Mapping of FISMA Audit to Fluency

While NIST 800-53 combines almost all Federal security requirements, it is not responsible for how long data is retained; that is the National Archives' role. In general, records of access to a system are retained for six (6) years.

NIST 800-53 is the standard referenced by a number of regulations and laws. These include:

  • The Federal Information Security Management Act (FISMA) of 2002

  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996

  • ISA 62443-3-3-2013 [Used by Oil & Gas], Cybersecurity Framework

  • SEC Information Security Program and Program Plan (ISSP), per the US SEC Statement of Sep 20, 2017

While there are sixteen (16) base controls, not all are active; which ones apply depends on the security level determined by FIPS-199 (NIST SP 800-60). This categorization defines low, medium, and high security needs based on the information and operations being protected.

While aiming for the high requirements may seem prudent, staying at the level the categorization actually calls for is preferred: each requirement costs money, so choosing the right level makes efficient use of the budget.

This table lists the controls that apply to a Low-categorized system:

| No | Control | High-Level Description |
| --- | --- | --- |
| AU-1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | The organization develops, documents, and disseminates an audit policy to defined roles and groups (org chart), and has standard operating procedures to address its implementation. |
| AU-2 | AUDIT EVENTS | Determination of which events are to be audited. |
| AU-3 | CONTENT OF AUDIT RECORDS | Ensure that the content of each audit record is complete: the type of event, where it came from, when it happened, the result of the event, and the individual and/or process that performed the action. |
| AU-4 | AUDIT STORAGE CAPACITY | Ensure the system has the capacity to keep audit logs for the retention period required for the data type. |
| AU-5 | RESPONSE TO AUDIT PROCESSING FAILURES | The ability to detect when audit processing fails and to trigger a response, whether automated, human notification, or both. |
| AU-6 | AUDIT REVIEW, ANALYSIS, AND REPORTING | Review the data. If there is an issue, report on the findings. |
| AU-8 | TIME STAMPS | Events are mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
| AU-9 | PROTECTION OF AUDIT INFORMATION | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
| AU-11 | AUDIT RECORD RETENTION | Logs are retained for a period of time based on their data type. |
| AU-12 | AUDIT GENERATION | Ensure that all sources that should produce audit records are doing so. |

In a Low-categorized system there are no sub-controls (control enhancements) such as AU-2(3), only the base controls. Also note that AU-7, AU-10, and AU-13 through AU-16 do not apply.
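The AU-3 row above lists what every audit record must contain, and AU-8 requires the timestamp to map to UTC. The following script is an added example (not Fluency's code and not part of the original page) of how a collector can check incoming records against those two controls: it parses raw JSON lines, normalizes the timestamp to UTC, and reports each record that is missing a required element so the gap can be fixed at the source. The field names and the sample records are constructed for illustration and are not a Fluency schema.

```python
"""Added example: AU-3 record-content check with AU-8 UTC normalization.

Assumed schema (not the page's or Fluency's): each audit record is one JSON
object per line with the fields listed in REQUIRED_FIELDS.
"""
import json
from datetime import datetime, timezone

# The five AU-3 content elements, keyed by the field name assumed in our schema.
REQUIRED_FIELDS = {
    "event_type": "type of event",
    "source": "where it came from",
    "timestamp": "when it happened",
    "outcome": "result of the event",
    "subject": "individual and/or process that performed the action",
}


def to_utc(value):
    """Parse an ISO-8601 timestamp and return it as an aware UTC datetime.

    Returns None if the value is not a string, not ISO-8601, or carries no
    UTC offset (a naive local time cannot be mapped to UTC reliably).
    """
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None
    if ts.tzinfo is None:
        return None
    return ts.astimezone(timezone.utc)


def review_record(raw_line):
    """Return (normalized_record, gaps) for one raw JSON line.

    gaps is an empty list when the record satisfies AU-3 and AU-8.
    """
    try:
        rec = json.loads(raw_line)
    except json.JSONDecodeError:
        return None, ["unparseable JSON"]
    if not isinstance(rec, dict):
        return None, ["record is not a JSON object"]
    gaps = [f"missing {name} ({desc})"
            for name, desc in REQUIRED_FIELDS.items() if not rec.get(name)]
    utc = to_utc(rec.get("timestamp"))
    if rec.get("timestamp") and utc is None:
        gaps.append("timestamp is not an ISO-8601 value with a UTC offset")
    if utc is not None:
        rec["timestamp"] = utc.isoformat()  # AU-8: store the UTC form
    return rec, gaps


def review_batch(lines):
    """Review many lines; return a summary with the incomplete records listed."""
    summary = {"complete": 0, "incomplete": []}
    for line_no, line in enumerate(lines, start=1):
        rec, gaps = review_record(line)
        if gaps:
            summary["incomplete"].append((line_no, gaps))
        else:
            summary["complete"] += 1
    return summary


# Constructed sample input: one good record, one with missing content,
# one with a local (naive) timestamp, and one unparseable line.
SAMPLE_LINES = [
    '{"event_type": "login", "source": "host-a", '
    '"timestamp": "2017-09-20T08:15:00-04:00", "outcome": "success", "subject": "alice"}',
    '{"event_type": "file_read", "source": "host-b", "timestamp": "2017-09-20T12:16:02Z"}',
    '{"event_type": "logout", "source": "host-a", "timestamp": "2017-09-20 08:20:00", '
    '"outcome": "success", "subject": "alice"}',
    'this is not json',
]

if __name__ == "__main__":
    result = review_batch(SAMPLE_LINES)
    print(f"{result['complete']} complete record(s)")
    for line_no, gaps in result["incomplete"]:
        print(f"line {line_no}: " + "; ".join(gaps))
```

A record that passes keeps its original content but has its timestamp rewritten in UTC, which is what makes records from hosts in different zones comparable during review (AU-6).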

NIST takes a different approach to security than PCI DSS does. The NIST approach may seem redundant, as a requirement may appear at all three levels of implementation:

  • Policy/Organization

  • Procedures

  • Technical Controls

This means that no product (or service) can address all the NIST requirements on its own, since responsibility must derive from the organization and its policy.

Fluency's Technical Controls

The following table provides a roadmap of what Fluency does and how an organization can leverage Fluency to meet NIST 800-53 v4.

| No | Control | Fluency Technical Controls |
| --- | --- | --- |
| AU-1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | Leverage Fluency's Architectural Overview and Use Case Documentation to append to the organization's documentation. |
| AU-2 | AUDIT EVENTS | Fluency takes a record-everything approach, on the reasoning that for determining cause and recreating events more data is better than not enough. This means Fluency collects all host, network, and cloud audit data. |
| AU-3 | CONTENT OF AUDIT RECORDS | Fluency performs a data parse review: 1) all record data is parsed into JSON; 2) events are timestamped; 3) completeness is reviewed to determine whether fields are missing; 4) data sensitivity is reviewed to determine whether information needs special handling and access. |
| AU-4 | AUDIT STORAGE CAPACITY | Fluency absorbs increases in audit volume and notifies the customer when the amount requires a new level of data retention. |
| AU-5 | RESPONSE TO AUDIT PROCESSING FAILURES | Audit failures appear under system health in notifications. They generate a message to operations and initiate an automated response. |
| AU-6 | AUDIT REVIEW, ANALYSIS, AND REPORTING | Fluency notifications support review without requiring a login to determine whether there is an issue. Fluency can work with MSSPs to provide daily or continuous review. |
| AU-8 | TIME STAMPS | All incoming events receive a timestamp in Greenwich Mean Time (GMT). The timestamp server is protected from outside tampering and is not accessible to users. |
| AU-9 | PROTECTION OF AUDIT INFORMATION | Two types of datastore are used for audit. The event and flow data reside on LavaDB, which is immutable and has no delete capability. Fluency cloud resides on AWS, with thirteen nines of durability. |
| AU-11 | AUDIT RECORD RETENTION | Logs are kept 90 days hot and one year cold by default. Optional contracts can extend retention to multiple years. |
| AU-12 | AUDIT GENERATION | The Fluency system measures the incoming flow of data and can alert when a source has not reported recently. |
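The AU-12 row states that the system alerts when a source has not reported recently, and AU-5 requires that a failure in audit processing produce a notification. The script below is an added example (not Fluency's code and not part of the original page) of the underlying check: it tracks the last event seen per source, compares that against the interval each source is expected to report at, and returns every expected source that is overdue or has never reported at all. The source inventory, the reporting intervals, the grace multiplier, and the sample events are all constructed for illustration.

```python
"""Added example: AU-12 audit-generation monitoring (silent-source detection).

Assumptions (not from the page): an inventory of expected sources with the
interval each should report at, and events as (source, ISO-8601 timestamp).
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: each expected source and how often it should be heard from.
EXPECTED_INTERVAL = {
    "fw-edge": timedelta(minutes=5),
    "dc01-security": timedelta(minutes=15),
    "cloudtrail": timedelta(hours=1),
}


def parse_ts(value):
    """Parse an ISO-8601 timestamp (with offset or 'Z') into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def last_seen(events):
    """Return {source: latest UTC timestamp} over an iterable of (source, ts) events."""
    seen = {}
    for source, ts in events:
        t = parse_ts(ts)
        if source not in seen or t > seen[source]:
            seen[source] = t
    return seen


def silent_sources(events, now, grace=2):
    """Return {source: reason} for every expected source that is silent.

    A source is silent when it has never reported, or when its last event is
    older than `grace` times its expected interval (the multiplier absorbs
    ordinary jitter so a single late batch does not page anyone).
    """
    seen = last_seen(events)
    findings = {}
    for source, interval in EXPECTED_INTERVAL.items():
        if source not in seen:
            findings[source] = "never reported"
            continue
        overdue = now - seen[source]
        if overdue > interval * grace:
            findings[source] = f"last seen {overdue} ago, expected every {interval}"
    return findings


def unknown_sources(events):
    """Return the set of sources that sent events but are not in the inventory.

    These are not AU-12 failures, but an un-inventoried source is either a new
    asset that needs an expected interval or something that should not be
    sending audit data at all, so it is worth surfacing alongside the silent ones.
    """
    return {source for source, _ in events} - set(EXPECTED_INTERVAL)


# Constructed sample: the firewall is current, the domain controller went
# quiet an hour ago, CloudTrail never arrived, and a laptop is not inventoried.
NOW = datetime(2017, 9, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ("fw-edge", "2017-09-20T11:52:10Z"),
    ("fw-edge", "2017-09-20T11:58:30Z"),
    ("dc01-security", "2017-09-20T10:45:00Z"),
    ("dc01-security", "2017-09-20T11:00:00Z"),
    ("laptop-x", "2017-09-20T07:59:00-04:00"),
]

if __name__ == "__main__":
    for source, reason in silent_sources(SAMPLE_EVENTS, NOW).items():
        print(f"ALERT AU-12: {source}: {reason}")
    for source in sorted(unknown_sources(SAMPLE_EVENTS)):
        print(f"NOTE: un-inventoried source {source}")
```

In practice this check runs on a schedule with `now` taken from the clock; passing it in explicitly keeps the function deterministic and easy to test against recorded event sets.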