FISMA is U.S. government legislation that defines a comprehensive framework to protect government information, operations, and assets against threats. Signed into law in 2002 and updated in 2014, FISMA requires that federal systems meet a set level of security requirements (also known as “controls”). No agency is exempt. As a result, security compliance is often an integral part of every Federal IT pro’s decision-making process.
FISMA compliance defines a vast and detailed set of security requirements. That said, there are a handful of high-level requirements that can be summarized as follows:
Remember, these are the most basic, high-level FISMA compliance requirements. There are literally hundreds of additional security controls that cover everything from small technical details, such as which Transport Layer Security (TLS) versions are permitted for protecting data in transit, to program-wide decisions that can impact funding, hiring/personnel security, disaster recovery plans, data protection mechanisms, privacy, and more. Even a low-impact system may have over 100 controls, and each of these may break out into individual control enhancements (think subsidiary controls).
With all these controls, how does an agency maintain FISMA compliance? The most efficient way is to consider the force-amplifying effects of automation.
Consider a tool, or set of tools, that can provide the following capabilities, each of which significantly reduces the time required for compliance efforts, and can automatically:
SolarWinds® Security Event Manager (SEM, formerly Log & Event Manager, or LEM) is a security information and event management (SIEM) tool designed to automate a broad range of tasks so federal IT pros can more easily use event logs for security, compliance, and troubleshooting. Get more information from our Compliance Guide for Federal Security and IT Pros white paper.
For more information on the NIST Risk Management Framework, as well as a range of additional federal security compliance information—including how to automate compliance using SolarWinds Network Configuration Manager (NCM)—download the Daily Federal Compliance and Continuous Cybersecurity Monitoring white paper.
Finally, let’s remember that FISMA compliance requirements apply to all federal agencies, civilian and defense alike. Defense agencies have additional requirements on top of FISMA, such as DISA STIG compliance, and the NIST Risk Management Framework (RMF) guides all agencies.