
Introduction

The Federal Information Security Modernization Act (FISMA) is a United States federal law, originally enacted in 2002 as the Federal Information Security Management Act and updated under its current name in 2014, that requires federal agencies to implement and maintain information security programs to protect their information and information systems. The law defines information security as "the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability."

FISMA requires federal agencies to comply with minimum security standards set by the National Institute of Standards and Technology (NIST) and to periodically assess the effectiveness of their information security programs. FISMA also requires federal agencies to report annually on their information security posture, including any breaches or incidents of unauthorized access, use, disclosure, disruption, modification, or destruction of information.

The minimum standards FISMA points to are NIST's FIPS 199 (impact categorization), FIPS 200 (minimum security requirements) and the SP 800-53 control catalog. Alongside these, federal agencies use the NIST Cybersecurity Framework (CSF) to organize their information security programs. The framework provides a structured approach to managing and reducing cybersecurity risk by guiding organizations through activities, outcomes, and informative references for each of its core functions: Identify, Protect, Detect, Respond, and Recover (the five functions of CSF 1.1; CSF 2.0 adds Govern). By following the NIST CSF, federal agencies can implement and maintain information security programs that satisfy FISMA requirements and reduce their risk of a cybersecurity event.

Federal Information Security Modernization Act (FISMA)

The Federal Information Security Modernization Act (FISMA) is a U.S. federal law, first enacted in 2002 and amended in 2014, that mandates that federal agencies implement and maintain information security programs to protect their information and information systems. FISMA establishes a framework for managing and protecting the security of federal information and information systems by requiring agencies to comply with minimum security standards set by the National Institute of Standards and Technology (NIST).

FISMA requires federal agencies to perform periodic risk assessments to determine the potential impact of a security breach on their information and information systems. Based on these assessments, agencies must implement security controls and measures to mitigate identified risks. FISMA also requires agencies to report annually on their information security posture, including any incidents of unauthorized access, use, disclosure, disruption, modification, or destruction of information.

FISMA requires that federal agencies implement a comprehensive security program. Mapped onto the Protect function of the NIST CSF, such a program includes, but is not limited to, the following elements:

  • Access control: Controlling access to information and information systems by identifying, authenticating, and authorizing users and devices.
  • Maintenance: Regularly updating and patching systems and applications to prevent vulnerabilities from being exploited.
  • Data protection: Protecting sensitive information by encrypting data in transit and at rest, and by implementing data backup and recovery strategies.
  • Awareness and training: Educating and training employees on cybersecurity policies and procedures to help prevent human error from contributing to a cybersecurity event.
  • Protective technology: Implementing technical controls such as firewalls, intrusion detection systems, and security information and event management (SIEM) systems to enforce policy and to detect and respond to potential security threats.

In summary, FISMA requires federal agencies to implement and maintain information security programs that protect their information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. FISMA is designed to help ensure the confidentiality, integrity, and availability of federal information and information systems, and to reduce the risk of a cybersecurity event.

How does Airgap Networks’ microsegmentation fit into this framework?

Network microsegmentation can help organizations comply with the Federal Information Security Modernization Act (FISMA) by reducing the risk of a cybersecurity event and limiting the exposure of critical assets and sensitive information. By dividing a network into smaller, separate segments, organizations can reduce the attack surface and limit the spread of a potential security breach, while also enabling the implementation of different security policies for different segments of the network.

By using network microsegmentation, organizations can better protect their sensitive information and information systems, and meet the requirements set by FISMA for access control, data protection, and protective technology. Network microsegmentation enables organizations to define and enforce granular security policies based on the identity and security posture of individual devices and systems, so that a compromised host cannot reach neighbors it has no authorized reason to talk to, and unauthorized connection attempts become a clear detection signal.

Additionally, network microsegmentation can support the FISMA requirement for periodic risk assessments by giving organizations continuous visibility into which devices communicate with which, segment by segment. This helps organizations identify potential security risks and vulnerabilities, such as unexpected east-west traffic, and make informed decisions about the security controls and measures needed to mitigate them.

In conclusion, network microsegmentation is an important aspect of the information security program required by FISMA, and can help organizations effectively manage and reduce their cybersecurity risk. By implementing network microsegmentation, organizations can strengthen the confidentiality, integrity, and availability of their information and information systems, and meet the requirements set by FISMA for information security.

Airgap Networks’ agentless microsegmentation places each endpoint into its own isolated network segment and allows only authorized communication between them. The default security policy is to disallow any communication between endpoints/network microsegments unless it has been explicitly authorized by the security operator. In this way, servers that process sensitive federal information can be placed in their own isolated network segments, with only the communication paths that the operator has authorized permitted between them.
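The default-deny model described above, as an added example in Python that is not Airgap's code and does not reflect how its product is implemented. Every endpoint is treated as its own segment, a flow is allowed only when an explicit rule authorizes it, and the same flows are also scored against a traditional flat-subnet baseline to show which lateral moves the per-endpoint policy blocks. All addresses, rules and observed flows are constructed for the example; the `render_iptables` helper shows how such a policy would land on a Linux enforcement point.

```python
"""Default-deny microsegmentation policy check (added example, hypothetical data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """An explicit authorization: src may open proto/port on dst."""
    src: str    # single IP or CIDR
    dst: str    # single IP or CIDR
    proto: str  # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a sensor or firewall would see it."""
    src: str
    dst: str
    proto: str
    port: int


# Constructed sample policy: the only two relationships the operator has authorized.
RULES = [
    Rule("10.0.1.10", "10.0.2.20", "tcp", 5432),  # web server -> database
    Rule("10.0.9.5", "10.0.0.0/16", "tcp", 22),   # jump host -> any server, SSH
]

# Constructed sample flows observed on the wire.
FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", "tcp", 5432),  # authorized application traffic
    Flow("10.0.2.20", "10.0.1.10", "tcp", 5432),  # reverse direction, never authorized
    Flow("10.0.1.11", "10.0.1.10", "tcp", 445),   # neighbor -> web over SMB: lateral move
    Flow("10.0.9.5", "10.0.2.20", "tcp", 22),     # jump host SSH to database
    Flow("10.0.1.10", "10.0.2.20", "tcp", 22),    # web -> database SSH, not in policy
]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow falls inside the rule's source, destination, proto and port."""
    return (ip_address(flow.src) in ip_network(rule.src, strict=False)
            and ip_address(flow.dst) in ip_network(rule.dst, strict=False)
            and rule.proto == flow.proto
            and rule.port == flow.port)


def microseg_decision(flow: Flow, rules=RULES) -> str:
    """Each endpoint is its own segment: allow only on an explicit rule, else deny."""
    return "allow" if any(rule_matches(r, flow) for r in rules) else "deny"


def flat_network_decision(flow: Flow, rules=RULES, prefix: int = 24) -> str:
    """Baseline of a traditional VLAN: hosts inside the same /24 talk freely and only
    cross-subnet traffic is checked against the firewall rules."""
    src_net = ip_network(f"{flow.src}/{prefix}", strict=False)
    dst_net = ip_network(f"{flow.dst}/{prefix}", strict=False)
    if src_net == dst_net:
        return "allow"
    return microseg_decision(flow, rules)


def audit(flows=FLOWS, rules=RULES) -> dict:
    """Count decisions and how many flows the flat baseline would have let through
    that the per-endpoint policy denies (the lateral movement it removes)."""
    summary = {"allow": 0, "deny": 0, "lateral_blocked": 0}
    for flow in flows:
        decision = microseg_decision(flow, rules)
        summary[decision] += 1
        if decision == "deny" and flat_network_decision(flow, rules) == "allow":
            summary["lateral_blocked"] += 1
    return summary


def render_iptables(rules=RULES) -> list:
    """Express the policy as iptables commands: default DROP, then one ACCEPT per rule."""
    lines = ["iptables -P FORWARD DROP"]
    for r in rules:
        lines.append(f"iptables -A FORWARD -s {r.src} -d {r.dst} -p {r.proto} "
                     f"--dport {r.port} -j ACCEPT")
    return lines


if __name__ == "__main__":
    for flow in FLOWS:
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.port}: "
              f"microseg={microseg_decision(flow)} flat={flat_network_decision(flow)}")
    print(audit())
    print("\n".join(render_iptables()))
```

Note that direction matters: the web-to-database rule says nothing about database-to-web, so the reverse flow is denied, and the SMB attempt between two hosts on the same /24 is exactly the kind of east-west move a flat subnet permits and a per-endpoint default-deny policy stops.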

Summary

Network microsegmentation helps organizations comply with FISMA by reducing the risk of a cybersecurity event and limiting the exposure of critical assets and sensitive information. By dividing a network into smaller, separate segments and enforcing granular security policies, organizations can detect and respond to potential security threats more effectively, and meet the FISMA requirements for access control, data protection, and protective technology. Microsegmentation enables organizations to continuously monitor and assess their network security posture and make informed decisions about security controls, thereby supporting the FISMA requirement for periodic risk assessments.

Microsegmentation is an integral part of Airgap’s Zero Trust Everywhere solution, contributing to our customers' zero trust security initiatives and frameworks.