LTS Secure SOC BOX: FISMA Cyber Security Compliance Management

The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub. L. 107-347, 116 Stat. 2899). The Act is meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating information security controls and periodic audits.

Every federal agency, together with its providers, contractors and anyone else who does business with it, is required to develop, document and implement an agency-wide information security program in order to be compliant with the Federal Information Security Modernization Act (FISMA).

FISMA aims to enhance the government’s information security systems while reducing information technology risk to an acceptable level. However, because of its broad requirements and far-reaching scope, complying with FISMA can be a daunting task.

Some of the main FISMA requirements in the context of InfoSec policies include:

  • Maintain an inventory of information systems
  • Categorize information and information systems according to risk level
  • Maintain a system security plan
  • Implement security controls (NIST 800-53)
  • Conduct risk assessments
  • Certification and accreditation
  • Conduct continuous monitoring

NIST SP 800-37 and FISMA

As part of its FISMA responsibility to develop standards and guidance for federal agencies, NIST created Special Publication (SP) 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems.” This guide is an integral part of the NIST Risk Management Framework for FISMA and is used by agencies to understand requirements and implement tasks pertaining to the certification, accreditation and continuous monitoring of information systems.


The NIST SP 800-37 certification and accreditation process consists of four distinct phases, as shown in Figure 3:

  • Initiation Phase: Ensure that the authorizing official and senior agency information security officer are in agreement with the contents of the system security plan.
  • Certification Phase: Determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome.
  • Security Accreditation Phase: Determine if the remaining known vulnerabilities in the information system pose an acceptable level of risk to agency operations, agency assets, or individuals.
  • Continuous Monitoring Phase: Provide oversight and monitoring of security controls in the information system on an ongoing basis and inform the authorizing official when changes occur.

Figure 3: NIST SP 800-37 certification and accreditation phases

LTS Secure SOC BOX delivers multiple essential security capabilities, streamlining and expediting your path to FISMA compliance.

  • Asset Discovery & Management
  • Vulnerability Assessment & Management
  • Event Correlation
  • Intrusion Detection (IDS)
  • Behavioral Monitoring
  • Integrated Threat Intelligence
  • Automated log collection and storage
  • FISMA Reporting

The solution helps your IT security teams perform tasks such as:

  • Classify the devices, applications and data on your network.
  • Set up a diverse set of security controls to monitor policy compliance.
  • Continuously monitor security controls, and detect and respond to malicious or suspicious activity.

Mapping of NIST 800-37 tasks to the LTS Secure solution (columns: NIST 800-37 Task, Description, LTS Secure Solution):

Task 1: Preparation

Task 1.3: Threat Identification
Description: Confirm that potential threats that could exploit information system flaws or weaknesses have been identified and documented in the system security plan, risk assessment, or an equivalent document.
LTS Secure Solution: The IDS/IPS built into LTS Secure’s SIEM can be used to identify, in real time, threats in the agency’s application inventory that could affect the confidentiality, integrity or availability (CIA) of the system.

Task 1.4: Vulnerability Identification
Description: Confirm that flaws or weaknesses in the information system that could be exploited by potential threat sources have been identified and documented in the system security plan, risk assessment, or an equivalent document.
LTS Secure Solution: Per NIST’s recommendation, LTS Secure VA provides an “automated scanning” solution to identify vulnerabilities in software and endpoint systems.

Task 1.6: Initial Risk Determination
Description: Confirm that the risk to agency operations, agency assets, or individuals has been determined and documented in the system security plan, risk assessment, or an equivalent document.
LTS Secure Solution: LTS Secure can identify “vulnerabilities resulting from the absence of security” within software applications. The SIEM’s built-in correlation engine can also raise alarms on even minor activity that could lead to a breach.

Task 4: Security Control Assessment

Task 4.1: Documentation and Supporting Materials
Description: Assemble any documentation and supporting materials necessary for the assessment of the security controls in the information system; if these documents include previous assessments of security controls, review the findings, results, and evidence.
LTS Secure Solution: The VA report provided by LTS Secure can be used as part of the documentation and supporting materials during the security control assessment.

Task 4.2: Methods and Procedures
Description: Select, or develop when needed, appropriate methods and procedures to assess the information system.
LTS Secure Solution: LTS Secure’s application security testing can be used to provide an automated method and procedure for software assessments.

Task 4.3: Security Assessment
Description: Assess the management, operational and technical security controls in the information system using the methods and procedures selected or developed.
LTS Secure Solution: LTS Secure’s automated application security testing provides a method and procedure for assessing the technical security controls around software applications.

Task 4.4: Security Assessment Report
Description: Prepare the final security assessment report.
LTS Secure Solution: LTS Secure’s application security report can be provided as supporting evidence as part of the final report.

Task 5: Security Certification Documentation

Task 5.1: Findings and Recommendations
Description: Provide the information system owner with the security assessment report.
LTS Secure Solution: LTS Secure’s application security report can be provided as supporting evidence as part of the findings and recommendations.

Task 5.3: Plan of Action and Milestones Preparation
Description: Prepare the plan of action and milestones based on the results of the security assessment.
LTS Secure Solution: LTS Secure provides agencies with a recommended remediation plan with milestones for improving the security of the evaluated software.

Task 8: Configuration Management and Control

Task 8.2: Security Impact Analysis
Description: Analyze the proposed or actual changes to the information system (including hardware, software, firmware, and surrounding environment) to determine the security impact of such changes.
LTS Secure Solution: LTS Secure enables applications to be tested for security vulnerabilities prior to deployment as part of a change control management process.

Task 9: Security Control Monitoring

Task 9.2: Selected Security Control Assessment
Description: Assess an agreed-upon set of security controls in the information system to determine the extent to which the controls are implemented correctly and produce the desired outcome with respect to meeting the security requirements.
LTS Secure Solution: Using LTS Secure’s application security testing, agencies can analyze applications for vulnerabilities to determine if the controls related to securing applications from vulnerabilities are being met.
Task 10: Status Reporting and Documentation

Task 10.2: Plan of Action and Milestones Update
Description: Update the plan of action and milestones based on the documented changes to the information system (including hardware, software, firmware, and surrounding environment) and the results of the continuous monitoring process.
LTS Secure Solution: LTS Secure provides agencies with a recommended remediation plan with milestones for improving the security of the evaluated software.