What is FISMA?
The E-Government Act (Public Law 107-347) passed by the 107th Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FISMA requires objective assessments of the effectiveness of security controls on every information system operated by, or for, the Federal Government on an annual basis. FISMA requires both an internal evaluation and an independent assessment. As shown below, FISMA describes these security controls as control families. NIST SP 800-53 defines each of these families, as well as referencing additional NIST special publications that further describe execution of security activities for each family.
How SAINT supports FISMA
SAINT provides direct support to two of the FISMA controls:
- CA – Security Assessment and Authorization (CA-7 Continuous Monitoring)
- RA – Risk Assessment (RA-3 – Risk Assessment; RA-5 – Vulnerability Scanning)
SAINT helps government agencies assess systems with these key features:
- Detect vulnerabilities before they can be exploited. SAINT's vulnerability assessment will allow administrators to take precautions and bolster network security.
- Find fixes fast. When SAINT finds vulnerabilities, it leads network administrators to the fastest fixes for them.
- Ensure data integrity, availability and confidentiality. SAINT's frequent updates provide protection from the latest threats.
- Document network security compliance. SAINT reports provide customers with excellent records for documenting FISMA compliance and a historical perspective of a network's security picture.
- Demonstrate protection from attack. The SAINTexploit penetration testing tool provides a higher level of assurance of protection from attack.
SAINT provides a holistic approach to vulnerability assessment and risk management by combining detailed information about system vulnerabilities with potential outcomes (i.e., evidence) through penetration testing. Managers may choose to:
- Run a scan using the custom FISMA vulnerability scan policy and display the results in a pre-formatted FISMA Vulnerability Assessment Report;
- Run the FISMA vulnerability scan, then use the results to run a penetration test based on known exploits, and then report on the outcomes.
SAINT's customizable scan configuration and scheduling features, as well as built-in trend analysis tools, enable IA managers to automate the continuous monitoring process, evaluate policies and practices, and adjust activities over time, to support a policy of continuous improvement and reduced risk to critical infrastructure.
The following are all examples of SAINT's focus on support to evolving initiatives:
- SAINT is included on the OMB MAX Portal list of vendors capable of providing exported data feeds for CyberScope.
- SAINT provides support for Information Assurance Vulnerability Alerts (IAVAs), as an optional plug-in, to provide ongoing support to this DISA program and to our federal customers.
- SAINT has provided support to the CVE program for many years and continues to evolve as the National Vulnerabilities Database (NVD) expands this area.
- SAINT's involvement in the OVAL Adoption Program.
- SAINT's validation in the NIST SCAP Compliance Program
- SAINT's recognition as a CAG 20 Vetted Tools vendor.
SAINT is keenly aware of existing and evolving industry and government initiatives and continues to evolve along with those changes.