FISMA Compliance with Netwrix Auditor

Integrated FISMA compliance solution for federal agencies

What is FISMA?

The Federal Information Security Management Act of 2002 (FISMA), enacted as Title III of the E-Government Act of 2002, recognizes the importance of information security to the economic and national security interests of the United States. The Act establishes a framework under which information security controls are evaluated for their effectiveness and comprehensiveness, and it sets minimum security requirements and controls that all federal agencies must follow.

"It can be difficult to know what changed, when it changed, and who changed it. Add regulatory compliance and you'll need to hire a full crew to keep up the changes over time." /Michael Domingo, Executive Editor of

How does Netwrix Auditor support FISMA compliance?

Netwrix Corporation provides a comprehensive line of auditing solutions that support adherence to the following FISMA requirements (control numbers and requirement text follow the NIST SP 800-53 control catalog):

Each entry below gives the control number, the requirement, and what Netwrix provides.

FAMILY: Access Control
CLASS: Technical

AC-2
Requirement: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts at least annually.
Netwrix provides: Automated, consolidated auditing and reporting of account management activity across Active Directory, Group Policy, Exchange, SQL Server databases, file servers, SharePoint and virtual environments, as well as logon activity. Reports show who changed which accounts, when and where, and cover every account that was established, activated, modified, disabled or removed, which streamlines the annual account review.

AC-3
Requirement: The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.
Netwrix provides: Active Directory, Group Policy and file server change auditing that reports every modification of user rights to administrators. The reports serve as an audit trail for auditors.

AC-5
Requirement: The information system enforces separation of duties through assigned access authorizations.
Netwrix provides: Tracking of all user logons that attributes activity to individual user IDs, so the acting user remains identifiable, including where an account is shared between several employees.

AC-7
Requirement: The information system enforces a limit of X consecutive invalid access attempts by a user during an [organization-defined] time period. The information system automatically locks the account/node for an [organization-defined time period] or delays the next login prompt according to an [organization-defined delay algorithm] when the maximum number of unsuccessful attempts is exceeded.
Netwrix provides: Automated alerts to administrators on every account lockout; scheduled reports of all logon activity, including failed attempts; self-service password management that lets end users reset their passwords securely without contacting the IT help desk; and automated monitoring of policy changes that captures unauthorized changes to password policies. Together these reduce the cost of operating a strong password policy.

AC-13
Requirement: The organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls.
Netwrix provides: Automated reports that notify designated recipients of user activity and can be archived for historical review or used as a comprehensive audit trail for FISMA auditors.

FAMILY: Audit and Accountability
CLASS: Technical

AU-2
Requirement: The information system generates audit records for the following events: [organization-defined auditable events].
Netwrix provides: Auditing and reporting of all event types, including logon events, access control changes, identity management administration, file access events, and other events defined by the organization.

AU-3
Requirement: The information system produces audit records that contain sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events.
Netwrix provides: Reports that record who made each change, what changed, and when and where it changed, together with the before and after values of every modification.

AU-5
Requirement: The information system alerts appropriate organizational officials in the event of an audit processing failure and takes the following additional actions: [organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Netwrix provides: Alerts when audit log records are overwritten or when the audit log overwrite policy changes. All audit data is also archived for a specified period, so it remains available for later review even if the original event logs are lost.

AU-6
Requirement: The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.
Netwrix provides: All significant activity is audited, reported and delivered in daily emails for review of unusual activity. An extensive set of predefined reports is available out of the box, and custom reports can be created and scheduled for regular review.

AU-7
Requirement: The information system provides an audit reduction and report generation capability.
Netwrix provides: Automated audit reports from all change management solutions, delivered by email or viewed in the console. Events that administrators deem insignificant ("noise") are filtered out, simplifying manual review.

AU-8
Requirement: The information system provides time stamps for use in audit record generation.
Netwrix provides: A timestamp on every audited event and alert.

AU-9
Requirement: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Netwrix provides: Audit data maintained by Netwrix solutions is protected by permissions and access rights against unauthorized access, modification and deletion.

AU-10
Requirement: The information system provides the capability to determine whether a given individual took a particular action.
Netwrix provides: Audit reports that show exactly who took which action and made which change.

AU-11
Requirement: The organization retains audit records for [organization-defined time period] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Netwrix provides: Reports can be archived for a specified period for later viewing. Ten years or more of data can be kept in a long-term archive and quickly retrieved for after-the-fact investigation of security incidents.

FAMILY: Certification, Accreditation, and Security Assessments
CLASS: Management

CA-7
Requirement: The organization monitors the security controls in the information system on an ongoing basis.
Netwrix provides: Daily reports showing all changes to security controls and policies. Many predefined reports simplify the ongoing review process.

FAMILY: Configuration Management
CLASS: Operational

CM-3
Requirement: The organization authorizes, documents, and controls changes to the information system.
Netwrix provides: All changes to the information system are documented and archived in readable audit reports that show who changed what, when and where, with full details of each change. Some types of unauthorized changes can be automatically rolled back to their original state.

CM-4
Requirement: The organization monitors changes to the information system conducting security impact analyses to determine the effects of the changes.
Netwrix provides: Change monitoring that makes every modification available for security impact analysis in a clear format showing what was changed and which configuration settings existed before the change.

CM-6
Requirement: The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system.
Netwrix provides: Auditing of Group Policy and event log management configuration settings. Every change to policy settings is detected and highlighted in detailed reports, supporting granular control and enforcement of the configuration baseline.

FAMILY: Media Protection
CLASS: Operational

MP-2
Requirement: The organization restricts access to information system media to authorized individuals.
Netwrix provides: Auditing and reporting of all file server access and changes.

FAMILY: Personnel Security
CLASS: Operational

PS-4
Requirement: The organization, upon termination of individual employment, terminates information system access, conducts exit interviews, retrieves all organizational information system-related property, and provides appropriate personnel with access to official records created by the terminated employee that are stored on organizational information systems.
Netwrix provides: Automated tracking of dormant user accounts, with deactivation of accounts that have been inactive for a specified period. Archiving of electronic communication records with full-text search.

PS-7
Requirement: The organization establishes personnel security requirements including security roles and responsibilities for third-party providers and monitors provider compliance.
Netwrix provides: Accurate auditing and reporting of all user events, including logon activity, Active Directory modifications, and server or object access.

FAMILY: System and Information Integrity
CLASS: Operational

SI-4
Requirement: The organization employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.
Netwrix provides: Centralized collection and consolidation of all event types, including logon activity, Active Directory modifications, and server or object access, to identify unauthorized use.
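To make the AC-7 and AU-5 entries above concrete, here is an added example of the kind of detection logic an auditing tool applies to Windows Security log events. It is illustrative code written for this page, not Netwrix Auditor code and not taken from the product. The Event IDs are the standard Windows Security log IDs (4625 failed logon, 4740 account locked out, 1102 audit log cleared, 1104 security log full); the record layout, the threshold and the window are assumed simplifications, and the log records are constructed sample data.

```python
"""Added example (not Netwrix code): AC-7 and AU-5 detection logic run
over constructed sample Windows Security log records.

AC-7: flag an account once it exceeds MAX_FAILURES failed logons
      (Event ID 4625) inside a sliding WINDOW, and report every lockout
      (Event ID 4740).
AU-5: flag audit-processing failures: audit log cleared (Event ID 1102)
      and security log full (Event ID 1104).

Record layout (time, event_id, account, source) is an assumed
simplification of what a real event collector produces.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # organization-defined threshold (assumed value)
WINDOW = timedelta(minutes=15)   # organization-defined period (assumed value)

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    # jdoe: six failures in ~2 minutes, then the lockout the DC records.
    {"time": "2024-03-01T08:00:05", "event_id": 4625, "account": "jdoe", "source": "10.0.0.21"},
    {"time": "2024-03-01T08:00:20", "event_id": 4625, "account": "jdoe", "source": "10.0.0.21"},
    {"time": "2024-03-01T08:00:41", "event_id": 4625, "account": "jdoe", "source": "10.0.0.21"},
    {"time": "2024-03-01T08:01:02", "event_id": 4625, "account": "jdoe", "source": "10.0.0.21"},
    {"time": "2024-03-01T08:01:30", "event_id": 4625, "account": "jdoe", "source": "10.0.0.21"},
    {"time": "2024-03-01T08:02:10", "event_id": 4625, "account": "jdoe", "source": "10.0.0.21"},
    {"time": "2024-03-01T08:03:00", "event_id": 4740, "account": "jdoe", "source": "10.0.0.21"},
    # asmith: six failures spread 20 minutes apart; never more than one
    # inside the 15-minute window, so the AC-7 threshold is not exceeded.
    {"time": "2024-03-01T07:00:00", "event_id": 4625, "account": "asmith", "source": "10.0.0.44"},
    {"time": "2024-03-01T07:20:00", "event_id": 4625, "account": "asmith", "source": "10.0.0.44"},
    {"time": "2024-03-01T07:40:00", "event_id": 4625, "account": "asmith", "source": "10.0.0.44"},
    {"time": "2024-03-01T08:00:00", "event_id": 4625, "account": "asmith", "source": "10.0.0.44"},
    {"time": "2024-03-01T08:20:00", "event_id": 4625, "account": "asmith", "source": "10.0.0.44"},
    {"time": "2024-03-01T08:40:00", "event_id": 4625, "account": "asmith", "source": "10.0.0.44"},
    # AU-5 conditions: someone cleared the audit log, later the log filled up.
    {"time": "2024-03-01T09:30:00", "event_id": 1102, "account": "svc_backup", "source": "DC01"},
    {"time": "2024-03-01T10:15:00", "event_id": 1104, "account": "-", "source": "DC01"},
]

AUDIT_FAILURE_IDS = {1102: "audit log cleared", 1104: "security log full"}


def _ts(record):
    return datetime.fromisoformat(record["time"])


def detect_brute_force(events, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {account: time of the failure that first exceeded the limit}.

    Events are processed in time order; per account, a deque holds the
    timestamps of failures still inside the sliding window.
    """
    recent = defaultdict(deque)
    findings = {}
    for ev in sorted(events, key=_ts):
        if ev["event_id"] != 4625:
            continue
        acct, t = ev["account"], _ts(ev)
        q = recent[acct]
        q.append(t)
        while q and t - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) > max_failures and acct not in findings:
            findings[acct] = ev["time"]
    return findings


def detect_lockouts(events):
    """Return [(time, account)] for every account lockout (Event ID 4740)."""
    return [(e["time"], e["account"]) for e in events if e["event_id"] == 4740]


def detect_audit_failures(events):
    """Return [(time, event_id, description, account)] for AU-5 conditions."""
    return [(e["time"], e["event_id"], AUDIT_FAILURE_IDS[e["event_id"]], e["account"])
            for e in events if e["event_id"] in AUDIT_FAILURE_IDS]


if __name__ == "__main__":
    print("AC-7 threshold exceeded:", detect_brute_force(SAMPLE_EVENTS))
    print("AC-7 lockouts:", detect_lockouts(SAMPLE_EVENTS))
    for finding in detect_audit_failures(SAMPLE_EVENTS):
        print("AU-5 audit processing failure:", finding)
```

The asmith records show why the window matters: the same number of failures, spaced out, never trips the threshold, so a real tool must pair per-window counting with the lockout event itself rather than rely on one or the other. The AU-5 checks are deliberately unconditional; a cleared or full Security log is always worth an alert, whoever the recorded subject is.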

See how Netwrix Auditor helps meet requirements of other regulations, such as HIPAA, GLBA, PCI and SOX.

Disclaimer: This information is not intended to provide legal advice or substitute for the advice of an attorney.