FISMA Compliance
Note: The FISMA policy framework requires Enterprise Edition.
The Federal Information Security Modernization Act (FISMA) policy framework helps federal agencies and contractors protect federal information systems according to NIST guidelines.
Overview
FISMA requires federal agencies to develop, document, and implement information security programs. Aquilon DLP’s FISMA policy implements FIPS 199 categorization and NIST SP 800-53 controls:
- AC - Access Control: Limit system access to authorized users
- AU - Audit and Accountability: Create and retain audit records
- IA - Identification and Authentication: Identify users and devices
- MP - Media Protection: Protect digital and physical media
- SC - System and Communications Protection: Protect communications
- SI - System and Information Integrity: Protect information integrity
FIPS 199 Impact Levels
| Impact Level | Potential Impact (FIPS 199) | Typical Systems | Baseline Controls (approx.) |
|---|---|---|---|
| Low | Limited adverse effect | Public-facing systems | ~127 |
| Moderate | Serious adverse effect | Most agency systems | ~325 |
| High | Severe or catastrophic adverse effect | National security, financial | ~421 |
Detection Methods
Federal System Scanners
| Scanner | Detects | Severity |
|---|---|---|
| cui_marking | CUI in federal systems | Critical |
| gov_identifier | DoD EDI-PI, federal IDs | High |
| export_control | ITAR/EAR controlled data | Critical |
PII in Federal Context
| Scanner | Federal Context Required | Severity |
|---|---|---|
| ssn | Federal employee/citizen records | Critical |
| email | .gov/.mil communications | Medium |
| address | Federal facility addresses | Medium |
| date_of_birth | Personnel records | High |
| api_key | Federal system credentials | Critical |
Configuration
Basic Configuration (Moderate Impact)
[policies]
enabled_policies = ["fisma"]
Impact Level Configuration
[policies.policy_configs.fisma]
settings = { impact_level = "moderate", confidence_threshold = "0.7" }
Configuration Options
| Option | Description | Default |
|---|---|---|
| impact_level | FIPS 199 impact level (low, moderate, high) | moderate |
| detect_cui | Detect CUI markings | true |
| detect_pii | Detect PII in federal context | true |
| detect_credentials | Detect system credentials | true |
| confidence_threshold | Minimum scanner confidence (0.0-1.0) | 0.7 |
Context Detection
Federal Agency Context
- Agency terms: federal, agency, government, bureau, department, administration
- Specific agencies: DoD, VA, HHS, DHS, Treasury, DOJ, DOE, NASA, USDA
- System terms: FISMA, ATO, authorization boundary, system owner, ISSO, ISSM
- Roles: authorizing official, AO, system security officer, privacy officer
Contractor Context
- Contractor terms: contractor, grantee, subrecipient, awardee
- Contract terms: FAR, DFARS, task order, contract vehicle, BPA, IDIQ
- Compliance: NIST, RMF, POA&M, SSP, SAR, CAP
- Oversight: DCAA, OIG, GAO, inspector general
State/Local Government
- Terms: state, county, municipal, local government, tribal
- Programs: grants.gov, federal funding, pass-through, SLFRF
- Compliance: Single Audit, 2 CFR 200, Uniform Guidance
System Categorization Context
FIPS 199 categorization indicators:
- Impact terms: confidentiality, integrity, availability, CIA
- Levels: low impact, moderate impact, high impact
- Categories: national security, PII, financial, law enforcement
- Documents: system security plan, SSP, contingency plan, BIA
Personnel Context
Federal personnel data receives elevated severity:
- HR terms: SF-86, OPM, personnel file, background investigation
- Clearance: security clearance, TS, SCI, Q clearance, L clearance
- Benefits: FEHB, TSP, retirement, pension, FERS, CSRS
- Records: eOPF, employee record, personnel action, SF-50
Example Context Flow
Finding: SSN "123-45-6789"
Context: "OPM background investigation SF-86 supplemental"
Result: Critical violation (PII in federal personnel context - high sensitivity)
Finding: Email list with .gov addresses
Context: "DHS employee directory for FISMA-moderate system"
Result: High violation (federal employee PII requiring protection)
Violation Metadata
Each FISMA violation includes:
{
  "policy": "FISMA",
  "severity": "critical",
  "fips_199_level": "moderate",
  "nist_control": "AC-3",
  "control_family": "Access Control",
  "rmf_step": "assess"
}
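The two context flows above and the violation metadata they produce, worked through as an added example (this is illustrative code, not Aquilon DLP's implementation). The term lists and scanner severities come from this page; the scoring rule (no federal or personnel context means no FISMA violation, personnel context raises severity one step), the bare "employee" term, and the scanner-to-control mapping are assumptions made for the illustration.

```python
import re

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
# Severity a scanner's finding carries once federal context is present (page tables).
BASE_SEVERITY = {
    "cui_marking": "critical", "export_control": "critical", "ssn": "critical",
    "api_key": "critical", "gov_identifier": "high", "date_of_birth": "high",
    "email": "medium", "address": "medium",
}
# Assumed mapping of scanner to the SP 800-53 control its finding evidences;
# the page lists AC-3, MP-2, SC-28 and SI-4 but does not map scanners to them.
CONTROL_FOR = {
    "api_key": ("AC-3", "Access Control"),
    "export_control": ("MP-2", "Media Protection"),
}
DEFAULT_CONTROL = ("SC-28", "System and Communications Protection")
# Federal agency and system terms from the "Context Detection" section.
FEDERAL_TERMS = [
    "federal", "agency", "government", "bureau", "department", "administration",
    "dod", "va", "hhs", "dhs", "treasury", "doj", "doe", "nasa", "usda",
    "fisma", "ato", "authorization boundary", "system owner", "isso", "issm",
]
# Personnel terms from the page; bare "employee" is an assumption added so the
# ".gov employee directory" example elevates the way the page describes.
PERSONNEL_TERMS = [
    "sf-86", "opm", "personnel file", "background investigation",
    "security clearance", "fehb", "tsp", "fers", "csrs", "eopf", "sf-50",
    "employee record", "personnel action", "employee",
]

def matched_terms(text, terms):
    """Return the listed terms that occur as whole words in text (case-insensitive)."""
    lowered = text.lower()
    return [t for t in terms if re.search(r"\b" + re.escape(t) + r"\b", lowered)]

def score_finding(scanner, context, impact_level="moderate", rmf_step="monitor"):
    """Build violation metadata for one finding, or None when no federal context is present."""
    federal = matched_terms(context, FEDERAL_TERMS)
    personnel = matched_terms(context, PERSONNEL_TERMS)
    if not federal and not personnel:
        return None  # PII with no federal context is not a FISMA violation (assumed rule)
    severity = BASE_SEVERITY.get(scanner, "medium")
    if personnel:  # "Federal personnel data receives elevated severity": one step up, capped
        severity = SEVERITY_ORDER[min(SEVERITY_ORDER.index(severity) + 1, 3)]
    control, family = CONTROL_FOR.get(scanner, DEFAULT_CONTROL)
    return {"policy": "FISMA", "severity": severity, "fips_199_level": impact_level,
            "nist_control": control, "control_family": family, "rmf_step": rmf_step,
            "context_terms": federal + personnel}
```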
Compliance Reporting
FISMA Metrics
-- FISMA findings by severity for reporting
SELECT severity, COUNT(*) as count
FROM aquilon_dlp_alerts
WHERE policy = 'FISMA'
GROUP BY severity
ORDER BY count DESC;
POA&M Support
Query findings for Plan of Action and Milestones:
-- Critical findings for POA&M
SELECT path, scanner, severity, timestamp
FROM aquilon_dlp_alerts
WHERE policy = 'FISMA'
AND severity IN ('critical', 'high')
ORDER BY timestamp DESC;
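To show what the two reporting queries above return, and to extend them with the per-month, per-control trend that ISCM reporting (RMF Step 6) calls for, here is an added example that runs them over a constructed in-memory alerts table. It is not Aquilon DLP's own tooling; it assumes the alerts table carries the columns the page's queries use (path, scanner, severity, timestamp, policy) plus a nist_control column, and every row below is constructed.

```python
import sqlite3

# Constructed sample rows: (path, scanner, severity, timestamp, policy, nist_control).
SAMPLE_ALERTS = [
    ("/srv/hr/sf86_batch.csv", "ssn", "critical", "2024-03-02T10:15:00Z", "FISMA", "SC-28"),
    ("/srv/hr/directory.xlsx", "email", "high", "2024-03-05T08:00:00Z", "FISMA", "AC-3"),
    ("/mnt/usb/export.zip", "export_control", "critical", "2024-04-11T14:20:00Z", "FISMA", "MP-2"),
    ("/srv/web/contact.txt", "address", "medium", "2024-04-12T09:05:00Z", "FISMA", "SC-28"),
    ("/srv/app/config.env", "api_key", "critical", "2024-04-20T17:45:00Z", "FISMA", "AC-3"),
    ("/srv/health/claims.csv", "ssn", "critical", "2024-04-21T11:00:00Z", "HIPAA", "SC-28"),
]

def load_alerts():
    """Create the alerts table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aquilon_dlp_alerts (path TEXT, scanner TEXT, severity TEXT,"
                 " timestamp TEXT, policy TEXT, nist_control TEXT)")
    conn.executemany("INSERT INTO aquilon_dlp_alerts VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ALERTS)
    return conn

def findings_by_severity(conn):
    """The 'FISMA Metrics' query from this page: counts per severity, most frequent first."""
    return conn.execute(
        "SELECT severity, COUNT(*) AS count FROM aquilon_dlp_alerts"
        " WHERE policy = 'FISMA' GROUP BY severity ORDER BY count DESC").fetchall()

def poam_candidates(conn):
    """The 'POA&M Support' query: critical and high findings, newest first."""
    return conn.execute(
        "SELECT path, scanner, severity, timestamp FROM aquilon_dlp_alerts"
        " WHERE policy = 'FISMA' AND severity IN ('critical', 'high')"
        " ORDER BY timestamp DESC").fetchall()

def monthly_trend_by_control(conn):
    """ISCM trend: FISMA findings per month and NIST control (added extension of the page's queries)."""
    return conn.execute(
        "SELECT substr(timestamp, 1, 7) AS month, nist_control, COUNT(*) AS count"
        " FROM aquilon_dlp_alerts WHERE policy = 'FISMA'"
        " GROUP BY month, nist_control ORDER BY month, nist_control").fetchall()

if __name__ == "__main__":
    db = load_alerts()
    for row in findings_by_severity(db) + poam_candidates(db) + monthly_trend_by_control(db):
        print(row)
```

Note that the HIPAA row is excluded by every query's policy filter, which is the check to keep in mind when one alert store serves several policy frameworks.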
Best Practices
By Impact Level
Low Impact:
- Monitor for basic data exposure
- Focus on public-facing system boundaries
- Annual assessment cycle
Moderate Impact:
- Enable full PII detection
- Monitor for CUI spillage
- Regular compliance reporting
- Quarterly POA&M updates
High Impact:
- Strict alerting on any detection
- Real-time incident response
- Enhanced audit trail integration
- Weekly security status reporting
RMF Step-by-Step Integration
Step 1 - Categorize:
Use Aquilon DLP to support system categorization:
- Discover data types stored and processed
- Identify PII, CUI, and sensitive data locations
- Document information types for FIPS 199 assessment
- Generate evidence for categorization decision
Step 2 - Select:
Map DLP findings to control requirements:
- AC-3 (Access Enforcement): Unauthorized access detection
- MP-2 (Media Access): Sensitive data on removable media
- SC-28 (Protection of Information at Rest): Unencrypted sensitive data
- SI-4 (Information System Monitoring): DLP as monitoring control
Step 3 - Implement:
Deploy DLP as part of control implementation:
- Configure policies matching system impact level
- Integrate alerts with security operations
- Document DLP coverage in SSP
Step 4 - Assess:
Use findings for control assessment:
- Generate reports for Security Assessment Report (SAR)
- Provide evidence of control effectiveness
- Document findings requiring POA&M entries
Step 5 - Authorize:
Include DLP in authorization package:
- Control implementation evidence
- Monitoring capability documentation
- Risk acceptance for any open findings
Step 6 - Monitor:
Continuous monitoring with Aquilon:
- Ongoing detection of new exposures
- Trend analysis for ISCM reporting
- POA&M remediation verification
ATO Package Documentation
Generate DLP reports for authorization packages:
Required Documentation:
- System boundary sensitive data inventory
- Control implementation evidence (AC, MP, SC, SI families)
- Monitoring capability description
- Incident detection and response integration
Assessment Evidence:
- Historical finding trends
- Remediation timelines
- False positive rates and tuning
Annual FISMA Reporting
Aquilon findings support FISMA metrics including:
- Number of systems with sensitive PII
- Data spillage incidents
- Remediation timelines
- Control effectiveness measures
- CIO FISMA metrics support
Related Resources
- Compliance Overview
- CUI - CUI detection details
- FedRAMP - Cloud service authorization
- Configuration Guide