FISMA / NIST 800-53 Compliance with SolarWinds Products

As a part of helping untangle compliance initiatives, a popular request on the federal side is FISMA (Federal Information Systems Management Act) Compliance. In this post, I'll outline what FISMA compliance is, we'll walk through FISMA bit-by-bit, and we'll talk about where SolarWinds products can help.

FIS-WHAT? What is FISMA? And how does NIST play into it? And FIPS?

What it actually means to take on what's commonly referred to as "FISMA Compliance" is described in several NIST (National Institute of Standards and Technology) publications. It's pretty impressive the amount of NIST publications out there, but there's really only a few we're interested in. A couple of these are FIPS (Federal Information Processing Standard) publications - usually when we think of FIPS we think of encryption, but here we're mostly focused on risk analysis.

1. NIST 800-53: This is the main "FISMA Compliance" publication. This describes what controls need to be applied to different systems.
2. FIPS 199 and
3. FIPS 200: These two documents describe how to perform risk analysis and categorization for systems on the network. You'll need this categorization when you actually go to implement 800-53.

Here's a great summary, though wordy, of how all of that fits together:

FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST in response to FISMA. To comply with the federal standard, organizations first determine the security category of their information system in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level from the security category in accordance with FIPS 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations

Okay, okay, how about the super TL;DR version? In order to implement FIPS 200 with NIST 800-53, you have to first do the risk categorization in FIPS 199. Whew!

Navigating and Implementing NIST 800-53 - High Level

We'll leave the whole exercise of assigning risk up to you, since it'll be different for each environment. Once you've done that, as you walk through the 800-53 requirements, you'll see different controls that need to be applied at different levels. Generally, you'll have to comply with the "document" and "policy" controls across all risk levels, but some of the finer controls may not need to be applied to all risk levels.

Chapter 2 of NIST 800-53 (top of page 9) has a great breakdown of the steps that need to be applied. Of interest to us when it comes to where SolarWinds products can help are:

• Step 3: Implement controls
  • Several products, including Network Configuration Manager (NCM), Patch Manager, and others, can be used to satisfy controls OR help implement and manage implementation of controls
• Step 4: Assess controls are working correctly
  • Several products, including NCM, Log & Event Manager (LEM), Firewall Security Manager (FSM), and others, can be used to make sure controls have been implemented correctly.
• Step 6: Monitor
  • Lastly, several products, including LEM, Network Performance Monitor (NPM), NCM, and others, can be used to make sure that controls are working as expected, bypasses aren't attempted, and produce reports that can be used to prove it.

I'll walk through each control and identify relevant products for each category as I go, so you don't have to memorize them all just yet.

Key Out of the Box Content for NCM and LEM

Before we dig into implementing key controls (Step 3), as a part of assessing and monitoring controls (Step 4 & Step 6), there is out of the box content included in NCM and LEM that is designed to help:

1. For LEM:
   1. There are hundreds of out of the box reports, many of which are categorized for FISMA specifically. These reports really help address the Assess/Monitor by helping look for exceptions to controls, unexpected changes or activity, or attempts to bypass controls. In the LEM Reports Console, navigate to Configure > Manage Categories, select FISMA, then click OK. To see the list, go to View > Industry Reports.
   2. In addition, LEM includes dozens of correlation rules categorized for different compliance initiatives that can help - and be quickly enabled. From the LEM Console, navigate to Build > Rules, and either launch the Add Rule Wizard or navigate to the categories on the bottom left. I'd recommend starting with General Best Practice, but as we go through the actual controls you should find relevant correlation rules where real-time notifications are useful.
2. For NCM:
   1. There are several templates that can be loaded from Thwack's Content Exchange to help:
      1. NIST - Services.xml: identify services exposed on network devices
      2. NIST - Remote Access.xml: identify remote access enabled on network devices
      3. NIST - Management.xml: identify management protocols used on network devices
      4. NIST - Access-Lists.xml: identify key access control lists that should be present
   2. To enable these templates from NCM, click CONFIGS, then NCM Settings, then Device Templates under Advanced. Click Shared Templates on thwack, browse to the NIST templates above (easiest to search using "NIST"), select them, and click Import. Head back to CONFIGS, then Compliance, and you should see them listed under the NIST category.

Control-by-Control Details

You might want to get a cup of coffee (or tea) while you read through this, as there's a lot here. The entirety of Appendix F of 800-53 actually describes the controls and implementing them in detail. I'm going to skip over a lot of them since they don't apply to implementing SolarWinds products, but I'll include a description for each and more details where they are especially relevant. Got your warm beverage? Let's get going.

