FISMA Compliance with Netwrix Auditor

Integrated FISMA compliance solution for federal agencies

The Federal Information Security Management Act of 2002 (FISMA), enacted as Title III of the E-Government Act of 2002, was established to address the importance of information security to both the economic and national security interests of the United States. Any federal agency, its subcontractors and service providers, and any organization that operates IT systems on behalf of a federal agency must comply with FISMA.

To establish FISMA compliance, organizations first determine the security category of their information system in accordance with FIPS Publication 199, derive the information system impact level from that security category in accordance with FIPS 200, and then apply the appropriately tailored set of baseline security controls described in NIST Special Publication 800-53. Organizations have flexibility in applying the baseline controls under the guidance provided in NIST SP 800-53, which lets them tailor the relevant security control baseline so that it more closely aligns with their mission, business requirements and environments of operation.

FISMA (NIST SP 800-53) requirements overview

The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems.

Netwrix assists with implementation and validation of the selected controls from the following security domains:

Access Control, Audit and Accountability, Security Assessment and Authorization, Configuration Management, Contingency Planning, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Risk Assessment, System and Communications Protection, System and Information Integrity

Netwrix provides minimal or zero assistance with the following domains:

Awareness and Training, Physical and Environmental Protection, Planning, System and Services Acquisition

"It can be difficult to know what changed, when it changed, and who changed it. Add regulatory compliance and you'll need to hire a full crew to keep up with the changes over time." /Michael Domingo, Executive Editor of MCPmag.com/

The table below summarizes the relevant controls from the various NIST SP 800-53 families that Netwrix assists with. A more detailed reference guide is available here: FISMA Compliance with Netwrix

Security Controls Netwrix Provides
FAMILY: ACCESS CONTROL
AC-2 ACCOUNT MANAGEMENT Audit the creation, removal, enablement, disablement and modification of all information system accounts for compliance with organization-defined procedures and conditions. Configurable email alerts and daily reports on the relevant activities help ensure FISMA compliance.
AC-3 ACCESS ENFORCEMENT
AC-5 SEPARATION OF DUTIES
Auditing of user access rights, files, folders and their permissions across the entire IT infrastructure. Validate that all changes are made in accordance with internal policies. Audit the state of, and changes to, password and other account policies.
AC-6 LEAST PRIVILEGE Audit all privileged account activity and cross-check it against internal policies to determine the validity of the privileges granted and to prevent or mitigate malicious and risky activity (filter by groups with privileged members).
AC-7 UNSUCCESSFUL LOGON ATTEMPTS
AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION
Audit logon activity, including unsuccessful attempts. Alerts and reports on account lockouts.

AC-8 SYSTEM USE NOTIFICATION
For sensitive systems and/or selected user accounts, the screen activity video recording feature of Netwrix Auditor can be used together with a customized notification dialog displayed at logon.
AC-11 SESSION LOCK
AC-12 SESSION TERMINATION
Audit the state of, and changes to, the AD “Screen saver timeout” policy, the Remote Desktop session timeout, and other policies.
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION Audit all user activity across the entire IT infrastructure to determine and prove the validity of changes.
AC-17 REMOTE ACCESS In addition to monitoring the state of, and changes to, the related policies (see AC-11 and AC-12 above), audit all remote desktop sessions.
AC-21 INFORMATION SHARING
AC-22 PUBLICLY ACCESSIBLE CONTENT
AC-23 DATA MINING PROTECTION
To ensure FISMA compliance, audit access to and modification of data stored in MS SQL Server, file servers and SharePoint.
FAMILY: AUDIT AND ACCOUNTABILITY
AU-2 AUDIT EVENTS
AU-3 CONTENT OF AUDIT RECORDS
AU-4 AUDIT STORAGE CAPACITY
AU-7 AUDIT REDUCTION AND REPORT GENERATION
AU-8 TIME STAMPS
AU-9 PROTECTION OF AUDIT INFORMATION
AU-11 AUDIT RECORD RETENTION
AU-12 AUDIT GENERATION
A variety of reports and features can be used for a successful FISMA compliance audit. Netwrix Auditor collects configuration states, captures changes and access events, and provides a complete audit trail for reporting and analysis, including who, when, where and what data, with before and after values, consolidated in a two-tiered (file-based and SQL database) storage that retains 10 years or more of audit data. Built-in archiving capabilities with configurable retention policies.

AU-5 RESPONSE TO AUDIT PROCESSING FAILURES
Netwrix Auditor delivers a daily summary report indicating whether any failures occurred in audit data collection, processing, etc.

AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING
In addition to over 200 built-in reports with filtering capabilities that can be reviewed for specific purposes, reduce the burden of systematic audit trail reviews by using the Change Review History mechanism of Netwrix Auditor. Real-time alerts for AD and Windows Server can be configured to provide timely notifications.

AU-10 NON-REPUDIATION
Utilize a variety of ready-to-use reports on user activity across all audited systems. Built-in reports exist for each audited system, covering all changes or a specific activity. Apply report filtering to increase the relevance of the events shown.

AU-14 SESSION AUDIT
Use screen activity video recording for critical systems and highly privileged users.
FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION
CA-2 SECURITY ASSESSMENTS A variety of reports can be used to determine the effectiveness of security controls and to support security assessments.
CA-7 CONTINUOUS MONITORING
CA-8 PENETRATION TESTING
Configure Netwrix Auditor auditing policies according to organization-defined metrics and strategies. Validate audit trails by cross-checking them against security baselines to assess conformance with FISMA compliance requirements. Verify that systems are used only by authorized personnel and only for authorized purposes.
FAMILY: CONFIGURATION MANAGEMENT
CM-2 BASELINE CONFIGURATION
CM-6 CONFIGURATION SETTINGS
Compare organization-defined baselines with configuration snapshots and track changes to detect deviations or violations in Active Directory and on file servers. Some types of unauthorized changes can be automatically rolled back to their original state.

CM-3 CONFIGURATION CHANGE CONTROL
Review the audit trail of configuration changes to IT infrastructure components. Use reports covering all changes, or only the relevant ones. Set up retention policies for audit storage. Configure alerts and subscribe to reports on critical, organization-defined changes.
CM-4 SECURITY IMPACT ANALYSIS
CM-5 ACCESS RESTRICTIONS FOR CHANGE
Audit all changes across the entire IT infrastructure to validate that only authorized users are allowed to make sensitive changes.
CM-7 LEAST FUNCTIONALITY
CM-9 CONFIGURATION MANAGEMENT PLAN
CM-10 SOFTWARE USAGE RESTRICTIONS
CM-11 USER-INSTALLED SOFTWARE
Some aspects of these controls can be supported with a variety of reports that audit properly configured systems for violations, including Group and Local Policy changes, access and permission modifications, workstation auditing, registry monitoring, and other configuration assets that can be critical for maintaining FISMA compliance.
FAMILY: CONTINGENCY PLANNING
CP-4 CONTINGENCY PLAN TESTING
CP-6 ALTERNATE STORAGE SITE
CP-12 SAFE MODE
CP-13 ALTERNATIVE SECURITY MECHANISMS
Test IT systems in various modes of operation in accordance with FISMA compliance requirements and analyze the audit trails for incidents and other problems to validate the effectiveness of system functions.
CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION In addition to analyzing historical data on configuration states and changes in Active Directory, use the built-in restore feature with its object-level and attribute-level recovery wizard.
FAMILY: IDENTIFICATION AND AUTHENTICATION
IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-4 IDENTIFIER MANAGEMENT
IA-5 AUTHENTICATOR MANAGEMENT
IA-6 AUTHENTICATOR FEEDBACK
IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
Full auditing of user account states, creations, deletions and modifications in Active Directory, SQL Server and Windows Server to validate conformance with NIST SP 800-53 guidelines and organization-defined requirements in support of FISMA compliance. Auditing of password policies and their changes. Automatic password expiration notifications. Password management with a challenge-response system.
FAMILY: INCIDENT RESPONSE
IR-4 INCIDENT HANDLING Monitor system operations and use on-demand reporting to perform root cause analysis of incidents.
IR-5 INCIDENT MONITORING Audit and analyze collected events and states.
IR-6 INCIDENT REPORTING Utilize scheduled reporting and real-time alerts.
IR-9 INFORMATION SPILLAGE RESPONSE Audit all data creation to identify violations.
FAMILY: MAINTENANCE
MA-2 CONTROLLED MAINTENANCE Capture an audit trail of activities during maintenance and validate proper system functionality afterward.
MA-4 NONLOCAL MAINTENANCE Audit remote access sessions and activities.
FAMILY: MEDIA PROTECTION
MP-2 MEDIA ACCESS
MP-7 MEDIA USE
Audit access to and changes of content on file servers, and modifications in SQL Server and SharePoint, for violations.
FAMILY: PERSONNEL SECURITY
PS-4 PERSONNEL TERMINATION Revocation of authenticators/credentials associated with the individual.
PS-5 PERSONNEL TRANSFER Auditing of access authorization modifications.
FAMILY: RISK ASSESSMENT
RA-3 RISK ASSESSMENT
RA-5 VULNERABILITY SCANNING
Monitor for unauthorized access, changes and their consequences; use the audit trail for reporting.
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
SC-2 APPLICATION PARTITIONING
SC-3 SECURITY FUNCTION ISOLATION
Auditing of privileged users, access control and system management activities.
SC-5 DENIAL OF SERVICE PROTECTION Monitor for violations of user restrictions and irregularities in system function.
SC-6 RESOURCE AVAILABILITY Monitor for interruptions of user access, activities and system availability.
FAMILY: SYSTEM AND INFORMATION INTEGRITY
SI-4 INFORMATION SYSTEM MONITORING Monitor systems for illegal access and suspicious activity; audit privileged users.
SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES Use alerts for violations and indicators of compromise, plus notifications and reports.
SI-6 SECURITY FUNCTION VERIFICATION Verify that systems function correctly by looking for deviations from the baseline.
SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY Monitor critical changes to systems; audit workstation registries.
SI-12 INFORMATION HANDLING AND RETENTION Audit all operations on data for compliance with policies and regulations.
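The baseline comparison described under CM-2/CM-6 (and the who/when/where/what-with-before-and-after record shape described under AU-3) is easy to reason about when written out. The following is an added illustration, not Netwrix Auditor code: it models an organization-defined baseline and a later configuration snapshot as flat dicts of setting name to value (the BASELINE, SNAPSHOT and CRITICAL data are constructed sample values, and the setting names are hypothetical), reports every deviation with its before and after values, flags the ones that touch critical settings, and lists the baseline values a rollback would restore.

```python
"""Baseline-vs-snapshot drift detection (added example; not Netwrix code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any


@dataclass(frozen=True)
class Deviation:
    setting: str
    before: Any   # value in the baseline (None when the setting was newly added)
    after: Any    # value in the snapshot (None when the setting was removed)
    kind: str     # "changed", "added" or "removed"


def compare_to_baseline(baseline: dict[str, Any], snapshot: dict[str, Any]) -> list[Deviation]:
    """Return every setting whose snapshot value differs from the baseline, in name order."""
    deviations: list[Deviation] = []
    for key in sorted(baseline.keys() | snapshot.keys()):
        if key not in snapshot:
            deviations.append(Deviation(key, baseline[key], None, "removed"))
        elif key not in baseline:
            deviations.append(Deviation(key, None, snapshot[key], "added"))
        elif baseline[key] != snapshot[key]:
            deviations.append(Deviation(key, baseline[key], snapshot[key], "changed"))
    return deviations


def violations(deviations: list[Deviation], critical: set[str]) -> list[Deviation]:
    """Deviations that touch settings the organization has marked critical."""
    return [d for d in deviations if d.setting in critical]


def audit_records(deviations: list[Deviation], *, who: str, where: str, when: datetime) -> list[dict]:
    """Render deviations as who/when/where/what records carrying before and after values."""
    return [
        {"who": who, "when": when.isoformat(), "where": where, "what": d.setting,
         "action": d.kind, "before": d.before, "after": d.after}
        for d in deviations
    ]


def rollback_values(deviations: list[Deviation]) -> dict[str, Any]:
    """Baseline values to restore for changed or removed settings (added settings need review instead)."""
    return {d.setting: d.before for d in deviations if d.kind in ("changed", "removed")}


# Constructed sample data: a hypothetical server baseline and a later snapshot.
BASELINE = {
    "ScreenSaverTimeout": 900,
    "RemoteDesktop.SessionTimeLimit": 3600,
    "AccountLockoutThreshold": 5,
    "PasswordMinLength": 14,
    "LocalAdmins": ("Domain Admins", "SRV-OPS"),
}
SNAPSHOT = {
    "ScreenSaverTimeout": 0,                        # lock disabled
    "RemoteDesktop.SessionTimeLimit": 3600,
    "AccountLockoutThreshold": 5,
    "PasswordMinLength": 14,
    "LocalAdmins": ("Domain Admins", "SRV-OPS", "jdoe"),  # extra local admin
    "AllowUnsignedDrivers": True,                   # setting not in baseline
}
CRITICAL = {"ScreenSaverTimeout", "AccountLockoutThreshold", "LocalAdmins"}


if __name__ == "__main__":
    devs = compare_to_baseline(BASELINE, SNAPSHOT)
    for rec in audit_records(devs, who="snapshot-job", where="SRV01",
                             when=datetime.now(timezone.utc)):
        print(rec)
    print("critical violations:", [d.setting for d in violations(devs, CRITICAL)])
    print("rollback to:", rollback_values(devs))
```

In practice the two dicts would come from a stored baseline and a freshly collected snapshot; the comparison itself is the same regardless of source, and keeping every record's before and after value is what makes the later review (AU-6) and any rollback possible.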
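The AC-7 entry above (auditing unsuccessful logon attempts, with alerts on account lockouts) and the real-time alerting described under AU-6 and SI-5 boil down to a small piece of detection logic run over logon events. The following is an added example, not Netwrix code: it parses constructed sample log lines in a simplified one-line format (not any real product's log format), raises an alert once an account accumulates a threshold of failed logons (Windows Security event 4625) inside a sliding time window, and raises a separate alert for each lockout event (4740). The line format, threshold and window are assumptions chosen for the example.

```python
"""Failed-logon burst and lockout detection over sample events (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows Security: an account failed to log on
ACCOUNT_LOCKOUT = 4740  # Windows Security: a user account was locked out

# Simplified one-line format assumed for this example: "<iso-utc> <event-id> host=.. user=.. src=.."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\d+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line: str) -> dict | None:
    """Parse one log line; return None for lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["event"] = int(ev["event"])
    return ev


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list[tuple]:
    """Return (alert_type, user, host, timestamp) tuples for failed-logon bursts and lockouts.

    A burst alert fires the first time `threshold` failures for one user fall inside
    `window`; it is not repeated until the window has moved past those failures.
    """
    alerts: list[tuple] = []
    recent: dict[str, deque] = defaultdict(deque)   # per-user timestamps of recent failures
    last_alert: dict[str, datetime] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip rather than crash the review
        if ev["event"] == ACCOUNT_LOCKOUT:
            alerts.append(("lockout", ev["user"], ev["host"], ev["ts"]))
        elif ev["event"] == FAILED_LOGON:
            q = recent[ev["user"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            already = ev["user"] in last_alert and ev["ts"] - last_alert[ev["user"]] <= window
            if len(q) >= threshold and not already:
                last_alert[ev["user"]] = ev["ts"]
                alerts.append(("failed_logon_burst", ev["user"], ev["host"], ev["ts"]))
    return alerts


# Constructed sample events: jdoe fails six times in three minutes and is then locked out;
# asmith has two isolated failures; one line is malformed on purpose.
SAMPLE_LINES = [
    "2024-03-05T08:00:10Z 4625 host=SRV01 user=jdoe src=10.0.0.5",
    "2024-03-05T08:00:40Z 4625 host=SRV01 user=jdoe src=10.0.0.5",
    "2024-03-05T08:01:05Z 4625 host=SRV01 user=asmith src=10.0.0.9",
    "2024-03-05T08:01:20Z 4625 host=SRV01 user=jdoe src=10.0.0.5",
    "2024-03-05T08:02:00Z 4625 host=SRV01 user=jdoe src=10.0.0.5",
    "this line is not in the expected format",
    "2024-03-05T08:02:30Z 4625 host=SRV01 user=jdoe src=10.0.0.5",
    "2024-03-05T08:03:00Z 4625 host=SRV01 user=jdoe src=10.0.0.5",
    "2024-03-05T08:03:01Z 4740 host=DC01 user=jdoe src=SRV01",
    "2024-03-05T08:30:00Z 4625 host=SRV01 user=asmith src=10.0.0.9",
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

The suppression via `last_alert` matters for a daily review: without it, every additional failure after the threshold would generate another alert for the same burst, which is exactly the noise that makes systematic audit trail review hard.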

See how Netwrix Auditor helps meet requirements of other regulations, such as PCI, HIPAA, SOX and GLBA.

Disclaimer: This information is not intended to provide legal advice or substitute for the advice of an attorney.