U.S. Federal agencies are embracing virtualization as a way to cut costs and comply with the government mandate toward greener computing. But U.S. Federal agencies are also subject to regulations and controls that are impacted by virtualization. Catbird helps these organizations stay compliant as they transition from physical to virtual.
The Federal Information Security Management Act (FISMA) sets the security requirements for federal information systems, networks, and information, and requires each federal agency to develop, document, and implement an agency-wide information security program. FISMA draws its specific security practices and guidelines from authoritative sources such as the National Institute of Standards and Technology (NIST); NIST SP 800-53 rev3 is the catalog of security controls that federal agencies must select from and implement. For virtualization projects within Federal agencies, FISMA therefore requires compliance with the established SP 800-53 risk management processes and controls.
The move from physical to virtual infrastructure introduces a number of security and compliance gaps specific to FISMA compliance. Catbird’s research has identified and analyzed the new risks introduced into the data center of federal agencies as a consequence of virtualization; by Catbird’s count, virtualization impacts 110 SP 800-53 rev3 controls. The principal changes, their effects, the resulting risks, and the corresponding solutions are summarized in the table below. (Log in to the Catbird Compliance Center for detailed reporting on which controls are affected and their severity, white papers, and “how to” guides.)
| Change | Effect | Risk | Solution |
|---|---|---|---|
| Hypervisor | Adds new operating system and infrastructure layers. | Denial of service, anonymous access, data theft, fraud | Monitor configuration and VM states to enforce secure configuration. Control access from VM to Hypervisor. |
| Virtual Networks | Flattens infrastructure and networks; blinds non-virtualized tools. | Unauthorized access, anonymous access, denial of service | Audit and enforce data protection for network layers 2-7. |
| Virtual Administration | Collapses roles and increases privilege of administrators. | Escalation of privilege, abuse of privilege, fraud | Enforce compensating controls via hypervisor and network APIs. |
| Servers Become Files | Increases transience, enables VM mobility, and increases the frequency of change within the data center. | Denial of service, data or intellectual property theft, unauthorized access, fraud | Provide dynamic protection and controls to protect data: policy-based security follows the virtual machines. Control access from Hypervisor to VM. |
Catbird vSecurity mitigates, or completely remediates, the gaps in FISMA compliance controls that virtualization introduces. Catbird’s compliance monitoring and enforcement provides real-time, ongoing, automated analysis of an agency’s FISMA compliance status, with a risk impact score based on the effect of virtualization. Agencies may use this information, in conjunction with their own risk management framework, to determine the impact of virtualization on their baseline security controls.
Catbird Features to Ease Compliance with FISMA