• AC-X: Access Control
  • General Notes: In general, there's a few areas our products can help, but a lot of these controls will be implemented at the policy or device level. For some of these, NCM can help you distribute configuration or identify violations where it comes to network devices; LEM can help audit and monitor for potential changes.
  • Of interest:
    • AC-2: Account Management:
      • You could use LEM to identify accounts that are created outside of these controls - e.g. service accounts being added to unexpected groups - either in real-time or via reports.
      • You could use LEM to audit when passwords were changed on accounts, when users were added to groups, etc - either in real-time or via reports.
      • LEM can help satisfy AU-2(2): Automated Auditing for creation, modification, enabling, disabling, and removal, either in real-time or via reports.
      • LEM can assist with AU2(12): Atypical Usage by looking for logon activity or patterns that are outside your environment norms, either in real-time or via reports.
    • AC-4: Information Flow Enforcement
    • LEM can help with AC-4(17) - ensure local authentication is not used by auditing for local authentication activity on systems (logons not to the domain), either in real-time or via reports.
    • AC-6: Least Privilege
      • LEM can help audit where things deviate from least privilege - e.g. when an unexpected user accesses certain files, systems, or commands, either in real-time or via reports.
      • NCM can help audit device policies for existing privileged users as things change, and roll out configuration changes if necessary.
    • AC-7: Unsuccessful Logon Attempts
      • Usually this is implemented in IAM/Domain/system policy, but you can use LEM to confirm this policy is being enforced and see how frequently it is used, generally via reports/historical analysis.
    • AC-8: System Use Notification
    • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
    • AC-9: Previous Logon (Access) Notification
      • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
    • AC-10: Concurrent Session Control
    • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
    • AC-11: Session Lock
    • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
    • AC-12: Session Termination
    • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
    • AC-16: Security Attributes
    • Depending on how controls are implemented, it's possible that LEM can help identify when things deviate from expected policy, either in real-time or via reports.
    • AC-17: Remote Access
      • LEM can help audit/monitor remote access, but not implement controls. LEM can also help audit where remote access is being used outside of expected controls (e.g. controls are being bypassed, or attempts to bypass are being made). As usual, this can be done either in real-time or via reports.
        • Explicitly, LEM can help with AC-17(1) - automated monitoring / control
      • NCM can help audit where and how remote access is being used across network devices, identify violations, and potentially roll out policy changes if necessary.
    • AC-19: Access Control for Mobile Devices
      • You may be able to use User Device Tracker (UDT) to detect usage of devices that are in those classified networks/facilities, and possibly also use LEM to identify authentication from unexpected users or devices.
    • AC-20: Use of External Information Systems
      • LEM can help audit AC-20(2) and AC-20(3) - use of portable storage devices and personal devices with USB-Defender when policy is bypassed/ignored.
    • AC-23: Data Mining Protection
      • You may be able to use LEM with SQL Auditor or Database Performance Analyzer (DPA) to identify when large queries or unexpected activity is being done to a database.
• AT-X: Awareness Training
• AU-X: Audit and Accountability
  • General Notes: A lot of this set of controls is about what data you might feed into a system like LEM and how that data needs to be preserved. LEM can help satisfy some controls directly. Some of the comments below are about how LEM treats relevant data within the controls, should be implemented to satisfy the controls, or satisfies these requirements specifically.
    • A really good note from AU-6(10) to keep in mind: remember that you can adjust audit levels depending on organizational needs and risks changing! You don't have to just enable the firehose.
  • Of Interest:
    • AU-2: Audit Events
      • LEM helps serve this, but this control is about what you feed into LEM.
    • AU-3: Content of Audit Records
      • Again, LEM stores this data, but generally this is up to logging sources. Where we normalize data, we preserve these fields.
      • AU-3(2) - Centralized Management of Planned Audit Record Content - about automation. At a low level, you would serve with tools like NCM (for devices), or Group Policy, but LEM can play a factor in automating configuration to ensure the right data is captured from similar systems with connector profiles.
    • AU-4: Audit Storage Capacity
      • Depending on your storage requirements you would need to ensure LEM has enough storage capacity to meet your needs, and can implement archiving as well.
    • AU-5: Audit Processing Failures
      • LEM can generate events when agents go offline, when there's an issue storing or processing data, when running out of disk space, and on behalf of other systems when audit logs are cleared, when there are hardware issues we can detect via log data
