The Federal Information Security Management Act (FISMA) is a federal law that requires federal agencies to implement an information security and protection program. FISMA is part of the larger E-Government Act of 2002 introduced to improve the management of electronic government services and processes.
The scope of FISMA has since been extended to state agencies that administer federal programs. FISMA requirements also apply to private businesses that operate or maintain information systems on behalf of a federal agency under contract.
It requires agencies to develop and implement a program to secure all parts of their operations and assets, including their own networks as well as systems and services provided or managed by others (whether other agencies, contractors, or other sources).
FISMA increases cybersecurity focus within the federal government. Agency officials, CIOs, and inspectors general are required to conduct annual reviews of the agency's information security program and report the results to OMB.
FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.
Understanding FISMA compliance is a crucial part of your network security compliance posture.
Your organization needs to comply with many regulations and standards. These include HIPAA, PCI DSS, GDPR, ISO/IEC 27001, the NIST frameworks, NERC CIP, Sarbanes-Oxley (SOX), and more. In many cases, the same requirements that apply to your on-premises environment also apply to the cloud, while some requirements address cloud-specific controls.
The National Institute of Standards and Technology (NIST) has published Special Publication 800-41 Revision 1: Guidelines on Firewalls and Firewall Policy. Section 4 explains the importance of firewall policies and sets out best practices for firewall policy management. According to the document (Section 4.1):
Before a firewall policy is created, some form of risk analysis should be performed to develop a list of the types of traffic needed by the organization and categorize how they must be secured—including which types of traffic can traverse a firewall under what circumstances. This risk analysis should be based on an evaluation of threats; vulnerabilities; countermeasures in place to mitigate vulnerabilities; and the impact if systems or data are compromised. Firewall policy should be documented in the system security plan and maintained and updated frequently as classes of new attacks or vulnerabilities arise, or as the organization’s needs regarding network applications change. The policy should also include specific guidance on how to address changes to the ruleset.
According to NIST (Section 5.2.2), "if multiple firewalls need to have the same rules or a common subset of rules, those rules should be synchronized across the firewalls. This is usually done in a vendor-specific fashion." Network security policy management solutions such as the AlgoSec Security Management solution enable unified multi-vendor policy management across your entire hybrid network.
AlgoSec automatically generates pre-populated, audit-ready compliance reports for leading industry regulations, including SOX, Basel II, GLBA, PCI DSS, ISO 27001, FISMA, and the NIST controls underlying FedRAMP, which helps reduce audit preparation effort and cost. AlgoSec also uncovers gaps in the compliance posture, proactively checks every change for compliance violations, and provides daily audit and compliance reporting across the entire heterogeneous network estate. The AlgoSec appliance uses Federal Information Processing Standard (FIPS) 140 certified cryptographic modules to support FIPS 140-2 compliant devices and enable deployment in FIPS 140-2 compliant organizations.
It is critical to periodically audit your network security controls. Network security audits help to identify weaknesses in your network security posture so you know where your security policies need to be adapted. Firewall audits also demonstrate that you have been doing your due diligence in reviewing security controls and policy controls.
Your network firewalls are a critical part of FISMA and other regulatory requirements, so keeping their rulesets in line with those requirements is a core part of your network security posture.
Following firewall rules best practices, you should periodically evaluate your firewall rules: identify and consolidate duplicate rules, remove obsolete or unused rules, and re-certify the remaining rules on a regular schedule.
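The checks above (duplicates, unused rules, re-certification) and the multi-firewall synchronization point from SP 800-41 Section 5.2.2 can be expressed as a small script. The following is an added example written for this page; it is not AlgoSec's code and not from the NIST document. The rule format, hostnames, addresses, hit counters and the two constructed rulesets (a data-center firewall and an AWS one that should share a common baseline) are all assumptions made for illustration.

```python
"""Firewall rule hygiene checks over a constructed ruleset (added example, not AlgoSec code)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One rule in a first-match ruleset. The field layout is an assumption for this example."""
    name: str
    action: str               # "allow" or "deny"
    src: str                  # IPv4 CIDR
    dst: str                  # IPv4 CIDR
    proto: str                # "tcp", "udp" or "any"
    dport: Tuple[int, int]    # inclusive destination port range; (0, 65535) means any
    hits: int = 0             # hit counter exported by the device (constructed values below)

    def covers(self, other: "Rule") -> bool:
        """True when every packet that matches `other` also matches this rule."""
        return (
            ip_network(other.src).subnet_of(ip_network(self.src))
            and ip_network(other.dst).subnet_of(ip_network(self.dst))
            and self.proto in ("any", other.proto)
            and self.dport[0] <= other.dport[0] <= other.dport[1] <= self.dport[1]
        )


def match_key(r: Rule) -> Tuple:
    """Fields that define what a rule does, ignoring its name and counters."""
    return (r.action, r.src, r.dst, r.proto, r.dport)


def find_duplicates(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(duplicate, original) pairs: same action and match fields as an earlier rule."""
    seen: Dict[Tuple, str] = {}
    dups = []
    for r in rules:
        k = match_key(r)
        if k in seen:
            dups.append((r.name, seen[k]))
        else:
            seen[k] = r.name
    return dups


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(shadowed, shadowing) pairs: a later rule fully covered by an earlier, different rule,
    so under first-match evaluation it can never fire (exact duplicates are reported separately)."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later) and match_key(earlier) != match_key(later):
                out.append((later.name, earlier.name))
                break
    return out


def find_unused(rules: List[Rule]) -> List[str]:
    """Rules with zero hits: candidates for removal at the next re-certification."""
    return [r.name for r in rules if r.hits == 0]


def policy_drift(common: List[Rule], fw: List[Rule]) -> List[str]:
    """Names of baseline rules a firewall is missing (the SP 800-41 5.2.2 synchronization check)."""
    present = {match_key(r) for r in fw}
    return [r.name for r in common if match_key(r) not in present]


# Constructed rulesets. COMMON is the baseline every firewall must carry.
COMMON = [
    Rule("allow-web", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", (443, 443), hits=120000),
    Rule("allow-dns", "allow", "10.0.0.0/8", "10.0.0.53/32", "udp", (53, 53), hits=9500),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", (0, 65535), hits=4200),
]
FW_DC = [
    Rule("allow-web", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", (443, 443), hits=120000),
    Rule("allow-web-dup", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", (443, 443), hits=0),
    Rule("allow-mgmt-any", "allow", "10.0.0.0/8", "10.0.9.0/24", "any", (0, 65535), hits=300),
    Rule("allow-mgmt-ssh", "allow", "10.0.5.0/24", "10.0.9.10/32", "tcp", (22, 22), hits=0),
    Rule("allow-dns", "allow", "10.0.0.0/8", "10.0.0.53/32", "udp", (53, 53), hits=9500),
    Rule("allow-legacy-ftp", "allow", "10.0.0.0/8", "10.0.1.7/32", "tcp", (21, 21), hits=0),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", (0, 65535), hits=4200),
]
FW_AWS = [
    Rule("allow-web", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", (443, 443), hits=88000),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", (0, 65535), hits=1100),
]

if __name__ == "__main__":
    print("duplicates:", find_duplicates(FW_DC))
    print("shadowed:  ", find_shadowed(FW_DC))
    print("unused:    ", find_unused(FW_DC))
    for label, fw in (("dc", FW_DC), ("aws", FW_AWS)):
        print(f"drift[{label}]:", policy_drift(COMMON, fw))
```

Two caveats for anyone adapting this. The shadowing check is pairwise: a rule that is only covered by the union of several earlier rules is missed, and a full analysis needs a set-difference over address and port ranges. And a zero hit count only means unused over the counter's observation window; reset the counters, collect for a full business cycle (including quarter-end or disaster-recovery activity), and confirm with the rule owner before deleting, which is what the re-certification step is for.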