NIST 800-53 Compliance for FedRAMP

NIST 800-53 and FedRAMP

The NIST 800-53 publication details security controls for Federal information systems as required by the FIPS 200 publication, and was recently updated to revision 4 to detail the extended security controls required for agency use of cloud computing under FedRAMP.

FIPS 200 and FISMA

FIPS 200 supports the FISMA Act of 2002 requiring Federal agencies to implement and document information security programs.

Regulation Detail

For more details on the specific regulations, see the links below.

FIPS 140-2 Levels 2 and 3 Validated

Vormetric’s Data Security Management is available as a FIPS 140-2 Level 2 or Level 3 validated appliance. The Data Security Manager appliance is also in Common Criteria evaluation.

NIST 800-53 Revision 4 Compliance Solutions

Core Thales product capabilities that support the NIST 800-53 Revision 4 include:

• Encryption and Key Management: Strong, centrally managed, file, volume and application encryption combined with simple, centralized key management that is transparent to processes, applications and users.
• Access Policies and Privileged User Controls: Restrict access to encrypted data – permitting data to be decrypted only for authorized users and applications, while allowing privileged users to perform IT operations without ability to see protected information.
• Security Intelligence: Logs that capture access attempts to protected data, providing high value security intelligence information that can be used with a Security Information and Event Management (SIEM) solution and for compliance reporting.

Mapping NIST 800-53 to Vormetric solutions from Thales

For a full look at how Vormetric solutions map to NIST 800-53 requirements, see our Thales NIST 800-53 Mapping white paper with detailed mapping of security controls to Thales features here, and listed below is an overview of security control family requirements for Thales solutions.

Overview - Vormetric Transparent Encryption & NIST 800-53 revision 4

Security Control FamilyCompliance BaselineThales

Access Controls(AC)• Access Controls(AC)
• Account Management
• Separation of Duties
• Least PrivilegeThrough the use of kernel level agents providing AES 256 encryption, Vormetric Transparent Encryption exceeds and augments current access control solutions at the file, directory, drive, or target level at the Operating System and provides Least Privilege.

Awareness and Training(AT)• Training Policies
• Security Awareness Training
• Role Based Security TrainingVormetric Professional Services makes available both, personal and online, training options to educated staff on use of the solution. Thales solutions have few administrative requirements, and the available training covers tasks and responsibilities for each desired/deployed role, with appropriate documentation.

Audit and Accountability(AU)• Audit Events
• Content
• Response
• Capacity
• Non-Repudiation
• Report GenerationVormetric Transparent Encryption provides full audit data at the Vormetric Data Security Manager appliance and at host agents in an open format and can integrate with a program or agency’s audit reduction tool or SIEM solution.

Security Assessment and Authorization(CA)• System Interconnects
• Plan of Action and Milestones
• Continuous MonitoringVormetric Transparent Encryption can be tested as a part of an Information System. The agents are installed on operating systems that undergo security hardening and STIG configurations. The Data Security Manager is FIPS 140-2 Level 2 or Level 3 Compliant depending upon configuration.

Configuration Management(CM)• Baseline Configuration
• Change Control
• Security Impact Analysis
• Least FunctionalityThe configuration of the Vormetric DSM can be changed to match operational requirements for access control and encryption at rest, and can be saved, backed up, and added to a CMDB in order to track changes over time.

Contingency Planning(CP)• Contingency Plan
• Contingency TestingThe Vormetric DSM component can operate in a clustered environment in active or standby mode, and can be added to a program’s COOP/DR strategy.

Identification and Authentication(IA)• Organizational Users
• Device Login
• Authentication Management
• Crytpographic Module
• Incident HandlingIdentification is provided through local web GUI login or Active Directory/LDAP Integration at the Data Security Manager appliance. Authentication is provided through the use of kernel level system access to files, folders, and applications.

Incident Response(IR)• Incident Response Testing
• Training
• Handling
• MonitoringThe Vormetric Data Security Platform processes incidents at the individual component level (host system, web GUI, DSM). These incidents and audit events are in an open syslog format that can be sent to an information system’s monitoring/reporting tool, including 3rd party SIEM solutions. Log file formats can be tailored to match a program’s security policy for user and application behavior.

Maintenance(MA)• Controlled Maintenance
• ToolsAs a part of the FIPS 140-2 certification, the Vormetric Data Security Manager is tamper resistant. Additionally, maintenance and audit sessions can be separated by domain and by administrator login.

Media Protection(MP)• Media Access
• Media Marking
• Storage TransportAs a part of the FIPS 140-2 level 3 compliance evaluation the Vormetric Data Security Manager has the ability to be zeroized at the appliance console.

Physical and Environmental Protection(PE)• Access Authorizations
• Control
• TransmissionThe Vormetric Data Security Management appliance used as a component of the solution is available as 17”x17”x3” hardware device and can be secured in a lockable data center rack enclosure.

Planning(PL)• Security Architecture
• Concept of OperationsVormetric Transparent Encryption provides fine-grained access policies and AES-256 encryption that can be used to limit privileged user access and implement least-privilege principles for users authorized for access to sensitive data.

Personnel Security(PS)• Personnel Termination and TransferThe Vormetric Transparent Encryption Solution should be operated by personnel at the appropriate level of clearance and information system access. Administrative group links to LDAP compatible Directory Services solutions.

System and Services Acquisition(SA)• Allocation of Resources
• System Development Life CycleSystem Components of the Vormetric Data Security Manager are assembled in the US at the corporate headquarters in San Jose, CA. The DSM is FIPS 140-2 Level 3 certified when the optional Hardware Security Module (HSM) is installed, and FIPS 140-2 Level 2 certified without the HSM.

Systems and Communications Protection(SC)• Application Partitioning
• Security Function Isolation
• Confidentiality and Integrity
• Cryptographic Key Management
• Platform AgnosticismAs a part of the Vormetric Transparent Encryption solution, AES-256 encryption keys are passed through an encrypted wrapper. The Administrator Web Interface is accessed through HTTPS. Agent to DSM communication is accomplished through the use of ephemeral ports and is encrypted using Suite B algorithms.

Systems and Information Integrity(SI)• Security Alerts and Advisories
• Software and Information IntegritySystem Integrity on the Data Security Manager Appliance is satisfied through the DSM’s FIPS 140-2 validation. Host agents installed on an Information System’s server provide encryption at rest capabilities to enhance system integrity.