Mapping of FISMA Audit to Fluency
While NIST 800-53 combines almost all Federal requirements for security, it does not have responsibility for how long data is retained, which is the national archive’s role. In general, access to a system is kept six (6) years.
NIST 800-53 is the referred to standard by a number of regulations and laws. These include:
- The Federal Information Security Management Act (FISMA) of 2002
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996
- ISA 62443-3-3-2013 [Used by Oil & Gas], Cybersecurity Framework
- SEC Information Security Program and Program Plan (ISSP), per US SEC Statement Sp 20 2017
While there are sixteen (16) base categories, not all are active and only apply based on the security level determined by FIPS-199 (NIST SP 800-60). This categorization creates low, medium and high security needs based on the information and operations being protected.
While aiming for high requirements seems prudent, staying in the proper requirement response is preferred, as requirements cost money and so choosing the right level means efficiency of budget.
This table addresses a Low categorized system:
| No | Control | High-Level Description |
|---|---|---|
| AU-1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | Develops, documents, and disseminates to defined roles and groups (org chart). The organization has standard operational procedures to address implementation. |
| AU-2 | AUDIT EVENTS | Determination of what events are to be audited. |
| AU-3 | CONTENT OF AUDIT RECORDS | Ensure that the content of the audit record is complete. This means the type of the alert, where it came from, when it happened, result of the event, and individual and/or process that performed the action. |
| AU-4 | AUDIT STORAGE CAPACITY | Ensure the system has the capacity to keep audit logs for the required data retention of the data type. |
| AU-5 | RESPONSE TO AUDIT PROCESSING FAILURES | The ability to determine when an audit event failed, trigger a response either automated and/or human notification. |
| AU-6 | AUDIT REVIEW, ANALYSIS, AND REPORTING | Review the data. If there is an issue, report on the findings. |
| AU-8 | TIME STAMPS | Events are mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
| AU-9 | PROTECTION OF AUDIT INFORMATION | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| AU-11 | AUDIT RECORD RETENTION | Logs are retained for the period of time based on their data type. |
| AU-12 | AUDIT GENERATION | Ensure that all source that produce audit that needs to be record are doing so. |
In a low defined system there are no sub-controls, such as AU-2(3), just major controls. Also, note that AU-7, AU10, and AU-13 to AU-16 do not apply.
NIST take a different approach to security then does PCI DSS. The NIST approach may seem redundant as a requirement may appear in all three level of implementation:
- Policy/Organization
- Procedures
- Technical Controls
This means that no product (or service) can address all the NIST requirements, as they must derive and associate responsibility from the organization and its policy.
Fluency’s Technical Controls
The following table is built to provide a roadmap on what Fluency does and how an organization can leverage Fluency to meet NIST 800-53 v4.
| No | Control | Fluency Techical Controls |
|---|---|---|
| AU-1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | Leverage Fluency’s Architectural Overview and Use Case Documentation to append to Organization’s Documentation. |
| AU-2 | AUDIT EVENTS | Fluency has a record all approach, justifying that in order to determine causal and recreation capabilities more data is better than not enough. This means Fluency will collect all host, network and cloud audit. |
| AU-3 | CONTENT OF AUDIT RECORDS | Fluency does a data parse review. 1) All record data is parsed into a JSON format. 2) Events are timestamped 3) The completeness is reviewed to determine if there is a gap (missing fields). 4) Data Sensitivity is reviewed to determine if information needs special handling and access. |
| AU-4 | AUDIT STORAGE CAPACITY | Fluency will absorb increases in audit, and will notify customer when the amount requires a new level of data retention. |
| AU-5 | RESPONSE TO AUDIT PROCESSING FAILURES | Failures in audit appear in the notification’s system health. They create a message to operations and initiate an automated response. |
| AU-6 | AUDIT REVIEW, ANALYSIS, AND REPORTING | Fluency notification aids in providing review notification without logging in to determine if there is an issue. Fluency can work with MSSPs to provide daily or constant review. |
| AU-8 | TIME STAMPS | All incoming events receive a timestamp in Greenwich Mean Time (GMT). The timestamp server is protected from outside tampering and not accessible to the user. |
| AU-9 | PROTECTION OF AUDIT INFORMATION | Two types of datastore are used for audit. The event and flow data reside on LavaDB, which is immutable and has no delete capability. Fluency cloud resides on AWS, with thirteen nines of durability. |
| AU-11 | AUDIT RECORD RETENTION | Logs are kept 90-days hot and one year cold by default. Optional contracts can extend to multiyear. |
| AU-12 | AUDIT GENERATION | Fluency system measures the incoming flow of data and can alert when a source has not reported recently. |