FISMA

Federal Requirements

The Federal Information Security Management Act (FISMA) was enacted in 2002, and requires all federal agencies “to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency.”  In support of FISMA compliance, the National Institute of Standards and Technology (NIST) has developed a framework, including a set of Federal Information Processing Standards (FIPS), that government agencies are required to use in order to achieve compliance.  Additionally, many non-governmental and commercial organizations have also willingly adopted FISMA, in order to achieve the high level of assurance for information security that compliance provides.

Comprehensive Assessment

A complete Security Assessment and Authorization (SA&A) effort in support of FISMA compliance includes several core deliverables,  any of which can prove very challenging for a large organization:

• Information System Inventory.  System boundaries must be identified, and individual systems (and their owners and interfaces) must be ascertained.
• Risk Categorization.  Systems must be categorized based on an impact of a loss of confidentiality, integrity, or availability, using the guidance provided in FIPS 199 and NIST SP 800-60.
• Security Controls.  Based on the system’s risk categorization, a set of security controls must be evaluated, based on the guidance provided in FIPS 200 and NIST Special Publication 800-53.
• Risk Assessment.  Based on the output of the required security control assessment, system risks are assessed by calculating the likelihood and impact that any given vulnerability could be exploited, taking into account existing controls.  All risks must ultimately be accepted or mitigated.
• System Security Plan.  Using the guidance provided in NIST SP-800-18, a system security plan must be developed.  This is a living document, which includes plans of actions and milestones (POA&Ms) for any assessed risks.
• Certification and Accreditation.  Once all required artifacts have been created, the system may be accredited based on the guidance provided in NIST SP 800-37 — whereupon a system is approved for operation in a production environment.
• Continuous Monitoring.  All accredited systems must ultimately be monitored, to ensure ongoing compliance with identified security controls and baselines.

Complex Challenges

The Aerstone team specializes and excels at finding the best way forward on complex systems that require detailed understanding of business processes, complicated or contradictory system boundaries, complex technologies, and other unusual challenges. While many FISMA compliance assessment service vendors simply follow a basic routine and process, Aerstone looks to find ways to improve the process on every engagement, starting with a focus on defining the scope of the assessment, and working with the client to plan the SA&A project in a comprehensive and efficient manner. Although Aerstone’s services include the entire spectrum of SA&A activities, some specialties set us apart — including:

• FIPS 199 & FIPS 200 determinations
• Advanced threat modeling
• Enumeration of threat vectors and actors
• Security requirements sourcing & analysis
• Security architecture and design reviews
• Application security code reviews
• Security testing
• Penetration testing
• Vulnerability assessments