Cloud Pak for Data


Software Hub products on AWS Gov Cloud

By Mehboob Alam posted yesterday

  

We are pleased to announce FISMA Readiness for a wider swath of products that ship with IBM Software Hub 5.2.0. FISMA (Federal Information Security Modernization Act) requires all federal agencies to develop, document, and implement agency-wide information security programs to protect their information and operations. IBM Software Hub’s FISMA Ready portfolio now includes Data Fabric products alongside the watsonx products that have been available on the AWS GovCloud Catalog for a while. To boot, we have a reference architecture and platform, AWS GovCloud, where these products can be deployed and run under the Bring Your Own License (BYOL) program. You can help your federal customers obtain an ATO for these products for production use on AWS GovCloud or on another client-managed on-premises or cloud infrastructure. This applies at any security level (CUI, Level 4/5, Secret and above).

IBM FISMA Readiness Program

The IBM FISMA Readiness Program is a workstream for ensuring that IBM Software products can comply with certain US government regulatory requirements. IBM products are evaluated against FISMA requirements and are either found to meet the requirements directly or are updated, modified, or configured so that they meet them. Product teams implement the necessary code and configuration changes. Product teams then ensure that the products can be deployed and run on the reference architecture, which is AWS GovCloud.

These are the main phases in the program:

  1. Implement regulatory compliance table stakes
  2. Develop System Security Plan (SSP) detailing NIST 800-53 control implementation
  3. Validate product deployment on AWS
  4. Complete AWS Catalog listing (AWS Commercial Cloud + AWS GovCloud)

Level Upped "Designed by Security"

IBM Security and Privacy by Design (SPbD@IBM), which reflects IBM’s commitment to security and privacy, is a cornerstone of IBM’s software development practices. But did you know that SPbD@IBM is influenced by the United States National Institute of Standards and Technology’s (NIST) Secure Software Development Framework (SSDF)? SSDF principles and practices are aligned with FISMA requirements. As part of FISMA Readiness delivery, additional functional and non-functional requirements were incorporated into the software development and delivery of the aforementioned products.

For reference, the IBM Software Compliance Table Stakes are as follows:

  1. User authentication using Personal Identity Verification (PIV) Credential and Common Access Card, and role-based access control
  2. FIPS 140-2 and/or 140-3 validated encryption
  3. Generation of auditable event logs
  4. Clean security scan
  5. Ability to support IPv6 when required
  6. Accessibility

To be sure, some of the above requirements are not one-time evaluation or validation work; they carry a requirement for, and a commitment to, continuous delivery and updates from product teams. Examples are remediation of software security vulnerabilities and support for FIPS-validated encryption modules. These two requirements must be met continually (i.e., delivered through product updates), even after a customer has reached the authorization/ATO stage.

 

Software Hub "FISMA Ready" Portfolio

At the time of Software Hub 5.2 GA, the following "Data Fabric" products became "FISMA Ready":

  • Software Hub Platform
  • Analytics Engine powered by Apache Spark
  • Data Product Hub
  • IBM Knowledge Catalog including Data Privacy, Manta Lineage
  • Watson Studio including all premium components
  • Watson Machine Learning

The following "watsonx" products were "FISMA Ready", as announced previously:

  • watsonx.ai
  • watsonx.data
  • watsonx.governance

Final Thoughts

The IBM Software Hub 5.2 update reflects IBM’s strategic focus on delivering integrated, secure AI and data services that meet federal compliance standards. IBM Software Hub 5.2 introduced a robust suite of "FISMA Ready" products, reinforcing IBM’s commitment to secure, compliant solutions for U.S. federal agencies and contractors. The release includes enhanced support for both the Data Fabric and watsonx product lines.
