What is FISMA and what does FISMA readiness mean?
The Federal Information Security Modernization Act (FISMA) is a U.S. law that mandates strict security standards for federal agencies and organizations handling government data. It applies to federal agencies, contractors, and private companies that work with the Government.
GDP has obtained an IBM-led readiness assessment designed to help clients meet FISMA High requirements. FISMA High includes 360 controls from NIST 800-53; many of these controls are operational in nature, and only a subset apply to software products like Guardium Data Protection. This designation reinforces IBM's commitment to proactively supporting federal agencies and contractors in securing their databases, streamlining compliance, and accelerating deployments.
What does it mean for you?
If you are a federal agency or a contractor looking to secure your databases, meet compliance requirements, and accelerate deployments, GDP can help with that and more:
- Assures that FISMA High can be met using Guardium Data Protection, which helps to jump-start the development of a system security plan
- GDP's FISMA readiness assessment status means it is pre-validated to meet applicable FISMA controls, saving you time, reducing audit complexity, and providing peace of mind
- Certifies essential NIST SP 800-53 controls for FIPS 140-2 encryption (at rest and in motion), multi-factor authentication (MFA), audit event logs, essential session activity, error handling and more
If you are a non-federal entity in an industry such as finance, healthcare, or critical infrastructure, you can still leverage NIST 800-53 controls as a foundation for your security frameworks.
What other benefits can GDP bring you?
- Helps you achieve data compliance faster with compliance tagging, prebuilt templates (HIPAA, GDPR, SOX and many more), easy-to-use workflows and long-term data retention
- Provides centralized visibility and control
- Enables you to monitor security policies and sensitive data access control, privileged user actions, change control, application user activities and security exceptions for faster remediation
Applicable NIST SP 800-53 Controls Supported by Guardium Data Protection

Access Control (AC)
- AC-02(03) Disable Accounts
- AC-03 Access Enforcement
- AC-06(02) Non-privileged Access
- AC-06(09) Log Use of Privileged Functions
- AC-06(10) Prohibit Non-privileged Users from Executing Privileged Functions
- AC-07 Unsuccessful Logon Attempts (2)
- AC-10 Concurrent Session Control
- AC-11 Device Lock (2)
- AC-11(01) Pattern-hiding Displays
- AC-12 Session Termination
- AC-17(02) Protection Using Encryption

Identification & Authentication (IA)
- IA-02 Identification & Authentication
- IA-02(01) MFA for Privileged Accounts
- IA-02(02) MFA for Non-privileged Accounts
- IA-02(08) Access to Accounts: Replay Resistant
- IA-02(12) Acceptance of PIV Credentials
- IA-03 Device Identification & Authentication
- IA-05 Authenticator Management
- IA-05(01) Password-based Authentication (4)
- IA-06 Authentication Feedback
- IA-07 Cryptographic Module Authentication

Audit & Accountability (AU)
- AU-02 Event Logging (3)
- AU-03 Content of Audit Records (6)
- AU-05 Response to Audit Failures (2)
- AU-07(01) Automatic Processing
- AU-08 Time Stamps (2)
- AU-09 Protection of Audit Information
- AU-09(04) Access by Subset of Privileged Users
- AU-12 Audit Record Generation (3)

System and Services Acquisition (SA)
- SA-04(10) Use of Approved PIV Products
- SA-10 Developer Configuration Management (6)
- SA-11 Developer Testing & Evaluation (5)

Assessment, Authorization, and Monitoring (CA)
- CA-09 Internal System Connections (3)

System & Communications (SC)
- SC-02 Separation of System & User Functionality
- SC-08 Transmission Confidentiality & Integrity
- SC-08(01) Cryptographic Protection
- SC-10 Network Disconnect
- SC-12 Cryptographic Key Management
- SC-13 Cryptographic Protection (2)
- SC-23 Session Authenticity
- SC-28 Protection of Information at Rest

Configuration Management (CM)
- CM-05(01) Automated Access Enforcement