FISMA

The E-Government Act, passed into law in December 2002, recognized that information security is essential to protect the nation's economic and national security interests. Title III of the E-Government Act, the Federal Information Security Management Act (FISMA), requires United States government agencies to develop, document and implement programs to protect the confidentiality, integrity and availability of IT systems.

At the core of FISMA are NIST special publications 800-53 and 800-92. These publications identify how government agencies will make use of security controls to ensure the confidentiality, integrity and availability of their IT computing resources.

FISMA requirements are organized into named controls, such as AC-7 Unsuccessful Login Attempts or SI-3 Malicious Code Protection. A majority of the FISMA requirements can be monitored or audited by leveraging VSI's Unified Security Monitoring solution, often in multiple ways.

As an example, requirement AC-7 Unsuccessful Login Attempts can be monitored both with Nessus and with the Log Correlation Engine (LCE). Nessus configuration audit policies can verify that systems are correctly logging unsuccessful login attempts. The LCE can also be used to record all successful logins and login failures and to generate appropriate alerts. LCE login failures are normalized across all applications and network devices, not just operating systems.
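The normalization-and-alerting idea behind the AC-7 paragraph, as an added illustration that is not LCE or Nessus code and makes no claim about how those products work internally: failed logons from two differently formatted sources (a constructed sshd line and a constructed Windows Security event) are mapped to one common event shape so a single threshold rule can count them per account. The log lines, field names and the threshold of 3 are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real captures): a Linux sshd source and a
# Windows Security-log source, each reporting both failed and successful logons.
SAMPLE_LOGS = [
    "Mar 10 09:01:02 web01 sshd[1201]: Failed password for alice from 10.0.0.5 port 50000 ssh2",
    "Mar 10 09:01:05 web01 sshd[1201]: Failed password for alice from 10.0.0.5 port 50001 ssh2",
    "Mar 10 09:01:09 web01 sshd[1201]: Failed password for alice from 10.0.0.5 port 50002 ssh2",
    "Mar 10 09:01:20 web01 sshd[1203]: Accepted password for bob from 10.0.0.6 port 50010 ssh2",
    "EventID=4625 Computer=DC01 TargetUserName=alice IpAddress=10.0.0.5",
    "EventID=4624 Computer=DC01 TargetUserName=bob IpAddress=10.0.0.6",
]

# One parser per source format; both emit the same normalized dictionary.
SSHD_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)")
WIN_RE = re.compile(r"EventID=(4624|4625) Computer=(\S+) TargetUserName=(\S+) IpAddress=(\S+)")


def normalize(line):
    """Map a raw log line to {'outcome', 'user', 'src'}, or None if unrecognized."""
    m = SSHD_RE.search(line)
    if m:
        outcome = "failure" if m.group(1) == "Failed" else "success"
        return {"outcome": outcome, "user": m.group(2), "src": m.group(3)}
    m = WIN_RE.search(line)
    if m:
        # 4625 is a Windows failed-logon event, 4624 a successful logon.
        outcome = "failure" if m.group(1) == "4625" else "success"
        return {"outcome": outcome, "user": m.group(3), "src": m.group(4)}
    return None


def ac7_alerts(lines, threshold=3):
    """Count normalized failures per account across all sources and return
    the accounts whose count reaches the threshold (constructed value)."""
    failures = defaultdict(int)
    for line in lines:
        ev = normalize(line)
        if ev and ev["outcome"] == "failure":
            failures[ev["user"]] += 1
    return {user: n for user, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    # alice fails three times over SSH and once on the domain controller;
    # only the cross-source count reveals that the threshold was reached.
    print(ac7_alerts(SAMPLE_LOGS))
```

Because the rule runs over the normalized events rather than the raw lines, a fourth source format only needs a new parser, not a new alert rule.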