For federal managers of information technology, FISMA compliance is one of the most challenging pieces of federal legislation to be enacted in recent years. On the one hand, FISMA compliance imposes strong requirements to rapidly improve the security of government information, and it holds agencies fully accountable for their success in meeting this goal. On the other hand, for managers who can meet those requirements, there are new opportunities to refocus resources within security programs and to obtain tools to manage them adequately. As discussed in this White Paper, QualysGuard can help agencies meet FISMA requirements, reduce the cost of compliance, and use industry best practices to meet FISMA challenges head-on.
FISMA Compliance Defined
Formally titled "The Federal Information Security Management Act of 2002", FISMA is Title III of the E-Government Act of the same year. FISMA's provisions fall into three major categories: assessment, enforcement, and compliance. The first pertains to determining the adequacy of the security of federal assets, the second requires that key information security provisions be implemented and managed, and the third establishes provisions for the management of each agency's information security program and the accountability of each agency for compliance and reporting.
QualysGuard Supports FISMA Compliance
To be successful in meeting FISMA compliance, federal agencies need automated tools to help them manage their security programs, perform continuous system assessments, support accurate reporting on compliance activities, and enable measurements of how well they are meeting all of FISMA's provisions. QualysGuard is the ideal tool for this purpose.
Delivered as a service that requires no software to install or maintain, QualysGuard automates security audits, helping agencies find and remediate the exposures behind the myriad threats to federal agency technology. This paper describes key provisions of FISMA compliance and shows how QualysGuard supports compliance by enabling federal IT managers to collect, manage, and report on accurate information about their enterprise security posture.
Mitigation and Tracking
Given FISMA's focus on measurement, enforcement and compliance, it is critical for agency managers to be able to track significant deficiencies and the remediation actions taken to correct them. With QualysGuard, system administrators can filter reports to show specific vulnerabilities and their recommended corrective measures. Trouble tickets can be assigned to appropriate personnel to enforce remediation requirements, and to ensure that enforcement is handled consistently across the agency. QualysGuard reports demonstrate the exact status of all mitigation activity. Items that have been corrected can be highlighted; vulnerabilities that are still active can be referred for follow-up activity.
QualysGuard Measures Compliance With FISMA
FISMA introduces significant new requirements for regular reporting of information security program progress and results. With QualysGuard, FISMA compliance and reporting information is available at a moment's notice, including reports on the status of Certification and Accreditation tasks, ongoing monitoring of application systems, and updates on the status of Plan of Action and Milestones (POA&M) activities.
Management and technical reports can be produced to show any view of the enterprise, at any level of detail. Management can focus on particular vulnerabilities to quickly correct "hot" issues, such as exposures to the SANS Top 20 list of vulnerabilities. Trending information shows the history of the security program over time, including key changes to the level of threats and vulnerabilities.
Strategic Planning
FISMA provides for the full integration of information security management processes with strategic and operational planning. To ensure that each agency complies with its provisions, the Act requires that the success of the security program be reported in agency performance and financial planning reports.
QualysGuard reports can help with this integration. High-level reports showing the overall status of security and asset management can be included in the Exhibit 53 and Exhibit 300B input to the capital planning process. Improvements to security can be measured over time and used to support program management and operational planning activity.
Training For FISMA Compliance
Agencies must have policies and procedures that support FISMA compliance and training for key ISS personnel. QualysGuard scan output and reports can show where policies and procedures need to be strengthened by highlighting trends where response was inadequate or where issues arose during remediation activity. Agency management can use these reports to assess staff response to vulnerabilities and determine requirements for additional training. Finally, QualysGuard contains many built-in training features, such as links to web sites with further information about risks and vulnerabilities and about how to correct security issues in the context of FISMA compliance.