 800-53, you have to first do the risk categorization in FIPS 199. Whew!
We’ll leave the whole exercise of assigning risk up to you, since it’ll be different for each environment. Once you’ve done that, as you walk through the 800-53 requirements, you’ll see different controls needing to be applied at different levels. Generally, you’ll have to comply with the “document” and “policy” controls across all risk levels, but some of the finer controls may not need to be applied to all risk levels.
NIST 800-53 and the RMF (revision 2) provide a great breakdown of the steps that need to be applied. The steps of interest to us, when it comes to where SolarWinds products can help, are:
I’ll walk through each control and identify relevant products for each category as I go, so you don’t have to memorize them all just yet.
Before we dig into implementing key controls (Step 3), as a part of assessing and monitoring controls (Step 4 and Step 6), here is out-of-the-box content designed to help in SEM, ARM and NCM:
There are hundreds of out-of-the-box reports, many of which are categorized for FISMA specifically. These reports help address the Assess and Monitor steps by looking for exceptions to controls, unexpected changes or activity, or attempts to bypass controls. In the SEM Reports Console, navigate to Configure > Manage Categories, select FISMA, then click OK. To see the list, go to View > Industry Reports.
In addition, SEM includes dozens of correlation rules categorized for different compliance initiatives. From the SEM Console, navigate to Rules, then Create Rule from Template. I’d recommend starting with General Best Practice, but as we go through the actual controls you should find relevant correlation rules where real-time notifications are useful.
All changes made with ARM are automatically recorded in the log book. This ensures compliance with legal and best-practice standards and saves the time spent on manual documentation. The log book report allows you to capture events by person or event type within any desired time period, which ensures fully transparent processes and documentation.
In addition, ARM allows reporting by resource or user for all resources.
There are several templates included to help, starting with NCM 7.4 (DISA STIG and NIST FISMA Reports Now Shipping with NCM!); earlier versions can download them from the Content Exchange.
In the NCM web console, under CONFIGS, then Compliance, you should see them listed under the NIST category.
You might want to get a cup of coffee (or tea) while you read through this, as there’s a lot here. The entirety of Appendix F of 800-53 describes the controls and implementing them in detail. I’m going to skip over many of them since they don’t apply to implementing SolarWinds products, but I’ll include a description for each and more details where they’re especially relevant. Got your warm beverage? Let’s get going.
Double whew! I bet your hot beverage cup is empty at this point; perhaps I should’ve warned you to use a large one.
Hopefully at this point we’ve given you more info on how we can help you get moving with FISMA compliance. If you have any questions, feel free to post them and we’ll update the post as things change or more details are necessary.