Solutions – FISMA Security/Compliance

Not If – But When…The Escalating War on Federal Networks!

In 2010, over 41,000 cyber incidents of malicious intent in the federal network were reported (out of a total of over 107,000 incidents) to the United States Computer Emergency Readiness Team (US-CERT), according to the OMB’s fiscal year 2010 report on federal implementation of the Federal Information Security Management Act (FISMA). These findings represented a 39% increase over 2009, when federal agencies reported 30,000 malicious incidents out of 108,710 attacks overall, according to the report. The fiscal year 2010 FISMA report is the most comprehensive to date on the state of cyber security among federal agencies and the progress being made in this area.

The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by the FISMA legislation passed by Congress in December 2002. These standards and guidelines include specific access, audit, accountability, protection, incident reporting, and system controls related to network and data security. In particular, the Federal Information Protection Standard (FIPS 140-2) requires every federal organization to ensure, through routine cyber security vulnerability assessments, that the technological and procedural safeguards for all components of the technology stack meet the requirements for maintaining the confidentiality and integrity of its cryptographic modules. Unauthorized access to the cryptographic modules can result in a breach of the system and a threat to national security.

However, FISMA-related security assessments that identify flaws or weaknesses in current protective measures must avoid introducing additional risk to essential systems. This is especially critical when it comes to the BPIC stack. Today, most government agencies and federal/military contractors deploy WebSphere as their BPIC layer, yet traditional penetration testing tools can impair the networks and computers that make up the BPIC system.

At Evans Resource Group, our WebSphere vulnerability assessment methodology satisfies FIPS 140-2 while safeguarding the reliability of operations. Based on years of helping BPIC customers achieve secure network compliance, our methodology requires neither the risky connection of test equipment to sensitive networks nor the deployment of unsupported software. Our comprehensive, non-invasive approach includes:

  • Discovery and identification of all access points to the BPIC security perimeter
  • Verification of security and services at each access point
  • Review of controls for default accounts, passwords, and BPIC management community strings for each access point
  • Verification that only ports and services required for normal or emergency operations are enabled on each system
  • Review of controls for default accounts of each system
  • Ensuring FIPS is enabled on the queue managers
  • Ensuring FIPS cipher specs are enabled on the queue manager