FISMA 101: A Guide to Achieving FISMA Compliance

9月 11, 2013

In today's Whiteboard Wednesday, John Schimelpfenig will talk about FISMA compliance. John talks about what FISMA compliance is and how to achieve FISMA compliance through vulnerability management, continuous monitoring, and penetration testing.

Video Transcript

Hello everybody. My name is John Schimelpfenig. I'm the federal account manager here with Rapid7. I'm here today to talk to you about FISMA compliance 101.

Show more Show less

Exciting stuff. Federal compliance. They finally put up a Whiteboard Wednesday about it.

It's not exciting. Settle down.

We've got a couple of minutes here. I just want to take you through some high-level stuff, and then we can get into it with an actual webcast that we're also shooting to coincide with this.

First and foremost, what is FISMA? The Federal Information Security Management Act. This is actually designed to have you implement, design, create a security program baseline minimum requirements that's going to allow you to safeguard your networks and critical controls.

This includes everything from your own network to third-party networks or to contractor networks that you may be on. It's very important to understand not only is your stuff in-house important but anything you may connect to, that's probably in scope, and you're going to want to report on that.

There are three major parts to it. The first is vulnerability assessment; the second, continuous monitoring; and the third, penetration testing.

I'd like to start with vulnerability assessment, not only because it's number one, because it's probably your top priority. It's confusing. It's alphabet soup. You're going to be drowning right off the bat. You're going to look at the list of requirements and certs that you’re going to have to hit, and you're not sure where to begin.

The good news is most of them actually roll up to either SCAP or CyberScope, which will both help satisfy your FISMA.

To really get in there, first things first, kick off that discovery scan, understand truly what's in your network. You're not going to be able to define your scope without that. From that point, you're going to get that list of vulnerabilities, break it down, and understand what's happening.

To take that step back, though, you're actually able to upload these policies through our policy editor within Nexpose and scan that way.

Number two. Continuous monitoring. You always need to be watching your network. This does not mean you're going to be up for 24 hours a day, 365 days a year. You're going to have a control in place, a piece of software that's going to be monitoring your network for you.

This is going to satisfy a nice chunk of FISMA, but it's actually going to safeguard you above that. So, yes, you're checking a box, but more importantly, you're sleeping soundly while that information is being safeguarded holistically within the network.

Thirdly, let's talk about penetration testing. Pen testing is a big part of NIST 800-53 endpoint and critical control security. If you're not running a pen test, whether it be externally or internally, you're actually shorting yourself on a security program. Sure, these things do cost money, but it’s important to understand that at the end of the day, the holistic security approach is actually going to check the box for you.

And by following all three of these simple steps that FISMA does lay out, granted, the underlayers could get a little complicated, but following these three steps will, again, help you check the box, get you compliant, but more importantly safeguard your network and your critical controls and allow you to sleep peacefully at night.

I want to thank you for your time today. In addition, there's a link floating either up there, down there, or maybe over there for the webcast we did a little bit earlier today that dives deeper into FISMA. If you have some time, take a look at it. It should run about 45 minutes for you, with some Q and A after.

I do find that the more information, the better, and anything else we can provide to you, please let us know. Again, thanks for the time. Hope you have a great one.