
Making Sense of FISMA for Federal Agencies and Contractors

/ in mainframe security, InfoSec, FISMA, NIST, FIPS / by Tony Perri

Thirty-five major government data breaches occurred between April 2015 and April 2016, according to SecurityScorecard’s 2016 U.S. Government Cybersecurity Report. While some appear to have affected municipal or state networks, at least 10 breaches involved federal organizations such as the IRS, Army, State Department, NASA, and other entities digitally connecting the United States and its citizens.

These are startling numbers for a mere 12-month period, and if the U.S. Government Accountability Office’s (GAO) report on the dramatic upward trend in cyber-attacks on the U.S. Government continues (up 1,300% since 2006), federal agencies and contractors will need to make a critical assessment of the data security policies and infrastructures they have in place.


In response to this proliferation of cyber-attacks, the GAO has identified three areas in which organizations must take action to reduce risk to highly sensitive U.S. Government intellectual property:

  • “Effectively implement risk-based information security programs.”
  • “Improve capabilities for detecting, responding to, and mitigating cyber incidents.”
  • “Expand cyber workforce and training efforts.”[i]

This is the broad analysis (the full report from the GAO is available here), but the takeaway is clear: government organizations are behind the curve in terms of IT security, infrastructure, and human resources in a cyber environment of ever-increasing risk, and this most recent election cycle was bitter icing on an already sour cake.

FISMA – An Introduction to the Essentials

Passed in 2002 and updated in 2014, the Federal Information Security Management Act, later the Federal Information Security Modernization Act (FISMA), sets the IT security bar high for government agencies, contractors, certain educational institutions, and others to mitigate risk to U.S. Government data. The National Institute of Standards and Technology (NIST) is the body tasked with outlining the steps to FISMA compliance in a measurable way, and has produced thousands of pages of Standard Reference Materials (SRMs) for that purpose.

Those SRMs include NIST Special Publications (SPs) and Federal Information Processing Standard (FIPS) Publications, and for your convenience, we have identified the five that should be on your radar if you’re a CISO or InfoSec Manager in a FISMA-covered organization:

  • NIST FIPS Publication 200 (17 pages) - Minimum Security Requirements for Federal Information and Information Systems
  • NIST SP 800-37 (94 pages) - Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  • NIST SP 800-39 (88 pages) - Managing Information Security Risk: Organization, Mission, and Information System View
  • NIST SP 800-53 (462 pages) - Security and Privacy Controls for Federal Information Systems and Organizations
  • NIST SP 800-137 (80 pages) - Information Security Continuous Monitoring for Federal Information Systems and Organizations

The above SRMs alone run to more than 750 pages, and implementing their policies and procedures across your organization’s complex IT landscape is no simple task. To add to the complexity, many organizations do not realize that the mainframe must also be included in their FISMA compliance initiatives.

To help you avoid this common pitfall and the fiscal penalties that may accompany it, CorreLog put together a clarifying Executive Summary on FISMA compliance to point your organization in the right direction, with your z Systems platform included in scope.

Click Here to Download Our FISMA Executive Summary

Full Whitepaper: FISMA Compliance on z/OS

For a deeper dive, CorreLog published an industry whitepaper titled “FISMA Compliance on IBM® z/OS with CorreLog Mainframe Security Solutions” to outline the most applicable and foundational SRMs in finer detail. Although each IT landscape differs greatly from the next, following the distilled guidelines in this whitepaper will be a sound launch pad towards accomplishing and maintaining FISMA compliance in your organization’s IT security policies, procedures, and network infrastructure.

Whitepaper at a glance:

  • The origins of FISMA and how NIST came to be
  • How NIST Special Publications and FIPS Publications assist with FISMA compliance
  • How CorreLog’s mainframe SIEM tools can consolidate and simplify your organization’s FISMA compliance initiatives

Download CorreLog’s FISMA Whitepaper

Since 2008, CorreLog has been bridging the security and compliance gap between distributed (Windows/UNIX) and mainframe computing environments. Our industry-leading solutions deliver real-time z/OS security inclusion in Windows- and UNIX-based SIEM systems for complete, cross-platform IT security and compliance strategies.

For more information on FISMA compliance and/or CorreLog’s industry-leading security solutions, contact us here.

Want to See Phil ‘Soldier of Fortran’ Pen Test z/OS Live?

CorreLog sponsored a mouth-watering IBM Systems Magazine webinar on July 24, titled “Pen Testing to Reveal the Truth about Mainframe Security,” featuring live mainframe penetration tests from Phil “Soldier of Fortran” Young. To watch the video on-demand, click here.


[i] U.S. Government Accountability Office, “Federal Information Security: Actions Needed to Address Challenges,” September 9, 2016. Link
