Staying Compliant with FISMA After Virtualization

Civilian government agencies are embracing virtualization as a way to cut costs and meet the government mandate for greener computing. But federal agencies are also subject to regulations and controls that are affected by virtualization. Catbird can help these organizations stay compliant as they transition from physical to virtual infrastructure.

The Federal Information Security Management Act (FISMA) reinforces the security of federal information systems, networks, and information. FISMA lays out a specific set of security best practices and guidelines from authoritative security sources like the National Institute of Standards and Technology (NIST). NIST requires each federal agency to develop, document, and implement an agency-wide program for information security. For virtualization projects within Federal agencies, compliance with established risk management processes is required by FISMA.

Virtualization’s Impact on FISMA

A number of security and compliance gaps specific to FISMA are introduced in the move from physical to virtual infrastructure. Such gaps include:

  • Loss of visibility on the virtualized network
  • Loss of separation of duties and secondary controls on the virtual network
  • The introduction of virtual machine mobility
  • Lack of network segmentation

Catbird’s extensive research has specifically identified and analyzed the new risks introduced into federal agency data centers as a consequence of virtualization. Virtualization impacts 110 FISMA controls. (Log into the Catbird Compliance Center for detailed reporting on which controls are affected and their severity, along with white papers and “how to” guides.)


Change: Hypervisor
  Effect: Adds new operating system and infrastructure layers.
  Risk: Denial of service, anonymous access, data theft, fraud.
  Solution: Monitor configuration and VM states to enforce secure configuration. Control access from VM to hypervisor.

Change: Virtual Networks
  Effect: Flattens infrastructure and networks; blinds non-virtualized tools.
  Risk: Unauthorized access, anonymous access, denial of service.
  Solution: Audit and enforce data protection for network layers 2-7.

Change: Virtual Administration
  Effect: Collapses roles and increases the privilege of administrators.
  Risk: Escalation of privilege, abuse of privilege, fraud.
  Solution: Enforce compensating controls via hypervisor and network APIs.

Change: Servers Become Files
  Effect: Increases transience, enables VM mobility, and increases the frequency of change within the data center.
  Risk: Denial of service, data or intellectual property theft, unauthorized access, fraud.
  Solution: Provide dynamic protection and controls to protect data: policy-based security follows the virtual machines. Control access from hypervisor to VM.
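The table above describes the controls at a high level; the following added example, written for this page and not Catbird’s own code, shows what a policy-follows-the-VM check looks like in practice. Every VM carries its own policy (the segment it is authorized to run in, the ports its approved build may expose, the accounts and roles granted on it), and the check is re-run whenever a VM’s placement or configuration changes. It flags three of the table’s risks: a VM migrating onto a host attached to the wrong segment (VM mobility breaking segmentation), configuration drift beyond the approved baseline, and one account holding conflicting roles (loss of separation of duties). All host names, VM names, ports, roles, severity weights and the quarantine/alert actions are constructed for the demonstration and are not FISMA control values.

```python
# Added example (hypothetical, not Catbird code): a policy-follows-the-VM compliance check.
# Each VM carries its own policy; the check is re-run on every placement or configuration
# change, so a migrated VM is judged against the policy it carries, not the host it lands on.
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    zone: str  # network segment the hypervisor's virtual switch is attached to


@dataclass
class VM:
    name: str
    host: str                   # hypervisor currently running the VM
    policy_zone: str            # segment the VM is authorized to live in
    listening_ports: frozenset  # ports observed open on the VM
    baseline_ports: frozenset   # ports the approved build is allowed to expose
    accounts: dict              # account name -> set of roles granted on this VM


@dataclass(frozen=True)
class Finding:
    vm: str
    issue: str
    severity: str  # "high" or "medium"
    action: str    # "quarantine" (take the VM offline) or "alert"


# Role pairs one account must never hold together (separation of duties); constructed.
SOD_CONFLICTS = (
    frozenset({"vm-admin", "security-auditor"}),
    frozenset({"network-admin", "security-auditor"}),
)
SEVERITY_WEIGHT = {"high": 10, "medium": 3}  # illustrative weights, not a FISMA scoring method


def evaluate(vms, hosts):
    """Return a Finding for every policy violation found on the given VMs."""
    host_by_name = {h.name: h for h in hosts}
    findings = []
    for vm in vms:
        host = host_by_name.get(vm.host)
        if host is None:
            findings.append(Finding(vm.name, f"placed on unknown host {vm.host!r}", "high", "quarantine"))
            continue
        # VM mobility: the VM now sits on a host attached to a segment its policy forbids.
        if host.zone != vm.policy_zone:
            findings.append(Finding(vm.name, f"running in zone {host.zone!r}; policy allows only "
                                             f"{vm.policy_zone!r}", "high", "quarantine"))
        # Configuration drift: services exposed beyond the approved baseline.
        extra = vm.listening_ports - vm.baseline_ports
        if extra:
            findings.append(Finding(vm.name, f"unapproved listening ports {sorted(extra)}", "medium", "alert"))
        # Separation of duties: a single account holding conflicting roles.
        for account, roles in vm.accounts.items():
            for pair in SOD_CONFLICTS:
                if pair <= roles:
                    findings.append(Finding(vm.name, f"account {account!r} holds conflicting roles "
                                                     f"{sorted(pair)}", "high", "alert"))
    return findings


def quarantine_set(findings):
    """Names of VMs the findings say should be taken offline."""
    return sorted({f.vm for f in findings if f.action == "quarantine"})


def risk_score(findings):
    """Additive risk score over all findings (weights are illustrative)."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def migrate(vm, new_host):
    """Simulate a live migration: placement changes, the VM's policy travels with it."""
    vm.host = new_host


def sample_inventory():
    """Constructed inventory for the demonstration: one DMZ host, one internal host, two VMs."""
    hosts = [Host("esx-dmz-01", "dmz"), Host("esx-internal-01", "internal")]
    vms = [
        VM("web-01", "esx-dmz-01", "dmz", frozenset({443}), frozenset({443}),
           {"ops": {"vm-admin"}}),
        VM("db-01", "esx-internal-01", "internal", frozenset({1433, 3389}), frozenset({1433}),
           {"dba": {"vm-admin", "security-auditor"}}),
    ]
    return vms, hosts


if __name__ == "__main__":
    vms, hosts = sample_inventory()
    for f in evaluate(vms, hosts):
        print(f"{f.severity:6} {f.action:10} {f.vm}: {f.issue}")
    migrate(vms[0], "esx-internal-01")  # web-01 drifts into the internal segment
    print("after migration, quarantine:", quarantine_set(evaluate(vms, hosts)))
```

On the constructed inventory the first pass reports only db-01 (an unapproved RDP port and an account that is both VM administrator and auditor); nothing is quarantined. After web-01 is migrated onto the internal host, the same policy it carried in the DMZ produces a high-severity zone violation and the VM is marked for quarantine, which is the point of binding policy to the VM rather than to the host or physical switch port.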

Remediation with Catbird vSecurity

Catbird vSecurity mitigates or completely remedies the FISMA controls negatively impacted by virtualization. Catbird’s compliance monitoring and enforcement provides a real-time, ongoing, automated analysis of an agency’s FISMA status with a risk impact score based on the effect of virtualization. Agencies may utilize this information, in conjunction with their own risk management framework, to determine the impact of virtualization on their own baseline security controls.

Catbird Features to Ease Compliance with FISMA

  • Analyze virtual (and physical) infrastructure against FISMA requirements, identifying any out-of-compliance settings.
  • Instantly “offline” any virtual machine deemed out of compliance with FISMA policy via Catbird’s automated quarantine mechanism.
  • Alert IT to unauthorized or improper changes to virtual infrastructure that will negatively impact FISMA compliance.
  • Provide detailed, real-time reporting on FISMA compliance posture for agency directors, government regulators and IT staff.
  • Deliver third-party, documented proof of FISMA compliance for auditing purposes.