Learn how Tripwire can help you deploy a comprehensive configuration assessment and control solution that: a) reduces the time and resources required to verify compliance and prepare for audits; and b) maintains continuous compliance by allowing IT to immediately identify any exceptions and trigger remediation of configurations that do not conform to policy.
Automating FISMA
Compliance with Tripwire
white paper
Configuration Control for Virtual and Physical Infrastructures

Contents
3 Introduction
3 Challenges
4 Meeting FISMA Requirements
5 Ensuring Compliance with Tripwire Configuration Control Solutions
6 Evidence of Effectiveness
Introduction
Since the enactment of the Federal Information Security Management Act (FISMA) in 2002, federal agencies have been required to develop, document and implement agency-wide information security programs to protect the confidentiality, integrity and availability of the data and systems that support government operations and assets. Foundations, educational institutions, and other organizations that have system connections with a federal agency, as well as private contractors worldwide and state, regional, local or tribal agencies that store, process or transmit data from a federal agency, must comply with FISMA as well.

FISMA is codified in a number of standards and guidance documents produced by the National Institute of Standards and Technology (NIST). Included among them is FIPS-199, the Standards for Security Categorization of Federal Information and Information Systems. FIPS-199 defines the requirements to be used by federal agencies in categorizing information and information systems in order to provide appropriate levels of information security for a range of risk levels. The standard establishes three levels of protection requirements (low, moderate, and high) for each of the security objectives of confidentiality, integrity, and availability.

Implemented in March 2006, FIPS-200, Minimum Security Requirements for Federal Information and Information Systems, took an important next step. FIPS-200 requires agencies to use the FIPS-199 standards for system categorization, and then select an appropriate set of security controls from Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems. This document provides federal agencies with a foundation for understanding security controls and their use within an information security program.

NIST SP 800-53 is designed to help federal agencies more easily comply with FISMA by removing any debate over which controls must be implemented and to what level of operational assurance. Together, the FISMA requirements and NIST technical guidance documents are emerging as a world-class framework for achieving and maintainin...

... concept of unambiguous personal accountability for agency residual risk.

Challenges

While NIST is the doorway to information on what is required by FISMA, generating, collecting, understanding and reporting FISMA results each year remains tedious and time-consuming, often requiring complicated, manual processes. With no streamlined way to integrate all of the data coming in from various sources and solutions, agencies use various methods to collect the required security data, including databases, spreadsheets and other documents.

Audit preparation time is equally time-consuming and expensive. Demonstrating FISMA compliance requires enormous effort, budget and IT resources, all of which take away from an agency's primary work. The Office of Budget and Management (OMB) reported agencies spent approximately $5.5 billion in fiscal year 2006 to meet FISMA requirements. It is predicted that to maintain compliance with FISMA, agencies will require upwards of $27.9 billion between 2008 and 2012. The challenge of setting appropriate priorities and allocating scarce funds to compliance activities will continue to be faced by department heads throughout the federal government.

Unfortunately, so far, according to the 2007 Federal Computer Security Report Card, many agencies are still receiving failing grades. What's more, a passing grade is no guarantee your agency's data is secure. FISMA can't mandate a secure IT system; instead, it intends to achieve that state by requiring adherence to a common process for assessing, testing and managing IT security. In these early years of FISMA's adoption, what's really being graded is the quality of compliance efforts, which is only indirectly linked to the quality of security practices.

Meanwhile, software vulnerabilities increase every year. According to IBM Internet Security Systems, software vulnerabilities increased 45.9% in 2004, 12.8% in 2005 and...