FISMA Compliance Framework

FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.

  • Inventory of information systems – Take an inventory of the information systems controlled by each agency
  • Categorize information and information systems according to risk level
  • Appropriate security controls and assurance requirements – Ensure you have the appropriate security controls as set out in the NIST Special Publication 800-53
  • Risk assessment – Validate your security controls and determine if any additional controls are needed
  • System security plan – Execute and frequently review plans for implementing security controls
  • Certification and accreditation – The system must be reviewed and certified as functioning according to the appropriate standards
  • Continuous monitoring – Monitor and update to reflect ongoing changes


Understanding FISMA compliance is a crucial part of your network security compliance posture.

What are some common regulations that customers must be compliant with?

Your organization needs to be compliant with many global regulations. These regulations include HIPAA, PCI DSS, GDPR, ISO/IEC 27001, NIST, NERC, Sarbanes-Oxley (SOX), and more. In many cases, the same regulations that apply to your on-premises environment also apply to the cloud. However, many regulations relate specifically to your cloud controls.

How does my firewall management help with FISMA?

The National Institute of Standards and Technology (NIST) has published Special Publication 800-41 Revision 1: Guidelines on Firewalls and Firewall Policy. Section 4 relates to the importance of firewall policies and sets out best practices for firewall policy management. According to the document (section 4-1):

Before a firewall policy is created, some form of risk analysis should be performed to develop a list of the types of traffic needed by the organization and categorize how they must be secured—including which types of traffic can traverse a firewall under what circumstances. This risk analysis should be based on an evaluation of threats; vulnerabilities; countermeasures in place to mitigate vulnerabilities; and the impact if systems or data are compromised. Firewall policy should be documented in the system security plan and maintained and updated frequently as classes of new attacks or vulnerabilities arise, or as the organization’s needs regarding network applications change. The policy should also include specific guidance on how to address changes to the ruleset.

What are FISMA’s recommendations for firewall setup?

According to Section 4 of Special Publication 800-41 Revision 1: Guidelines on Firewalls and Firewall Policy:

  • An organization’s firewall policy should be based on a comprehensive risk analysis.
  • Firewall policies should be based on blocking all inbound and outbound traffic, with exceptions made for desired traffic.
  • Policies should consider the source and destination of the traffic in addition to the content.
  • Many types of IPv4 traffic, such as that with invalid or private addresses, should be blocked by default.
  • Organizations should have policies for handling incoming and outgoing IPv6 traffic.
  • An organization should determine which applications may send traffic into or out of its network and make firewall policies to block traffic for other applications.

How can network security policy automation help with FISMA compliance?

According to NIST (5.2.2), “if multiple firewalls need to have the same rules or a common subset of rules, those rules should be synchronized across the firewalls. This is usually done in a vendor-specific fashion.” Network security policy management solutions such as the AlgoSec Security Management solution enable unified multi-vendor policy management across your entire hybrid network.

How does AlgoSec help with FISMA compliance?

AlgoSec automatically generates pre-populated, audit-ready compliance reports for leading industry regulations, including SOX, BASEL II, GLBA, PCI DSS, ISO 27001, FISMA, and NIST controls for FedRAMP, which helps reduce audit preparation efforts and costs. AlgoSec uncovers gaps in the compliance posture, proactively checks every change for compliance violations, and provides daily audit and compliance reporting across the entire heterogeneous network estate. The AlgoSec appliance uses Federal Information Processing Standard (FIPS) Publication 140 certified cryptographic modules to support FIPS 140-2 compliant devices and enable seamless deployment in FIPS 140-2 compliant organizations.

FISMA Compliance Tips


Conduct a network security audit

It is critical to periodically audit your network security controls. Network security audits help to identify weaknesses in your network security posture so you know where your security policies need to be adapted. Firewall audits also demonstrate that you have been doing your due diligence in reviewing security controls and policy controls.


Conduct periodic compliance checks

Your network firewalls are a critical part of FISMA and other regulatory requirements. Ensuring that your network firewalls comply with critical regulations is a core part of your network security posture.


Periodically evaluate your firewall rules

Following firewall rules best practices, you should periodically evaluate your firewall rules. Identify and consolidate duplicate rules, remove obsolete or unused firewall rules, and perform periodic firewall rule re-certification.
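
An added example (not AlgoSec's or NIST's code) that turns the Section 4 recommendations listed earlier (deny by default, block private or invalid IPv4 sources inbound) and the rule-evaluation tip above (duplicates, unused rules) into a check over an ordered ruleset. The `Rule` model, the hit-counter field, the bogon list subset and the sample rules are assumptions constructed for illustration, and every inbound rule is assumed to sit on the external interface.

```python
import ipaddress
from collections import namedtuple

# Hypothetical, vendor-neutral rule model; port 0 means "any port".
Rule = namedtuple("Rule", "name action direction src dst port hits")

# Illustrative subset of invalid/private IPv4 source ranges that should
# never be accepted on an external interface.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
ANY = "0.0.0.0/0"

def audit(rules):
    """Return sorted (finding, subject) tuples for an ordered ruleset."""
    findings, seen = [], {}
    for r in rules:
        # Duplicate: same match criteria and action as an earlier rule.
        key = (r.action, r.direction, r.src, r.dst, r.port)
        if key in seen:
            findings.append(("duplicate-of:" + seen[key], r.name))
        else:
            seen[key] = r.name
        # Inbound allow whose source lies wholly inside a bogon range.
        src = ipaddress.ip_network(r.src)
        if (r.action == "allow" and r.direction == "in"
                and any(src.subnet_of(b) for b in BOGONS)):
            findings.append(("inbound-bogon-source", r.name))
        # Allow rule that never matched traffic: re-certification candidate.
        if r.action == "allow" and r.hits == 0:
            findings.append(("unused-allow", r.name))
    # Each direction must end with an explicit deny-all rule.
    for direction in ("in", "out"):
        scoped = [r for r in rules if r.direction == direction]
        last = scoped[-1] if scoped else None
        if not (last and last.action == "deny"
                and last.src == ANY and last.dst == ANY and last.port == 0):
            findings.append(("no-default-deny", direction))
    return sorted(findings)

# Constructed sample ruleset (not taken from any real device).
SAMPLE = [
    Rule("web-in", "allow", "in", ANY, "203.0.113.10/32", 443, 9120),
    Rule("legacy-vpn", "allow", "in", "10.20.0.0/16", "203.0.113.20/32", 22, 0),
    Rule("web-in-copy", "allow", "in", ANY, "203.0.113.10/32", 443, 0),
    Rule("deny-in", "deny", "in", ANY, ANY, 0, 48211),
    Rule("dns-out", "allow", "out", "203.0.113.0/24", ANY, 53, 733),
]

if __name__ == "__main__":
    for finding, subject in audit(SAMPLE):
        print(f"{finding:32} {subject}")
```

On the sample, the outbound direction is flagged because its last rule is an allow rather than a deny-all, which is the gap a deny-by-default policy is meant to close.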