Signed into United States law as Title III of the E-Government Act of 2002, the Federal Information Security Management Act (FISMA) is designed to improve and secure the management of electronic government services and technology. FISMA was amended in 2014 by the Federal Information Security Modernization Act of 2014 (FISMA 2014), which updated the Federal Government’s cybersecurity practices to address evolving security concerns.
FISMA provides a framework for managing governmental information security for all information and information systems used by Federal Government agencies or by private sector entities operating information systems on behalf of the Federal Government. FISMA includes implementation, management, and reporting requirements to protect the government’s information technology infrastructure. Covered organizations must implement FISMA requirements and report annually to the Office of Management and Budget.
The National Institute of Standards and Technology (NIST) is responsible for developing the standards, guidelines, and methods for ensuring information security at government agencies. Under its Risk Management Framework (RMF), NIST specifies the following activities, which lead to more secure systems and to compliance with FISMA.
- Categorize – Categorize the information and the system that processes, stores, and transmits it, based on an analysis of the impact of a loss of confidentiality, integrity, or availability.
- Select – Select the minimum baseline security controls for that category, then tailor the baseline as needed based on the organization’s risk assessment and local conditions.
- Implement – Implement the controls and document how they are deployed within the environment and its associated systems.
- Assess – Assess whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to the security requirements.
- Authorize – Authorize the system to operate, based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable.
- Monitor – Monitor the security controls on an ongoing basis for effectiveness, document changes to the system and its environment, analyze the security impact of those changes, and report the security state of the system.
IBM i and FISMA
Some of the most important ways that IBM i systems can be brought into FISMA compliance are through IBM i risk assessment and auditing, security controls implementation, and authorization control solutions. Commercially available IBM i tools and services (shown below) can provide the information you need to determine your FISMA compliance strategy, using the activities listed in the NIST Risk Management Framework.
Risk Assessment and Auditing Solutions
Security assessments, such as SEA’s no-cost iSecurity Assessment, test for potential security vulnerabilities and provide detailed reports showing where your areas of concern are (NIST Assess activities).
Audit and compliance reporting products, such as iSecurity Audit, perform the following NIST Monitor and Assess activities to make your system more secure:
- Monitor your system in real time, taking automatic action (such as running scripts or alerting key personnel) when security threats occur.
- Automatically schedule audit reports and deliver them to key security administrators, auditors, or senior management.
Security Controls Implementation Solutions
Firewall products, such as iSecurity Firewall, monitor all TCP/IP activity and provide a complete IBM i intrusion protection system, complete with alerting and automated response capabilities (NIST Implement activities).
Antivirus products, such as iSecurity Antivirus, can protect your IBM i Integrated File System (IFS) from threats by continuously scanning and deleting viruses, Trojan horses, and malicious code (NIST Implement activities).
Authorize Control Solutions
IBM i authorization products, such as iSecurity Authority on Demand, can audit IBM i access rights, enable designated personnel to approve access requests as needed, enforce segregation of duties, and create authorization and access reports that can be emailed to different users for review and auditing (NIST Authorize activities).
It’s all in the tools and reports
FISMA compliance for IBM i isn’t as difficult to achieve as you may think. It’s all a matter of understanding what your compliance needs are and then implementing the proper tools to meet those needs.
A good way to start reviewing your FISMA compliance is to contact SEA for a free security assessment or for more information on how we can help you with your security issues. We’ll be glad to review your current situation and make recommendations for any changes that might be needed.