The US Federal Information Security Management Act (FISMA) is now at the core of the US Government’s approach to defending its systems and information against a range of attacks and failure scenarios. A key element of this approach is the role of the National Institute of Standards and Technology (NIST), which produces a series of documents specifying the risk management and control requirements and the approaches for meeting them.
NIST SP800-53, in its latest release, provides an approach to security and a catalogue of controls that support the mandatory FIPS Publication 200 (Minimum Security Requirements for Federal Information and Information Systems). Organizations determine the security category of their systems using FIPS Publication 199 (Standards for Security Categorization of Federal Information and Information Systems); the resulting information system impact level (low, moderate or high) selects the corresponding control baseline in SP800-53, which is then tailored to the system. The oversight and continuous monitoring regime that follows is set out in SP800-137.
As such, the controls in SP800-53 form the basis of the overarching information, IT and cyber security defense posture. SP800-53 is the primary source for control selection, in the same way that other management system and control-based standards such as ISO27001 and PCI-DSS are in their domains. Hence it is of vital importance in US Federal Government and Defense environments. Within the Critical National Infrastructure (CNI) community, too, the associated standards and regulations refer back to the NIST publication.
Huntsman® further supports the requirement for security status, compliance and operational reporting as part of a Security Lifecycle. This requirement is described and mandated in Executive Memo M-12-20 and detailed in the associated NIST Security Lifecycle approach (SP800-37).
We have developed a comprehensive set of Queries/Reports, Alerts and Dashboards to support a FISMA compliant security monitoring and incident management regime. The documents below show how Huntsman® forms the hub of a security ecosystem that enables the audit, alerting, monitoring, data retention, access and incident investigation controls, as well as the wider security environment where FISMA applies.