It can be hard to know how to best allocate your federal agency’s resources and talent to meet FISMA compliance, and a big part of that challenge is feeling confident that you’re choosing the right cybersecurity and compliance reporting solution.
First, a Few FISMA SI-7 Basics
So what sorts of specifications do you need to look for, and why? While the Federal Information Security Management Act (FISMA) is an important part of keeping governmental systems safe from cyberthreats, it’s not the most intuitive set of guidelines to follow. That’s especially true for one of the most difficult security controls agencies must adhere to: NIST SP 800-53 SI-7.
The SI-7 (“SI” meaning “System Information and Integrity”) control instructs agencies on software, firmware and information integrity. As the 2017 executive order on cybersecurity states, “Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk.”
Government systems are categorized as low, moderate or high sensitivity. A baseline set of controls is mandatory for everyone, but the set of mandatory controls gets larger for moderate- or high-sensitivity agencies. The SI-7 control enhancements most relevant to the largest number of agencies are 1, 2, 5 and 7.
SI-7.1: Integrity Checks
As identified in NIST SP 800-53, “Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort.”
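To make the SI-7(1) requirement concrete, here is an added example (not from the original post or from Tripwire) of the kind of integrity check a solution performs at a transitional state such as startup or restart: a sealed baseline of file hashes is taken while the system is known-good, then re-verified later to report added, removed and modified files. The directory contents, the HMAC key and the drift simulated in `demo()` are all constructed for illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries and firmware images fit."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """HMAC the baseline so the stored reference itself cannot be silently edited."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}, sort_keys=True).encode()

def load_baseline(sealed: bytes, key: bytes) -> dict:
    """Verify the HMAC before trusting the baseline; a bad tag is a security-relevant event."""
    doc = json.loads(sealed)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline tampered with or wrong key")
    return doc["baseline"]

def integrity_check(root: Path, baseline: dict) -> dict:
    """Compare the current state with the baseline; run this at startup/restart/shutdown."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; in practice keep the key off the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc").write_bytes(b"\x7fELF original")   # constructed sample binary
        (root / "etc.conf").write_text("level=moderate\n")         # constructed sample config
        sealed = seal_baseline(build_baseline(root), key)
        # Constructed drift before the next restart: binary patched, config removed, file dropped in.
        (root / "bin" / "svc").write_bytes(b"\x7fELF patched")
        (root / "etc.conf").unlink()
        (root / "bin" / "extra").write_bytes(b"x")
        return integrity_check(root, load_baseline(sealed, key))
```

A real deployment would run `integrity_check` from a service hook at each transitional state and forward any non-empty result to the SIEM as a security-relevant event.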
Questions for your cybersecurity vendor:
- Does the solution cover firmware?
- Does it cover the full scope and range of assets, including Windows, Unix, Linux, routers, switches, firewalls and storage devices?
- In (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Megan Freshley. Read the original post at: https://www.tripwire.com/state-of-security/government/solution-fisma-si-7-compliance/