It can be hard to know how to best allocate your federal agency’s resources and talent to meet FISMA compliance, and a big part of that challenge is feeling confident that you’re choosing the right cybersecurity and compliance reporting solution.
A Few FISMA SI-7 Basics
So what sorts of specifications do you need to look for, and why? While the Federal Information Security Management Act (FISMA) is an important part of keeping governmental systems safe from cyberthreats, it is not the most intuitive set of guidelines to follow. That is especially true for one of the most difficult security controls agencies must adhere to: NIST SP 800-53 SI-7. The SI-7 control ("SI" meaning "System and Information Integrity") instructs agencies on software, firmware and information integrity. As 2017's executive order on cybersecurity states, "Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk." Government systems are categorized as low, moderate or high sensitivity. A baseline set of controls is mandatory for every agency, and that set grows for moderate- and high-sensitivity systems. The SI-7 control enhancements most relevant to the largest number of agencies are 1, 2, 5 and 7.
SI-7.1: Integrity Checks
As identified in NIST SP 800-53, “Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort.”
Questions for your cybersecurity vendor:
- Does the solution cover firmware?
- Does it cover the full scope and range of assets, including Windows, Unix, Linux, routers, switches, firewalls and storage devices?
- In environments with rapid provisioning, does the solution integrate with virtualization, cloud and DevOps tools so that it’s present when a new system is spun up?
- Can it detect the presence of a new threat (such as a newly published malicious file hash) without having to rescan?
SI-7.2: Automated Notifications of Integrity Violations
NIST SP 800-53 states, "The use of automated tools to report integrity violations and to notify organizational personnel in a timely manner is an essential precursor to effective risk response. Personnel having an interest in integrity violations include, for example, mission/business owners, information system owners, systems administrators, software developers, systems integrators, and information security officers."
Questions for your cybersecurity vendor:
- Can it detect and alert on changes in real time? Periodic scans can miss changes that are reverted before the next scan runs.
- Can it filter expected, accepted and routine change, so as to only alert on changes that need to be investigated?
- Can it target changes that have been identified by MITRE ATT&CK or other adversary-technique frameworks, so as to proactively identify the changes of greatest concern?
- Is the system capable of tracking ownership, mission, management, FISMA group and location for each asset, so as to be able to report and alert appropriately?
SI-7.5: Automated Response to Integrity Violations
As identified in NIST SP 800-53, “Organizations may define different integrity checking and anomaly responses: (i) by type of information (e.g., firmware, software, user data); (ii) by specific information (e.g., boot firmware, boot firmware for specific types of machines); or (iii) a combination of both. Automatic implementation of specific safeguards within organizational information systems includes, for example, reversing the changes, halting the information system, or triggering audit alerts when unauthorized modifications to critical security files occur.”
Questions for your cybersecurity vendor:
- Does the solution have the ability to take action on the endpoint?
- Can the solution create a ticket in an ITSM system (like Remedy or ServiceNow) when required?
- Can the solution be instructed to act completely automatically—to quarantine or otherwise disable a system—in the case of serious anomalies (such as the appearance of a new executable)?
- Can the solution integrate with multiple sources of threat intelligence datastreams to detect and identify malware and act accordingly?
SI-7.7: Integration of Detection and Response
NIST SP 800-53 states, “This control enhancement helps to ensure that detected events are tracked, monitored, corrected and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges.”
Questions for your cybersecurity vendor:
- Does the solution create an initial baseline of each asset? Are all monitored changes kept so that it’s possible to review the history of changes over time?
- Can it compare the state of an element at one time to its state at an earlier or later time?
- Can it present changes in a side-by-side format that readily enables the viewer to see insertions, deletions and modifications from one point in time to another?
- Does the system present the information in a way that readily supports documentation for further security review or legal action?
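The SI-7.1 question about matching a newly published hash without rescanning, and the SI-7.7 questions about baselines, point-in-time comparison and side-by-side change review, describe the same underlying mechanism. The following is an added example (not Tripwire's code or any product's implementation) showing that mechanism on constructed sample files; the paths, file contents and the threat indicator are all made up for the illustration.

```python
import difflib
import hashlib


def take_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Snapshot the SHA-256 of every monitored file: path -> hex digest (SI-7.7 baseline)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_snapshots(earlier: dict[str, str], later: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between two points in time as insertion, deletion or modification."""
    return {
        "added": sorted(set(later) - set(earlier)),
        "removed": sorted(set(earlier) - set(later)),
        "modified": sorted(p for p in earlier.keys() & later.keys() if earlier[p] != later[p]),
    }


def match_indicator(history: list[dict[str, str]], bad_digests: set[str]) -> list[tuple[int, str]]:
    """Check a newly published file hash against stored snapshots instead of rescanning hosts (SI-7.1).
    Returns (snapshot index, path) for every stored digest that matches an indicator."""
    return [(i, path) for i, snap in enumerate(history)
            for path, digest in sorted(snap.items()) if digest in bad_digests]


def side_by_side(path: str, before: bytes, after: bytes) -> list[str]:
    """Unified diff of one file's content between two snapshots, suitable for review or evidence."""
    return list(difflib.unified_diff(before.decode().splitlines(), after.decode().splitlines(),
                                     fromfile=f"{path}@t0", tofile=f"{path}@t1", lineterm=""))


# Constructed sample host state at two points in time (not real files or real binaries).
FILES_T0 = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/sbin/sshd": b"<sshd binary t0>",
}
FILES_T1 = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # hardening undone
    "/usr/sbin/sshd": b"<sshd binary t0>",                                       # unchanged
    "/usr/local/bin/helper": b"<unexpected new executable>",                     # appeared at t1
}
HISTORY = [take_baseline(FILES_T0), take_baseline(FILES_T1)]
# A threat feed later publishes this digest; constructed here to match the new executable above.
NEW_INDICATOR = hashlib.sha256(b"<unexpected new executable>").hexdigest()

if __name__ == "__main__":
    print(compare_snapshots(HISTORY[0], HISTORY[1]))
    print(match_indicator(HISTORY, {NEW_INDICATOR}))
    cfg = "/etc/ssh/sshd_config"
    print("\n".join(side_by_side(cfg, FILES_T0[cfg], FILES_T1[cfg])))
```

Because the digests are retained per snapshot, the indicator lookup answers "has this hash ever been present on a monitored host, and when" from stored history alone.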
Essential Traits of a Successful FISMA SI-7 Compliance Solution
To comply with SI-7, agencies must find a tool that not only performs integrity monitoring, but also automates notifications and responses to violations and then keeps a record of those violations. That is a lot to ask of a single solution, though it is possible with a robust enough integrity monitoring toolkit. Every data breach can be traced back to a file or configuration change. So if you can detect each unexpected change as it occurs, you can remediate it and return the system to a secure, hardened baseline. A file integrity monitoring (FIM) solution should provide you with:
- Visibility into any change, authorized or unauthorized, that introduces risk to your system (SI-7.1)
- Real-time alerts on file and configuration changes (SI-7.2)
- Actionable event workflows that can isolate or shut down non-compliant systems (SI-7.5)
- A suite of event collection, correlation and normalization techniques (SI-7.7)
To learn more cybersecurity and compliance best practices, download the free Tripwire white paper "Security Fundamentals for Federal Agencies."