    • AU-6: Audit Review, Analysis, and Reporting
      • LEM satisfies this requirement, up to you to decide which systems need to be audited and for what, and ensure the required data is logged for collection
      • Correlation with some data sources (e.g. "non-technical sources" in AU-6(9)) may have to be a manual process done as a part of investigation.
    • AU-7: Audit Reduction and Report Generation
      • LEM satisfies this requirement
    • AU-8: Time Stamps
      • LEM satisfies this requirement (note - we will use timestamps provided by log sources as well, but may only be down to the second)
    • AU-9: Protection of Audit Information
      • LEM satisfies this requirement (be sure to reference our earlier post: Log & Event Manager Appliance Security and Data Protection)
    • AU-10: Non-repudiation
      • For data stored and accessed in LEM, LEM satisfies this requirement
    • AU-11: Audit Record Retention
      • Depending on your retention requirements, you'd need to ensure LEM has enough storage capacity to meet your needs
    • AU-12: Audit Generation
      • LEM helps satisfy this requirement
    • AU-14: Session Audit
    • With AU-14(3), you may be able to satisfy some requirements with DameWare.
    • AU-15: Alternate Audit Capability
      • You may want to set up backup logging for devices that syslog, or architect LEM in such a way that you can go to point systems or syslog servers or servers directly to ensure (prove) you can still access data.
    • AU-16: Cross-Organizational Auditing
      • Potentially, you can use LEM to foster cross-organizational auditing (exporting, providing limited access, etc)
• CA-X: Security Assessment and Authorization
  • General Notes: for the most part, this isn't an area we can help support, but Continuous Monitoring does fall under this area.
  • Of Interest:
    • CA-7: Continuous Monitoring
      • LEM can help facilitate continuous monitoring (correlating security data, alerting, reporting). We also find many federal government customers utilizing NPM, Server & Application Monitor (SAM), and other parts of our monitoring suite to support enterprise-wide continuous monitoring.
• CM-X: Configuration Management
  • General Notes: A few products can help here, but primarily NCM when it comes to network devices. Patch Manager and LEM can also pitch in in a few key areas.
  • Of Interest:
    • CM-2: Baseline configuration
      • For devices, NCM (and partially FSM) can help establish and automate comparing configs to a baseline, and retaining configs.
    • CM-3: Configuration Change Control
      • For devices, NCM (and partially FSM) can help test/validate/document, automate changes
    • CM-5: Access Restrictions for Change
      • You may be able to use LEM to audit when changes are made depending on components and policies actually changed. NCM for devices and things like dual authorization.
    • CM-6: Configuration Settings
      • CM-6(1) - automated central management - use NCM for network devices.
      • CM-6(2) - NCM can help for devices, and LEM can potentially alert on relevant events in real-time.
    • CM-7: Least Functionality
      • LEM can help audit when unauthorized software and programs are being executed.
    • CM-8: Information System Component Inventory
      • Patch Manager can help audit software and system status.
    • CM-10: Software Usage Restrictions
      • You can use LEM to audit when P2P and other software is used in general, and Patch Manager to audit what's installed on a system, but it may not ultimately be perfect.
    • CM-11: User Installed Software
      • You can use LEM to audit when much software is being installed, and Patch Manager to know what's on a system.
• CP-X: Contingency Planning
• IA-X: Identification and Authentication
• IR-X: Incident Response
  • General Notes: For the most part, LEM can help when it comes to incident generation and investigation, and also leveraging active response can provide you in-the-moment capabilities to deal with incidents as they occur.
  • Of Interest:
    • IR-4: Incident Handling
      • LEM can support this - including IR-4(4) information correlation, IR-4(5) automatic disabling of information system, and IR-4(9) dynamic response capability.
    • IR-5: Incident Monitoring
      • LEM may generate incidents from correlated activity, and this information can be tracked and stored (reports produced, alerts sent, etc).
    • IR-6: Incident Reporting
      • LEM can help support IR-6(1) - automated reporting to report correlated incidents detected from within LEM. (Where other SW products are used to detect and generate incidents, this is also generally true of them.)
• MA-X: System Maintenance
  • General Notes: NCM is a key player here to help with controlling and managing approvals where it comes to network devices. LEM can help alert when stuff just doesn't seem according to expected maintenance policies.
  • Of Interest:
    • MA-2: Controlled Maintenance
      • NCM can help with MA-2(2) automated maintenance for network devices, and LEM can help audit when maintenance is taking place outside of expected maintenance windows.
    • MA-4: Nonlocal Maintenance
      • LEM can help audit MA-4(1) - auditing and review of nonlocal maintenance.
      • NCM can help with MA-4(5) - approvals and notifications - when it comes to network devices.
• MP-X: Media Protection
  • General Notes: Most of this isn't relevant when it comes to SolarWinds products, but there's one area when it comes to removable devices where LEM's USB-Defender can help.
