U.S. Federal agencies are embracing virtualization as a way to cut costs and comply with the government mandate toward greener computing. But U.S. Federal agencies are also subject to regulations and controls that are impacted by virtualization. The Federal Information Security Management Act (FISMA) reinforces the security of federal information systems, networks, and information. FISMA lays out a specific set of security best practices and guidelines from authoritative security sources like the National Institute of Standards and Technology (NIST). NIST SP 800-53 rev3 requires each federal agency to develop, document, and implement an agency-wide program for information security. For virtualization projects within Federal agencies, compliance with established SP 800-53 risk management processes and controls is required by FISMA.
The latest NIST update (SP 800-53 rev4) is focused on a continuous monitoring approach, which is well matched with Catbird's real-time and continuous compliance monitoring. For more information, watch our webinar New NIST Guidelines for Virtualization Security.
Virtualization’s Impact on FISMA
A number of security and compliance gaps specific to FISMA compliance are introduced in the move from physical to virtual infrastructure. Those gaps include:
- Loss of visibility on the virtualized network
- Loss of separation of duties and secondary controls on the virtual network
- The introduction of virtual machine mobility
- Lack of network segmentation
The table below, put together by Catbird, identifies and analyzes the new risks introduced into federal agency data centers as a consequence of virtualization. Virtualization affects many of FISMA's information security controls.
How Catbird Helps FISMA Compliance
Catbird Insight and Catbird Secure mitigate or remedy the FISMA compliance controls negatively impacted by virtualization. Catbird’s compliance monitoring and enforcement provides a real-time, ongoing, automated analysis of an agency’s FISMA compliance status, with a risk impact score based on the effect of virtualization. Agencies may use this information, in conjunction with their own risk management framework, to determine the impact of virtualization on their own baseline security controls.
Catbird Insight and Catbird Secure ease compliance with FISMA by:
- Analyzing virtual (and physical) infrastructure against FISMA requirements, identifying any out-of-compliance settings.
- Instantly taking “offline” any virtual machine found out of compliance with FISMA policy, via Catbird’s automated quarantine mechanism.
- Alerting IT to unauthorized or improper changes to virtual infrastructure that will negatively impact FISMA compliance.
- Providing detailed, real-time reporting on FISMA compliance posture for agency directors, government regulators and IT staff.
- Delivering third-party, documented proof of FISMA compliance for auditing purposes.
For more information, read our FISMA papers: