Tools to tame the FISMA tiger

Information security managers in the federal government have their hands full trying to meet the requirements of the Federal Information Security Management Act (FISMA) of 2002. But tools to make the task easier and enhance security are improving, experts say.

FISMA requires federal agencies to make information and information systems more secure, and it encourages government agencies to buy security management products, said John Pescatore, vice president of Internet security research at Gartner.

“FISMA is providing the stick that security managers can use to say, ‘I need this security tool to improve my security procedures because of FISMA,’ ” he said.

Information security managers want tools that will help them meet compliance demands and keep data safe, Pescatore said. He tells his government clients that FISMA is about protecting data and reporting how they did it, not doing what they always do and providing data in the right format.

The increasing number of FISMA-oriented tools provides an automated way to sift through mountains of data to provide accurate, detailed, actionable information to assist with compliance, said Bill Kurtz, federal account manager at McAfee.

The products assess security, recommend remediations and audit agency progress to enact the fixes, Kurtz said. They schedule automatic assessments and notify users when to do manual updates.

Agencies need help managing the many compliance-related documents that show how organizations meet FISMA standards and track evidence that they did, said Patrick McBride, vice president of compliance solutions at Scalable Software.

Most FISMA tools address only one element, such as vulnerability management, said Kimberly Baker, vice president of federal operations at Internet Security Systems (ISS). Agencies must view their entire security situation and build a tailored solution to meet it, she said.

Security managers responsible for FISMA set up their products separately, assign their relative importance and manually fix vulnerabilities, Kurtz said.

The majority of FISMA tools do not automatically remediate the problems they find, Pescatore said. People won’t trust automatic remediation until they are sure that the security fixes won’t break legitimate applications, he said.

Tools cannot guarantee compliance but they can help agencies inventory systems, prioritize security activities and evaluate how the agency would fare in a FISMA audit, Kurtz said. Those actions can save organizations time and help them react to security incidents faster, he said.

Most existing FISMA compliance tools are security products labeled for FISMA use and may have some new elements, Pescatore said. For example, McAfee’s Foundstone product maps security to minimum FISMA guidelines, Kurtz said. It is a to-do list for using existing McAfee products.

ISS has only created one new product for FISMA, Baker said. It is a module that handles the Defense Department’s Information Assurance Vulnerability Assessment format, which ties operational security to FISMA requirements, for its SiteProtector Centralized Management System.

Some vendors are doing buff and polish jobs on existing products to get access to budget money, McBride said. Scalable Software has added three new FISMA-oriented modules to its Command Center Federal product: certification and accreditation, plans of action and milestones management, and assessment management.

Complete FISMA solutions will come, but everything is à la carte for now, Baker said. Clint Kreitner, chief executive officer at the Center for Internet Security, said an all-in-one FISMA compliance application that automatically remediates and evaluates won’t be likely until vendors develop software that operates reliably with all security features.

Such products fall into a number of categories, Pescatore said. For example, vulnerability-management tools with modules for reporting the data in the correct FISMA format gather vulnerability assessment data and compare with various requirements.

Enterprise resource planning solutions inventory information technology systems and compare the results with compliance needs. Such business dashboards are not strong security tools, but they are essential because agencies must know what’s on their networks if they are going to secure their systems or comply with FISMA, Pescatore said.

Government buyers should look for tools that fall in four key categories and include FISMA reporting options: vulnerability management, intrusion prevention, network access control, and identity and access management, he said.

— Michael Arnone