  • Of Interest:
    • MP-2: Media Access
      • LEM's USB-Defender can help with the USB removable media component of this.
• PE-X: Physical & Environmental Protection
• PL-X: Security Planning
  • General Notes: Several of the mentioned controls are those which may be supported by LEM, which can be used to centrally manage auditing and monitoring, especially within PL-9. Also interesting when it comes to PL-8 is mention of defense-in-depth techniques.
• PS-X: Personnel Security
  • General Notes: A lot of this is external and policy-related, but think about using LEM to ensure what should happen did (i.e. Trust, But Verify).
  • Of Interest:
    • PS-4: Personnel Termination
    • May use LEM to audit usage of credentials and ensure attempts to use them do not continue after users are terminated.
    • PS-7: Third Party Personnel Security
      • May use LEM to audit usage of third party credentials and ensure attempts to use them do not continue after users are terminated
• RA-X: Risk Assessment
  • General Notes: There's a lot of policy and procedure here, and really only one area where LEM and Patch Manager especially can help.
  • Of Interest:
    • RA-5: Vulnerability Scanning
      • Can use Patch Manager to assess vulnerable systems by missing patches
        • RA-5(1) Update Tool Capability and RA-5(2) Update by Frequency/Prior to New Scan/When Identified - Patch Manager is automatically updated with new patches
        • RA-5(6) - automated trend analysis - Patch Manager can report on patch status over time
        • RA-5(8) - review historic audit logs - Patch Manager will include audit activity of what is being patched and tracked
      • Also, you can use LEM with a vulnerability scanner to support RA-5(6) and RA-5(8) as well, along with RA-5(10) correlate scanning information.
• SA-X: System & Services Acquisition
  • General Notes: There's not a lot that applies here to us, but it's worth mentioning that SA-4(8) speaks to ensuring new systems/apps include activity that can be monitored as part of continuous monitoring planning. Think about how you're going to monitor systems as you implement them, rather than after the fact.
• SC-X: System & Communications Protection
  • General Notes: SC is a pretty fascinating set of controls, with everything from cryptography, to honeypots, to detonation chambers. There's a few places I made notes where SolarWinds products are relevant.
  • Of Interest:
    • SC-5: Denial of Service Protection
      • SC-5(3): Detection/Monitoring - you can use LEM with logs, NTA/NPM and SAM/Virtualization Manager (vMan)/Storage Resource Monitor (SRM) with systems, to help detect DoS and resource/performance.
    • SC-7: Boundary Protection
      • Monitoring communications with LEM, NTA/NPM, and NCM/FSM for the configuration side.
      • SC-7(8) - you can also use LEM to monitor attempts to bypass proxy server.
      • SC-7(10) - you can generally use LEM for monitoring here.
    • SC-19: Voice Over Internet Protocol
      • You can use NPM/NTA, and VoIP and Network Quality Manager (VNQM) to monitor usage of voice technology/ports.
    • SC-29: Heterogeneity
      • Where you have a heterogenous environment, third party monitoring and management tools like SW (e.g. Virtualization Manager, SAM, NPM, and LEM) are more important!
• SI-X: System & Information Integrity
  • General Notes: There's a big section for LEM in here specific to auditing (aside from the normal steps for compliance), but also a couple of other smaller areas of note.
  • Of Interest:
    • SI-2: Flaw Remediation
      • Patching - Patch Manager can help with SI-2(1) central management, SI-2(5) automatic software updates, and SI-2(6) removal of previous versions
  • SI-4: Information System Monitoring
    • This is all about LEM - also especially SI-4(2) automated tools for real-time analysis , SI-4(4) inbound and outbound communications traffic, SI-4(5) system-generated alerts, SI-4(7) automated response to suspicious events, SI-4(11) analyze communications traffic anomalies, SI-4(12) automated alerts, SI-4(13) analyze traffic/event patterns, SI-4(16) correlate monitoring information, SI-4(17) integrated situational awareness, SI-4(19) individuals posing greater risk, SI-4(20) privileged users, SI-4(22) unauthorized network services, SI-4(23) host-based devices, and SI-4(24) indicators of compromise.
    • You could also use NPM/NTA where traffic comes into play to potentially detect unexpected traffic patterns or performance issues that indicate security issues
  • SI-7: Software, firmware, and information integrity
    • Can use LEM to detect some unexpected changes, e.g. windows does a system file check initially which can create events, and can also use LEM's FIM to detect critical system changes (files, registry keys).
      • LEM would also support SI-7(5) automated response, SI-7(7) integration of detection and response, and SI-7(8) auditing capability for significant events
  • SI-15: Information Output Filtering
    • You would want to integrate these into LEM, and consider something like LEM's SQL Auditor to detect failures when it comes to databases.

Double whew! I bet your hot beverage cup is empty at this point, perhaps I should have warned you to use the large one.

Got FISMA?

Hopefully at this point we've given you a lot more info on how we can help you get moving with FISMA compliance. If you've got questions, feel free to post them and we'll update the post as things change or more details are necessary.