FISMA – Requirements
The deliverables that demonstrate adherence to FISMA are described in the following table.
NIST 800-53 Control | Deliverables
---|---
AC-02 | Disabled Accounts; Account Management Activity; New Account Summary; Terminated Account Summary; Host Authentication Summary; User Authentication Summary
AC-03 | Account Management Activity; New Account Summary; Terminated Account Summary
AC-05, AC-06, AC-14, AC-22 | Audit Failure By Host; Audit Failure By User; Failed Application Access; Failed File Access; Host Access Granted and Revoked; Object Access Summary; Processes By User; Usage Auditing Event Detail (By Date); Usage Auditing Event Detail (By User); User Object Access Summary
AC-07 | Failed Host Access; Account Lockout Summary
AC-17, AC-18, AC-19 | Audit Failure By Host; Audit Failure By User; Failed Application Access; Failed File Access; Host Access Granted and Revoked; Object Access Summary; Processes By User; Usage Auditing Event Detail (By Date); Usage Auditing Event Detail (By User); User Object Access Summary; Host Authentication Summary; User Authentication Summary
AC-20 | Network Connection Summary; Network Service Summary
AC-22 | User Auditing Event Details (By User); User Auditing Event Details (By Date)
AU-09 | File Integrity Monitor Log Detail; File Integrity Monitor Log Detail (with file names and size); File Integrity Monitor Summary
AU-13 | Data Loss Defender Log Detail; Data Loss Defender Log Summary
CA-02 | Vulnerabilities Detected
CA-07 | Attacks Detected; Compromises Detected; Security Event Summary (By Application); Security Event Summary (By Impacted Host); Security Event Summary (By Origin Host); Security Event Summary (By Entity, Impacted Host); Suspicious Activity By Host; Suspicious Activity By User; Top Attackers; Top Suspicious Users; Top Targeted Applications; Top Targeted Hosts; User Misuse Summary; Audit Failure By Host; Audit Failure By User; Failed Application Access; Failed File Access; Host Access Granted and Revoked; Object Access Summary; Processes By User; Usage Auditing Event Detail (By Date); Usage Auditing Event Detail (By User); User Object Access Summary; Host Authentication Summary; User Authentication Summary; System Critical and Error Conditions; System Startup and Shutdown; Account Lockout Summary; Failed Host Access
CM-03, CM-06 | Configuration Change Summary; Policy Activity Summary
CM-07 | Audit Failure By Host; Audit Failure By User; Failed Application Access; Failed File Access; Host Access Granted and Revoked; Object Access Summary; Processes By User; Usage Auditing Event Detail (By Date); Usage Auditing Event Detail (By User); User Object Access Summary
CM-08 | Network Connection Summary; Network Service Summary
IA-02, IA-03, IA-08 | Default Account Summary; User Authentication Summary; Host Authentication Summary
IR-03, IR-04 | Attacks Detected; Compromises Detected; Security Event Summary (Entity, iHost); Security Event Summary (iApp); Security Event Summary (iHost); Security Event Summary (oHost); Suspicious Activity By Host; Suspicious Activity By User; Top Attackers; Top Suspicious Users; Top Targeted Applications; Top Targeted Hosts; User Misuse Summary
IR-05 | Alarm and Response Activity
MA-02 | System Critical and Error Conditions; System Startup and Shutdown
PE-06 | Door Access Summary
PM-05 | Audit Failure By Host; Audit Failure By User; Failed Application Access; Failed File Access; Host Access Granted and Revoked; Object Access Summary; Processes By User; Usage Auditing Event Detail (By Date); Usage Auditing Event Detail (By User); User Object Access Summary
PM-06 | System Critical and Error Conditions; System Startup and Shutdown; Audit Failure By Host; Audit Failure By User; Failed Application Access; Failed File Access; Host Access Granted and Revoked; Object Access Summary; Processes By User; Usage Auditing Event Detail (By Date); Usage Auditing Event Detail (By User); User Object Access Summary; Account Lockout Summary; Failed Host Access; User Authentication Summary; Host Authentication Summary; Attacks Detected; Compromises Detected; Security Event Summary (Entity, iHost); Security Event Summary (iApp); Security Event Summary (iHost); Security Event Summary (oHost); Suspicious Activity By Host; Suspicious Activity By User; Top Attackers; Top Suspicious Users; Top Targeted Applications; Top Targeted Hosts; User Misuse Summary
PE-08 | Door Access Summary
PM-10 | User Authentication Summary; Host Authentication Summary
SC-05 | Denial Of Service Detected
SC-18 | Attacks Detected; Compromises Detected; Security Event Summary (Entity, iHost); Security Event Summary (iApp); Security Event Summary (iHost); Security Event Summary (oHost); Suspicious Activity By Host; Suspicious Activity By User; Top Attackers; Top Suspicious Users; Top Targeted Applications; Top Targeted Hosts; User Misuse Summary
SC-28 | File Integrity Monitor Log Detail; File Integrity Monitor Log Detail (with file names and size); File Integrity Monitor Summary
SI-02 | System Critical and Error Conditions; System Startup and Shutdown
SI-03 | Anti-Virus Signature Update Report; Malware Detected
SI-04 | Attacks Detected; Compromises Detected; Security Event Summary (Entity, iHost); Security Event Summary (iApp); Security Event Summary (iHost); Security Event Summary (oHost); Suspicious Activity By Host; Suspicious Activity By User; Top Attackers; Top Suspicious Users; Top Targeted Applications; Top Targeted Hosts; User Misuse Summary
SI-07 | Configuration Change Summary; Policy Activity Summary
SI-08 | Spam Summary
SI-11 | System Critical and Error Conditions; System Startup and Shutdown
LogRhythm meets, improves on, or adheres to other controls outlined in NIST Special Publication 800-53. Commentary on controls other than the ones handled by Reports, Investigations, and Alarms is given in the following table.
NIST 800-53 | Setting / Commentary
---|---
AU-02ab and AU-12a | LogRhythm supports Audit and Accountability by providing a system that collects and processes audit data. With LogRhythm in place, AU-02's intent of defining auditable events, monitoring them, and being able to communicate audit information outside of the organization is met.
AU-03 and AU-12b | Logs processed are classified and assigned a specific common event, such as Connection Established, which meets AU-03. In some cases this allows the proper meaning to be assigned to a log even when the exact details are difficult to understand from reading the raw log (e.g., translating Event 105 to System Shutdown).
AU-04 and AU-11 | Management of log storage is a primary feature of LogRhythm, including retention of raw log data after it is sent to the LogRhythm Mediator Service. This moves log management off individual systems and onto a central system built for the task, which includes log archiving and retention, including adjustment of retention periods.
AU-06, AU-07, and AU-12c | LogRhythm provides a wide range of analysis, reporting and alarming tools to meet AU-06. |
AU-08 and AU-10 | Timestamps are recorded both with the time reported by the origin log source and the time the LogRhythm Mediator receives the log. This prevents falsification of time stamps. Rapid collection of logs from systems, including real-time and near-real-time collection, prevents the compromise-then-reconfigure approach to altering log data. It creates as accurate a log trail as possible up to the point of compromise, often sending critical information about the event to LogRhythm before the attacker has time to modify the system.
MA-03 and MA-04 | LogRhythm can provide monitoring support for information system maintenance tools through interpretation of log data. |
PS-04 and PS-07 | LogRhythm can be used to monitor usage compliance for terminated employees and third-party users through investigations and security event reporting.
SI-03 | Malware false positives can be identified rapidly with LogRhythm by reviewing the logs surrounding the event and by using LogRhythm System Monitor Agent tools such as the File Integrity Monitor, Process Monitor, Network Connections Monitor, and Data Loss Defender; done by hand, this is typically a time-consuming process.
SI-04cd | Monitoring devices determined appropriate by the organization can send logs and event data to LogRhythm, allowing this information to be centrally processed and easily compared to other similar devices for robust investigations. |
SI-11bc | LogRhythm provides access controls to limit usage to authorized personnel only. Reports generated by LogRhythm can limit data being seen. This allows the circulation of reports without revealing sensitive information, such as account names, host addresses, or specific file names. |
Monitoring Note | FISMA requirements typically have monitoring or inventory requirements. LogRhythm provides the tools to perform custom investigations that can fulfill or assist in meeting FISMA regulations. For example, it can be used to generate a list of systems seen that can be compared against the organizational inventory. LogRhythm can also show network connections between defined entities, zones, and networks to verify isolation of networks and/or appropriate segmentation. |
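The AU-08 row (origin time versus receipt time) and the Monitoring Note (systems seen versus inventory, and connections between zones) both describe checks that a defender can run over collected log data. The following is an added example and not LogRhythm code; it works on a small set of constructed records with hypothetical hostnames (`web01`, `db01`, `lab07`, `app01`), hypothetical zone names (`dmz`, `app`, `data`), an assumed allowed-flow policy, and an assumed five-minute clock tolerance. It flags records whose origin and receipt timestamps disagree, reconciles hosts seen in logs against an inventory, and lists connections that cross zones the policy does not permit.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set, Tuple


@dataclass(frozen=True)
class LogRecord:
    host: str               # origin log source
    origin_time: datetime   # timestamp written by the source itself
    receipt_time: datetime  # timestamp assigned when the collector received it
    message: str


@dataclass(frozen=True)
class Connection:
    src_host: str
    src_zone: str
    dst_host: str
    dst_zone: str
    dst_port: int


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (hypothetical hosts and zones, not real telemetry).
SAMPLE_LOGS: List[LogRecord] = [
    LogRecord("web01", _t("2024-05-01T10:00:00+00:00"),
              _t("2024-05-01T10:00:02+00:00"), "Connection Established"),
    LogRecord("db01", _t("2024-05-01T10:01:00+00:00"),
              _t("2024-05-01T10:01:01+00:00"), "User Logon"),
    # Origin clock reads roughly a day behind the collector: drift or tampering.
    LogRecord("lab07", _t("2024-04-30T09:00:00+00:00"),
              _t("2024-05-01T10:02:00+00:00"), "System Shutdown"),
]

# Assumed organizational inventory; app01 is listed but never sends logs.
INVENTORY: Set[str] = {"web01", "db01", "app01"}

# Assumed segmentation policy: which cross-zone flows are permitted.
ALLOWED_FLOWS: Set[Tuple[str, str]] = {("dmz", "app"), ("app", "data")}

CONNECTIONS: List[Connection] = [
    Connection("web01", "dmz", "app01", "app", 8443),
    Connection("app01", "app", "db01", "data", 5432),
    Connection("web01", "dmz", "db01", "data", 5432),  # DMZ straight to data tier
]


def timestamp_anomalies(records: List[LogRecord],
                        tolerance: timedelta = timedelta(minutes=5)
                        ) -> List[Tuple[str, int]]:
    """Return (host, receipt_minus_origin_seconds) for records whose origin and
    receipt times disagree by more than `tolerance` in either direction."""
    out = []
    for r in records:
        skew = r.receipt_time - r.origin_time
        if abs(skew) > tolerance:
            out.append((r.host, int(skew.total_seconds())))
    return out


def reconcile_inventory(records: List[LogRecord],
                        inventory: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (hosts seen in logs but missing from inventory,
               inventory hosts that have sent no logs)."""
    seen = {r.host for r in records}
    return sorted(seen - inventory), sorted(inventory - seen)


def segmentation_violations(connections: List[Connection],
                            allowed_flows: Set[Tuple[str, str]]
                            ) -> List[Connection]:
    """Cross-zone connections whose (src_zone, dst_zone) pair is not allowed."""
    return [c for c in connections
            if c.src_zone != c.dst_zone
            and (c.src_zone, c.dst_zone) not in allowed_flows]


if __name__ == "__main__":
    print("timestamp anomalies:", timestamp_anomalies(SAMPLE_LOGS))
    unknown, silent = reconcile_inventory(SAMPLE_LOGS, INVENTORY)
    print("not in inventory:", unknown, "| silent inventory hosts:", silent)
    for c in segmentation_violations(CONNECTIONS, ALLOWED_FLOWS):
        print(f"segmentation violation: {c.src_host}({c.src_zone}) -> "
              f"{c.dst_host}({c.dst_zone}):{c.dst_port}")
```

Each function returns its findings rather than printing them, so the same logic can feed a report or an alarm. The receipt timestamp is the trustworthy anchor here: a source whose own clock disagrees with it by more than the tolerance deserves a look, and a host that appears in the logs but not in the inventory is exactly the inventory gap the Monitoring Note describes.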