FISMA Prescriptive Guide

FFIISSMMAA::
AACCHHIIEEVVIINNGG AANNDD MMAAIINNTTAAIINNIINNGG
CCOOMMPPLLIIAANNCCEE TTOO EENNSSUURREE
SSEECCUURRIITTYY OOFF SSYYSSTTEEMMSS AANNDD DDAATTAA
The Leader inConfiguration Audit & ControlPRESCRIPTIVE GUIDE: FISMA
TABLE OF CONTENTS
About this Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Why FISMA Matters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Pressures of Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Annual FISMA Report Card. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Automating FISMA Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Tripwire and NIST Controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
FISMA / Tripwire Federal Case Studies #1 CIO perspective. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 #2 Agency Information Systems Owner perspective. . . . . . . . . . 7 #3 Authorizing Official perspective. . . . . . . . . . . . . . . . . . . . . . . . 9
Benefits of Tripwire for Continuous FISMA Compliance. . . . . . . . 10
Next Steps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Tripwire software has been recommended, endorsed and/or certified by these agencies.
©2008 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.PRESCRIPTIVE GUIDE: FISMA
About this GuideTripwire has long been an important tool for federal agency IT departments, offering an iron-clad defense, or foundation for a layered compliance and security strategy.
This guide is intended to show how Tripwire® Enterprise can continue to help federal agencies, as well as the organizations that store, process or transmit federal information, and the contractors that do business with the federal government, by providing an automated method for meeting many of the most critical regulatory IT security standards of FISMA compliance.
This guide contains case studies from three fictional federal agencies, each capturing the perspective of a key stakeholder in the FISMA compliance process. The case studies highlight how a CIO, Information Systems Owner and Authorizing Officer approach and manage the internal issues of demonstrating FISMA compliance, and how they meet many of those challenges with Tripwire configuration audit and control solutions.
Why FISMA MattersIn 2002, Congress passed and the President signed the E-Government Act, within which is Title III, the Federal Information Security Management Act (FISMA). This law requires federal agencies-and the foun-dations, educational institutions, and organizations that receive federal funds, as well as the contractors that do business with them-to develop, document, and implement information security programs to protect the confidentiality, integrity and availability of the data and systems that support agency operations, assets and mission.
In meeting compliance, agencies face a dual responsibility. First, is to meet the specific requirements estab-lished by NIST in support of the FISMA requirements; and second, is to be able to provide a risk-appropriate level of assurance that critical information security controls are operationally effective and producing the intended outcomes. In addition, agency officials are concerned that change management and configuration control are handled in a consistent and enforced manner to reduce vulnerabilities. According to the 2005 White House Office of Management and Budget (OMB) Annual Report to Congress on Implementation of FISMA, uneven implementation of security measures across the federal government leaves many weak-nesses that must be corrected.
Above all, FISMA matters because in becoming compliant, agencies also become more efficient in their operations, and most importantly, more secure.
Page 2PRESCRIPTIVE GUIDE: FISMA
Pressures of ComplianceSpecifically, federal agencies are required to develop an agency-wide security program, and to implement and adhere to security configuration standards developed by the National Institute of Standards and Technology (NIST). Agencies... [download for more]