NIST 800-53 Compliance for FedRAMP

Vormetric solutions from Thales help federal government agencies implement and sustain the data-at-rest controls that support NIST 800-53 compliance for FedRAMP, FIPS 200 and FISMA.

NIST 800-53 / FedRAMP


The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

Thales supports US government agencies in implementing and sustaining compliance through:

  • Encryption of data at rest and data in motion;
  • Strong key management that keeps the data owner in control of the keys;
  • Access policies and privileged user controls;
  • FIPS-certified protection of keys.



NIST 800-53 and FedRAMP

NIST 800-53 catalogs the security controls for federal information systems that FIPS 200 requires agencies to implement. Revision 4 of the catalog is the basis for the FedRAMP security control baselines that govern agency use of cloud computing.

FIPS 200 and FISMA

FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) implements the Federal Information Security Management Act (FISMA) of 2002, which requires federal agencies to implement and document agency-wide information security programs.

FIPS 140-2 Levels 2 and 3 Validated

The Vormetric Data Security Manager (DSM) is available as a FIPS 140-2 Level 2 or Level 3 validated appliance. The DSM appliance is also in Common Criteria evaluation.

NIST 800-53 Revision 4 Compliance Solutions

Core Thales product capabilities that support NIST 800-53 Revision 4 controls include:

  • Encryption and Key Management: Strong, centrally managed, file, volume and application encryption combined with simple, centralized key management that is transparent to processes, applications and users.
  • Access Policies and Privileged User Controls: Restrict access to encrypted data, permitting it to be decrypted only for authorized users and applications, while allowing privileged users to perform IT operations (backups, storage management, patching) without the ability to see protected information.
  • Security Intelligence: Logs that capture access attempts to protected data, providing high value security intelligence information that can be used with a Security Information and Event Management (SIEM) solution and for compliance reporting.

Mapping NIST 800-53 to Vormetric solutions from Thales

For a full account of how Vormetric solutions map to NIST 800-53 requirements, see the Thales NIST 800-53 Mapping white paper, which maps individual security controls to Thales features. The overview below summarizes, by security control family, the baseline controls addressed and how the Thales solution addresses them.


Overview - Vormetric Transparent Encryption & NIST 800-53 Revision 4

Access Control (AC)
  • Baseline controls: Account Management; Separation of Duties; Least Privilege
  • Thales: Kernel-level agents apply AES-256 encryption and fine-grained access policies at the file, directory or volume level, augmenting the operating system's native access controls and enforcing least privilege.

Awareness and Training (AT)
  • Baseline controls: Training Policies; Security Awareness Training; Role-Based Security Training
  • Thales: Vormetric Professional Services offers both in-person and online training on use of the solution. Thales eSecurity solutions have few administrative roles, and the training covers the tasks and responsibilities of each deployed role, with supporting documentation.

Audit and Accountability (AU)
  • Baseline controls: Audit Events; Content of Audit Records; Response to Audit Processing Failures; Audit Storage Capacity; Non-Repudiation; Audit Reduction and Report Generation
  • Thales: Vormetric Transparent Encryption produces full audit data both at the Data Security Manager (DSM) appliance and at the host agents, in an open format that can be fed to a program or agency's audit reduction tool or SIEM solution.

Security Assessment and Authorization (CA)
  • Baseline controls: System Interconnections; Plan of Action and Milestones; Continuous Monitoring
  • Thales: Vormetric Transparent Encryption can be assessed as a component of the information system. Agents are installed on operating systems that have undergone security hardening and STIG configuration. The DSM is FIPS 140-2 Level 2 or Level 3 validated depending on configuration (see SA below).

Configuration Management (CM)
  • Baseline controls: Baseline Configuration; Configuration Change Control; Security Impact Analysis; Least Functionality
  • Thales: DSM configuration (access control policies and encryption at rest) can be adjusted to operational requirements, and can be saved, backed up and recorded in a CMDB to track changes over time.

Contingency Planning (CP)
  • Baseline controls: Contingency Plan; Contingency Plan Testing
  • Thales: The DSM can operate in a cluster in active or standby mode and can be incorporated into a program's COOP/DR strategy.

Identification and Authentication (IA)
  • Baseline controls: Identification and Authentication (Organizational Users); Device Identification and Authentication; Authenticator Management; Cryptographic Module Authentication
  • Thales: DSM administrators are identified and authenticated by local web GUI login or through Active Directory/LDAP integration. On protected hosts, access to files, folders and applications is enforced at the kernel level based on the identity of the requesting user and process.

Incident Response (IR)
  • Baseline controls: Incident Response Testing; Incident Response Training; Incident Handling; Incident Monitoring
  • Thales: The Vormetric Data Security Platform records incidents at each component (host system, web GUI, DSM). Incidents and audit events are emitted in an open syslog format that can be sent to the information system's monitoring and reporting tool, including third-party SIEM solutions. Log formats can be tailored to a program's security policy for user and application behavior.

Maintenance (MA)
  • Baseline controls: Controlled Maintenance; Maintenance Tools
  • Thales: The DSM hardware is tamper-resistant, as required for its FIPS 140-2 validation. Maintenance and audit sessions can be separated by domain and by administrator login.

Media Protection (MP)
  • Baseline controls: Media Access; Media Marking; Media Storage and Transport
  • Thales: As part of its FIPS 140-2 Level 3 evaluation, the DSM supports zeroization of key material from the appliance console.

Physical and Environmental Protection (PE)
  • Baseline controls: Physical Access Authorizations; Physical Access Control; Access Control for Transmission Medium
  • Thales: The DSM appliance is a 17" x 17" x 3" hardware device that can be secured in a lockable data center rack enclosure.

Planning (PL)
  • Baseline controls: Information Security Architecture; Concept of Operations
  • Thales: Vormetric Transparent Encryption provides fine-grained access policies and AES-256 encryption that limit privileged-user access and implement least privilege for users authorized to access sensitive data.

Personnel Security (PS)
  • Baseline controls: Personnel Termination; Personnel Transfer
  • Thales: The solution should be operated by personnel with the appropriate clearance and information system access. DSM administrative groups can be linked to LDAP-compatible directory services, so that account changes made on termination or transfer carry through to DSM administration.

System and Services Acquisition (SA)
  • Baseline controls: Allocation of Resources; System Development Life Cycle
  • Thales: DSM system components are assembled in the US at corporate headquarters in San Jose, CA. The DSM is FIPS 140-2 Level 3 validated when the optional Hardware Security Module (HSM) is installed, and Level 2 validated without it.

System and Communications Protection (SC)
  • Baseline controls: Application Partitioning; Security Function Isolation; Transmission Confidentiality and Integrity; Cryptographic Key Establishment and Management; Platform Agnosticism
  • Thales: AES-256 data encryption keys are wrapped (encrypted) when distributed from the DSM to agents. The administrator web interface is served over HTTPS. Agent-to-DSM communication uses ephemeral ports and is encrypted with Suite B algorithms.

System and Information Integrity (SI)
  • Baseline controls: Security Alerts, Advisories, and Directives; Software, Firmware, and Information Integrity
  • Thales: Integrity of the DSM appliance firmware is covered by its FIPS 140-2 validation, which requires integrity self-tests. Host agents protect data at rest on the information system's servers, and their access policies restrict which users and processes may read or modify protected files.
