The Federal Information Security Management Act (FISMA) added the weight of federal fines to cyber security compliance in government operations, and for good reason: when compared with the cyber security performance of 17 other major industries, including transportation, retail, and healthcare, government organizations came in dead last with the lowest security scores.
The National Institute of Standards and Technology (NIST), which was originally formed over a century ago to provide scientific standards for weights and measures, now mandates standards for government information technology and is currently tasked with outlining the steps to FISMA compliance in a measurable way. They have laid these steps out in more than 1,000 pages of NIST Special Publications (SPs) and Federal Information Processing Standards (FIPS) publications, which together comprise FISMA.
In summary, FISMA requires development, documentation, and implementation of agency-wide InfoSec programs for every federal agency, including security of data provided to the agency by external agencies and contractors.
These kinds of massive overhauls are not a walk in the park; even the best-intentioned organizations can unknowingly let critical details slip through the cracks, resulting in massive financial penalties for accidental non-compliance.
All enterprise IT environments are different and the amount of systems and human resources needed to maintain FISMA compliance will vary by industry, organization size, structure, and a myriad of other influences.
Of course, this is partially what led to the extensive nature of these publications, leaving some of the most important morsels of information for your organization’s compliance buried among irrelevant details.
Mainframe Security FISMA Highlight: Continuous Monitoring
Did you know your mainframe must also be included in your FISMA compliance initiatives?
If you answered no, you’re not alone. Many organizations have not realized this crucial detail, putting them at risk for non-compliance. If you answered yes, you’re ahead of the game. But what is your process for monitoring mainframe security events? And are you doing that in real time?
It is a common misunderstanding that only Windows/UNIX systems require real-time monitoring. However, NIST SP 800-137 defines Information Security Continuous Monitoring (ISCM) as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” That definition includes “visibility to all IT assets and the security of those assets,” and an ISCM program is one that “Maintains awareness of threats and vulnerabilities.”
In short, you need to have the ability to monitor your entire network (not just the Windows/UNIX systems within it) to be FISMA compliant. This can be accomplished with a Security Information and Event Management (SIEM) system that provides a real-time events feed in your Security Operations Center (SOC).
So, Where to Begin?
You may be worried about where you’re going to find the time to thoroughly examine more than a thousand pages and extract the information you need to make your organization FISMA compliant.
We’ve done the heavy lifting for you and narrowed it down to the six SP and FIPS documents that need to be topmost on your radar. This is not to say other SPs and FIPS publications should be ignored; this is the best place to start. You can read our simplified guide to FISMA compliance in this 12-page whitepaper as a fundamentally sound starting point of reference for your compliance journey.
Since 2008, CorreLog has been bridging the security and compliance gap between distributed (WIN/UNIX) and mainframe computing environments. Our industry-leading solutions deliver real-time z/OS security inclusion in WIN- and UNIX-based SIEM systems for complete, cross-platform IT security and compliance strategies.
For more information on FISMA compliance and/or CorreLog’s industry-leading security solutions, contact us here.
Source: SecurityScorecard 2016 U.S. Government Cybersecurity Report.