FISMA Deployment Guide – Meet the Compliance Requirements

The LogRhythm FISMA Compliance Package provides bundled reports, investigations, alarms, and log source lists to help you demonstrate regulation compliance. Your site compliance auditor will check for specific line-item regulations to be met by LogRhythm. This guide demonstrates how and when LogRhythm meets FISMA compliance.

This section describes each of the following for FISMA compliance:

• Compliance Reporting for FISMA Auditors
• Compliant Monitoring
• Alarming
• Audit Deliverables

Compliance Reporting for FISMA Auditors

FISMA responsibilities are detailed in NIST Special Publication 800-53a. Auditors are instructed to review the minimum security requirements outlined in NIST Special Publication 800-53 to determine if compliance is met. This deployment guide references each of the affected regulations in the notation of “Security Requirement Family” “Control Number” “Subsection”. For example, the following regulation highlighted in grey would be AU-01a from Page F-24:

AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;

Multiple subsections may be referenced by having additional subsection letters following the regulation, such as AU-02abcd, a regulation located on the same page as the one used in the example.

Because FISMA is solution and vendor-agnostic, FISMA auditors must determine if the control provided by LogRhythm is appropriate for the organization for the specific regulation. In some cases, LogRhythm will provide enhancements to existing controls, such as centralization, investigations, alarming, reporting, auditing, monitoring, and discovery.

Compliant Monitoring

LogRhythm provides automated processes to reduce the amount of manual processes involved with monitoring. In addition, LogRhythm provides the tools necessary to conduct detailed manual monitoring and investigations.

FISMA does not specify a timeframe for monitoring (such as daily, monthly, etc.) but instead allows each organization to determine its own levels of protection necessary for compliance. The best practice would be continuous monitoring with a 15-minute time window for escalation, and the most relaxed practice would be reporting on a monthly basis. LogRhythm can provide a range of responses and monitoring techniques that would meet FISMA’s intent.

LogRhythm has settings for the retention duration of logs available for reporting and investigations. The FISMA auditor should note that the period between reports being generated for auditing should never exceed the retention period. Therefore, if logs are being retained for 14 days, audit reports should be generated in 14-day intervals.

Alarming

Immediate action in the event of a breach or system failure can help limit the damages to the organization. LogRhythm’s alarming capability notifies the appropriate security personnel when a security monitoring device detects activities that could jeopardize the integrity of the organization. The Alarm Rules table shows the thresholds and suppression of alarm rules pertaining to FISMA compliance.

Audit Deliverables

The FISMA Report Package can generate all the reports needed for auditing.

To start the process:

1. From the LogRhythm Console, click Report Center.
2. Select the Report Packages tab.
3. Right-click the FISMA Report Package, and then click Run.

The FISMA report package must be run no less frequently than once per month to ensure all data is available for report generation. The deliverables that demonstrate adherence to FISMA are shown in the FISMA—Requirements table.