LTS Secure SOC BOX: FISMA Cyber Security Compliance Management

The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. §
3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E‐
Government Act of 2002 (Pub. L. 107‐347, 116 Stat. 2899). The Act is meant to
bolster computer and network security within the Federal Government and
affiliated parties (such as government contractors) by mandating information
security controls and periodic audits.

Every federal agency, including their providers, contractors & those who do business with them of any kind are required to develop, document & implement an agency wide information security program in order to be complaint with Federal Information Security Modernization Act (FISMA).

FISMA aims to enhance the government’s information security systems, while minimizing the information technology risk to an agreeable level. However, due to its broad requirements and far-reaching scope, complying with FISMA can be a daunting task.

Some of the main FISMA requirements in context of InfoSec Policies include:

  • Maintain an inventory of information systems
  • Categorize information and information systems according to risk level
  • Maintain a system security plan
  • Implement security controls (NIST 800-53)
  • Conduct risk assessments
  • Certification and accreditation
  • Conduct continuous monitoring

NIST SP 800‐37 and FISMA
As part of its FISMA responsibility to develop standards and guidance for federal agencies, NIST created
Special Publication (SP) 800‐37 “Guide for the Security Certification and Accreditation of Federal
Information Systems.” This guide is an integral part of the NIST Risk Management Framework for FISMA
and is used by agencies to understand requirements and implement tasks pertaining to the certification,
accreditation and continuous monitoring of information systems.


The NIST SP 800‐37 certification and accreditation process consists of four distinct phases as shown in

• Ensure that the authorizing official and senior agency
information security officer are in agreement with the
contents of the system security plan.
Initiation Phase
• Determine the extent to which the security controls in
the information system are implemented correctly,
operating as intended, and producing the desired
outcome.
 Certification
Phase
• Determine if the remaining known vulnerabilities in
the information system pose an acceptable level of
risk to agency operations, agency assets, or
individuals.
Security Accreditation
Phase
• Provide oversight and monitoring of security
controls in the information system on an ongoing
basis and to inform the authorizing official when
changes occur.
Continuous Monitoring
Phase
Figure 3 NIST SP 800‐37

LTS Secure SOC BOX delivers multiple essential security capabilities, streamlining and expediting your path to FISMA compliance.

  • Asset Discovery & Management
  • Vulnerability Assessment & Management
  • Event Correlation
  • Intrusion Detection (IDS)
  • Behavioral Monitoring
  • Integrated Threat Intelligence
  • Automated log collection and storage
  • FISMA Reporting

The solution helps your IT Security teams perform tasks like:-

  • Classify the devices, applications & data on your network.
  • Set up diverse set of security controls to monitor policy compliance.
  • Constantly monitor security controls, detect and respond to malicious/suspicious activities.

Request A Demo

NIST 800-37 Task

Description

LTS Secure Solution

TASK 1 : Preparation

Task:1.3 Threat Identification

Confirm potential threats that could exploit information system flaws or weaknesses have been identified and documented in the system security plan, risk assessment, or an equivalent document.

LTS Secure’s SIEM inbuilt IDS/IPS  
can be used to identify
threats real-time in the agency’s application inventory which could affect any CIA of the system.

Task:1.4   

Vulnerability Identification

 

 

 

 

 

Confirm that flaws or
weaknesses in the information
system that could be exploited
by potential threat sources have
been identified and documented
in the system security plan, risk
assessment, or an equivalent
document.

Per NIST’s recommendation,
LTS Secure VA provides an
“automated scanning” solution
to identify vulnerabilities in
software/endpoint systems.

Task:1.6 Initial Risk
Determination

Confirm that the risk to agency
operations, agency assets, or
individuals has been determined
and documented in the system
security plan, risk assessment, or
an equivalent document.

LTS Secure can identify
“vulnerabilities resulting from
the absence of security” within
software applications. Also built-in correlation engine on SIEM is capable to generate alarms even on slightest of activity that could lead to a breach scenario.

 

 

 

 

 

 

 

 

 

 

Task 4: Security Control Assessment

Task 4.1 Documentation and
Supporting Materials

Assemble any documentation
and supporting materials
necessary for the assessment
the security controls in the
information system; if these
documents include previous
assessments of security controls,
review the findings, results, and evidence.

The VA report
provided by LTS Secure can be
used as part of the
documentation and supporting
materials during the security
control assessment.

Task 4.2 Methods and
Procedures

Select, or develop when needed,
appropriate methods and
procedures to assess the
information system.

LTS Secure’s application security
testing can be used to provide an automated method and
procedure for software
assessments.

Task 4.3 Security Assessment

Assess the management,
operational and technical
security controls in the
information system using
methods and procedures
selected or developed.

LTS Secure’s automated
application security testing
provides a method and
procedure for assessing the
technical security controls
around software applications.

Task 4.4 Security Assessment
Report

Prepare the final security
assessment report.

LTS Secure’s application security
report can be provided as
supporting evidence as part of
the final report.

Task 5: Security Certification Documentation

    

Task 5.1: Findings and
Recommendations

Provide the information system
owner with the security
assessment report.

LTS Secure’s application security
report can be provided as
supporting evidence as part of
the findings and
recommendations.

Task 5.3: Plan of Action and
Milestones Preparation

Prepare the plan of action and
milestones based on the results
of the security assessment.

LTS Secure provides agencies with
a recommended remediation
plan with milestones for
improving the security of the
evaluated software.

Task 8: Configuration Management and Control

    

Task 8.2: Security Impact
Analysis

Analyze the proposed or actual
changes to the information
system (including hardware,
software, firmware, and
surrounding environment) to
determine the security impact of
such changes.

LTS Secure enables applications to
be tested for security
vulnerabilities prior to
deployment as part of a change
control management process.

Task 9: Security Control Monitoring

    

Task 9.2: Selected Security
Control Assessment

Assess an agreed‐upon set of
security controls in the
information system to

Using LTS Secure’s application
security testing, agencies can
analyze applications for


NIST 800‐37 Task

Description

LTS Secure Solution
 

determine the extent to which
the controls are implemented
correctly and produce the
desired outcome with respect to
meeting the security
requirements.

vulnerabilities to determine if
the controls related to securing
applications from vulnerabilities
are being met.

Task 10: Status Reporting and Do10cumentation

    

Task 10.2: Plan of Action and
Milestones Update

Update the plan of action and
milestones based on the
documented changes to the
information system (including
hardware, software, firmware,
and surrounding environment)
and the results of the
continuous monitoring process.

LTS Secure provides agencies with
a recommended remediation
plan with milestones for
improving the security of the
evaluated software.