FISMA Compliance
If you are a government agency, government contractor or an organization that exchanges data with government systems, then you need to be FISMA compliant.
What is FISMA?
Federal government systems are entrusted with transmitting some of the nation’s most sensitive and critical information. The impact of a data breach or service disruption to a government system would not only threaten privacy for citizens, but could also have national security implications. As a result, the National Institute of Standards and Technology (NIST) has worked in conjunction with the Department of Homeland Security and the defense community to create a comprehensive set of security controls for all government information systems, including national security systems.

The Federal Information Security Management Act (FISMA) was created to govern the management of information security in the Federal government. FISMA acts as the umbrella legislation for several standards that collectively support the overall FISMA mandate. The way in which each individual standard fits into the Federal government’s security compliance ecosystem is illustrated by the FISMA Risk Management Framework (RMF). The standards provide guidance on specific operational, technical and management security controls that should be used to guide the implementation of hands-on security practices and configuration settings. Key security standards for FISMA are detailed in NIST Special Publication 800-53 (simply referred to as NIST SP 800-53), as well as the Federal Information Processing Standards (FIPS), specifically in FIPS 199 and FIPS 200. FISMA requires covered entities to integrate the guidance in all three of these standards, in addition to other related Office of Management and Budget (OMB) mandates.
The goal of FISMA is to ensure that Federal departments and agencies apply risk-based, cost-effective measures that provide adequate security against the unauthorized access, use, disclosure, disruption, modification, or destruction of information. Covered entities are required to apply specific security controls to all federal data and information systems to protect against data loss, service interruptions, or threats to national security. The OMB is responsible for reviewing FISMA audit documentation annually from each covered entity and reporting its findings to the U.S. Congress. After the FISMA audit documentation is reviewed and approved by an accrediting official, the accreditation authorization may last up to 3 years, as long as no significant changes are made. However, as systems are modified, additional controls or processes may need to be implemented. As a result, each covered entity is responsible for conducting ongoing monitoring in order to keep track of whether it needs to be recertified against FISMA requirements.
Who needs to be FISMA compliant?
All government agencies, government contractors, and organizations that exchange data directly with government systems must be FISMA compliant. This may include such diverse entities as data clearinghouses, state government departments, and government military subcontractors if data is exchanged directly with Federal government systems. Coverage may expand to include public and private sector entities that utilize, manage or run critical infrastructures if FISMA security controls are combined with the Consensus Audit Guidelines as part of the new U.S. Information and Communications Enhancement (ICE) Act.
Penalties for non-compliance
Government agencies that do not meet FISMA compliance standards may be sanctioned by having their budgets cut. In the case of government subcontractors, they risk being terminated from existing contracts, and may become ineligible for bidding on future government contracts. For example, NIST and OMB guidance support the usage of Security Content Automation Protocol (SCAP) compliant tools as part of meeting FISMA requirements in an effort to accelerate the adoption of vulnerability assessment automation tools. The General Services Administration (GSA) revision to the Federal Acquisition Regulation (FAR), together with the provisions in the SmartBUY program, prohibit procurement officers from authorizing purchases of vulnerability scanners unless those scanners prove to be SCAP compliant. The OMB can sanction organizations that fail to adhere to these procurement constraints.
How Rapid7 Helps
Rapid7 has extensive experience partnering with federal departments and agencies, such as the U.S. Department of Energy, United States Postal Service (USPS), the National Nuclear Security Administration (NNSA), and the National Telecommunications and Information Administration (NTIA), to help them meet their regulatory requirements. Rapid7 NeXpose provides a full end-to-end security solution for government agencies and subcontractors to help them meet FISMA compliance using security control classes defined in FIPS 200 and described in detail in NIST SP 800-53 v3.
Rapid7 helps you comply with security controls RA-5 and CA-7 of NIST SP 800-53 v3 because:
- NeXpose is a certified SCAP-compliant vulnerability scanning tool. NeXpose supports interoperability and open standards among tools by using standardized enumerations for platforms, software flaws, and misconfigurations, which paves the way for standardized formatting, transparent checklists/benchmarks and sharable test procedures. NeXpose provides a standardized way of measuring vulnerability impact by using its native CVSS v2 algorithm for risk scoring. The use of SCAP standards together with the flexible NeXpose API allows NeXpose to communicate with your existing disaster recovery, event management, help desk, and asset management tools. (Security Control RA-5)
- NeXpose scans for vulnerabilities throughout your infrastructure to optimize your network security, Web application security and database security strategies, including within desktop applications and hosted applications. NeXpose then provides both executive summary and detailed remediation reports on vulnerabilities discovered. The Rapid7 Managed Services option provides both external vulnerability scanning and independent validation. (Security Control RA-5)
- NeXpose enables scanning on sensitive Industrial Control System (ICS) networks found in Federal government facilities, as well as in both Healthcare Services and Energy utilities, by using the pre-configured, out-of-the-box NeXpose SCADA Scan Template. Additional control enhancements suggested by NIST include utilizing independent assessors and penetration tests. The Rapid7 Penetration Testing Service will customize a penetration testing package for your needs. Rapid7 Consulting Services also offer full on-site security assessments to provide independent validation of your Red Team’s internal scanning results. (Security Control RA-5)
- NeXpose provides the capability for you to perform scheduled and ad-hoc testing of the effectiveness of your security program by enabling you to use on-going vulnerability scanning as part of an integrated security program. NeXpose generates remediation reports that include vulnerabilities uncovered during vulnerability scans, along with detailed remediation steps. Additional control enhancements suggested by NIST include utilizing independent assessors and penetration tests. The Rapid7 Penetration Testing Service will customize a penetration testing package for your needs. Rapid7 Consulting Services also offer full on-site security assessments to provide independent validation of your Red Team’s internal scanning results. (Security Control CA-7)
With Rapid7 NeXpose, our Professional Services staff can perform independent vulnerability scans, conduct penetration testing and produce the documentation required to comply with security controls CA-2, SC-7, PE-3, SA-11 and SA-12 of NIST SP 800-53 v3.
These services include:
- Providing penetration testing services, onsite security control assessments, and best practices consulting by providing the required assessment annually (at a minimum). Rapid7 Security Experts also perform risk assessments, which FISMA defines as being synonymous with vulnerability assessments. (Security Control CA-2)
- Providing penetration testing services to test compliance with the new requirement to ensure that the information system fails securely in the event of an operational failure of a boundary protection device. The additional control enhancement suggested by NIST instructs system owners who manage boundary protection devices (e.g., a router, firewall, guard, or application gateway residing on a protected sub-network commonly referred to as a demilitarized zone) to ensure that a failure of a boundary protection device cannot lead to, or cause, information external to the boundary protection device entering the device, and that a failure cannot permit unauthorized information release. The Rapid7 Penetration Testing Service will customize a penetration testing package to test boundary conditions. (Security Control SC-7.18)
- Providing penetration testing services, onsite security control assessments, and best practices consulting in compliance with the security controls outlined in PE-3 ‘Physical Access Control’. Additional control enhancements suggested by NIST to increase the effectiveness of this security control include conducting penetration testing that includes unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility. The Rapid7 Penetration Testing Service can include Social Engineering penetration testing designed to test physical and human security conditions. (Security Control PE-3.6)
- Providing onsite security control assessments and best practices consulting with the option of Developer Security Best Practices training in order to facilitate the implementation of a verifiable flaw remediation process to correct weaknesses and deficiencies in the software development lifecycle (SDLC) that were identified during the security testing and evaluation process. Additional control enhancements suggested by NIST to increase the effectiveness of this security control include having system developers/integrators perform a vulnerability analysis to document vulnerabilities, exploitation potential, and risk mitigations. The Rapid7 Penetration Testing Service will customize a Security Best Practices, Web Application Assessment, and Training package for your needs. (Security Control SA-11.2)
- Providing penetration testing services in compliance with the security controls outlined in SA-12 ‘Supply Chain Protection’ by conducting independent analysis and penetration testing against delivered information systems, information system components, and information technology products to ensure measures are in place to protect against supply chain threats. (Security Control SA-12)
To learn more about how Rapid7 can help you to meet the key standards and security controls to comply with FISMA requirements, refer to the Rapid7 FISMA Compliance Guide.
Implement cost-effective security tools and best practices to protect critical government infrastructures from data breaches. Contact us to find out how Rapid7 can help you implement risk-based security controls for FISMA compliance.
"NeXpose not only provides system protection, but is instrumental in redirecting the resources of the City of Philadelphia to streamline the infrastructure of the IT department."
Michael King, CISO, City of Philadelphia
