What is FISMA

Your organization needs to be compliant with many global regulations. These regulations include HIPPA, PCI DSS, GDPR, ISO/IEC 27001, NIST, NERC, Sarbanes-Oxley (SOX), and more. In many cases, the same regulations that apply to your on-premises environment also apply to the cloud. However, many regulations relate specifically to your cloud controls.

The National Institute for Standards and Technology (NIST) has published Special Publication 800-41 Revision 1: Guidelines on Firewalls and Firewall Policy. Section 4 relates to the importance of firewall policies and sets out best practices for firewall policy management. According to the document (section 4-1):

Before a firewall policy is created, some form of risk analysis should be performed to develop a list of the types of traffic needed by the organization and categorize how they must be secured—including which types of traffic can traverse a firewall under what circumstances. This risk analysis should be based on an evaluation of threats; vulnerabilities; countermeasures in place to mitigate vulnerabilities; and the impact if systems or data are compromised. Firewall policy should be documented in the system security plan and maintained and updated frequently as classes of new attacks or vulnerabilities arise, or as the organization’s needs regarding network applications change. The policy should also include specific guidance on how to address changes to the ruleset.

According to Section 4 of Special Publication 800-41 Revision 1: Guidelines on Firewalls and Firewall Policy:

• An organization’s firewall policy should be based on a comprehensive risk analysis.
• Firewall policies should be based on blocking all inbound and outbound traffic, with exceptions made for desired traffic.
• Policies should consider the source and destination of the traffic in addition to the content.
• Many types of IPv4 traffic, such as that with invalid or private addresses, should be blocked by default.
• Organizations should have policies for handling incoming and outgoing IPv6 traffic.
• An organization should determine which applications may send traffic into or out of its network and make firewall policies to block traffic for other applications.

According to NIST (5.2.2), “if multiple firewalls need to have the same rules or a common subset of rules, those rules should be synchronized across the firewalls. This is usually done in a vendor-specific fashion.” Network security policy management solutions such as the AlgoSec Security Management solution enables unified multi-vendor policy management across your entire hybrid network.

AlgoSec automatically generates pre-populated, audit-ready compliance reports for leading industry regulations, including SOX, BASEL II, GLBA, PCI DSS, ISO 27001, FISMA, and NIST controls for FedRAMP — which helps reduce audit preparation efforts and costs. AlgoSec also uncovers gaps in the compliance posture and proactively checks every change for compliance violations. AlgoSec also provides daily audit and compliance reporting across the entire heterogeneous network estate. The AlgoSec appliance also uses Federal Information Processing Standard (FIPS) Publication 140 certified cryptographic modules to support FIPS 140-2 compliant devices and enable seamless deployment in FIPS 140-2 compliant organizations.