FISMA



Qualys Solutions for IT Security & Compliance

Qualys' on demand approach to IT security and compliance enables organizations of all sizes to successfully achieve both vulnerability management and policy compliance initiatives cohesively, while reducing costs and streamlining operations. Using an innovative Software as a Service (SaaS) approach, the QualysGuard® Security and Compliance Suite combines Qualys' industry leading vulnerability management service with a comprehensive IT compliance solution.



Related Links

From Qualys:

FISMA is the Federal Information Security Management Act of 2002. It imposes strong requirements to secure government information and holds federal agencies accountable for their success in meeting this goal. Organizations that exchange data with federal information systems also must comply with requirements of FISMA. This page provides background information about FISMA and describes how solutions from Qualys help federal agencies and contractors to be compliant.



About FISMA

FISMA is part of the E-Government Act of 2002. Its provisions fall into three major categories: assessment, enforcement, and compliance. The first pertains to determining the adequacy of the security of federal assets. The second requires that key information security provisions be implemented and managed. The third establishes provisions for the management of each agency's information security program and the accountability of each agency for compliance and reporting. FISMA directs the National Institute of Standards and Technologies (NIST) to create and manage technical standards for compliance. Key standards include NIST Special Publication 800-53, and Federal Information Processing Standards (FIPS) 199 and 200. Audits for FISMA compliance are managed by the Office of Management and Budget (OMB).



Why FISMA Matters to Your Organization

Threats to federal systems and critical cyber infrastructure come from sovereign states, terrorists, criminals, lone hackers, and mistakes committed by staff and contractors. A successful exploit would be disastrous if it stopped vital functions of government and critical services. If a federal agency fails to comply with FISMA, it may be sanctioned via a budget cut. Contractors that exchange data with federal information systems must comply with FISMA or risk termination from a contract. Non-compliance may preclude contractors from bidding on future federal contracts.



Considerations for a FISMA Security Compliance Program

Compliance with FISMA can be challenging due to the broad scope of technical standard specified by NIST. The security framework in SP 800-53 includes 17 areas of security covering 205 technical and program management controls. Mapping these to IT operations of a large federal agency, implementation, and ongoing management is a huge process. To help, current and past federal CIOs and CISOs working in conjunction with the SANS Institute created the Consensus Audit Guidelines (CAG), which are 20 critical controls for effective cyber defense. These specific recommendations are "viewed as effective in blocking currently known high-priority attacks, as well as those attack types expected in the near future." CAG Critical Control 10: Continuous Vulnerability Assessment and Remediation, along with other provisions in SP 800-53 are addressed by Qualys solutions. Automation is a vital part of these, and NIST has further specified that vulnerability scanners used for FISMA compliance must conform to its Security Content Automation Protocol (SCAP). The QualysGuard FDCC scanner module is validated by NIST as conforming to the SCAP specification in accordance with OMB's Memorandum M-07-11, "Implementation of Commonly Accepted Security Configurations for Windows Operating Systems."



How Qualys Solutions Help Registered Entities Meet FISMA Requirements

Qualys solutions in the QualysGuard Security and Compliance Suite enable immediate compliance with key FISMA requirements by allowing subscribers to automatically discover and manage all devices and applications on the network, identify and remediate network security vulnerabilities, measure and manage overall security exposure and risk, and ensure compliance with internal and external FISMA policies.


In particular, solutions in the QualysGuard IT Security & Compliance Suite fulfill key security controls from NIST SP 800-53 and specified by CAG Critical Control 10, including: RA-3 (a, b, c, d) and RA-5 (a, b, 1, 2, 5, 6), plus many others. These are summarized in the matrix below. For a detailed explanation requirement-by-requirement, see FISMA Compliance: Making the Grade.


FISMA RequirementsQualysGuard Capabilities
Specific accountability of agencies and officials
  • Regular reports show security status of assets owned by of each organization and manager
  • Summary reports show enterprise view for formal FISMA reporting
Assess risk by seeking to meet defined security objectives
  • Reports provide identification of levels of risk, including user-defined levels in next release
  • Data can be used in risk assessments to support Certification and Authorization activity
  • Managers can make risk-based decisions about asset management
Maintain an inventory of major systems and interconnections
  • QualysGuard can be used to uncover all assets in defined domain, including those previously "undiscovered", to build and maintain the inventory
  • Relationships between assets can be mapped to help assign accountability for inventoried assets
Regular security assessments and reviews
  • Vulnerabilities are identified by asset, allowing audits to be targeted as appropriate
  • Scans can be run and used as input to assessments
  • Assessments are automated, reducing staffing costs, and include identification of likelihood and impact assist with Certification and Accreditation activity
  • Changes can be mapped over time to audit compliance with recommendations in earlier assessments
Significant regular reporting of ISS program progress and results
  • Trend information includes changes to level of threats and vulnerabilities
  • Management can focus on particular vulnerabilities to quickly correct "hot" issues, such as CAG
  • Reports can list corrected vs. still active vulnerabilities to show status of corrective action
  • Data can be summarized to provide each level of management with their own view of security "health"
Tracking of significant deficiencies and remediation actions taken
  • System administrators can filter reports to show specific vulnerabilities and recommended corrective measures
  • Trouble tickets can be assigned to appropriate personnel to enforce remediation requirements
  • Reports show exact status of mitigation activity - corrected vs. still active vulnerabilities
Incident response and prevention processes and capability
  • Scans give early warning of organizational exposure to new vulnerabilities
  • Recommended mitigation actions foster unified organizational approach to potential incidents
  • Specific vulnerabilities are mapped to assets for more rapid assessments and response
  • Reports can be shared with internal and external incident response organizations
Compliance with minimum system configuration requirements
  • Reports identify asset features and components such as OS, protocols and services
  • The mapping of specific vulnerabilities to assets shows compliance with configuration management requirements
Policies and procedures which support compliance and training for key ISS personnel
  • Scan output and reports show where policies and procedures need to be strengthened
  • ISS staff response to vulnerabilities can be assessed to determine where training is needed
Integration of security management processes with strategic and operational planning
  • High-level reports showing overall status of security and asset management can be included in Exhibits 53 and 300B input to capital planning process
  • Improvements to security can be measured and used to support program management and operational planning activity
Stay Connected with Qualys
Free Tools & Trials
Qualys Community
Other Links