FISMA Compliance Controls: XQ’s Contribution


Introduction

The Federal Information Security Management Act (FISMA) requires federal agencies and their contractors to protect information systems' confidentiality, integrity, and availability. Compliance with FISMA is achieved through adherence to the National Institute of Standards and Technology (NIST) Special Publication 800-53 (NIST 800-53) controls. This document outlines how XQ’s solutions help meet specific NIST 800-53 controls related to FISMA compliance.


FISMA and NIST 800-53 Overview

FISMA mandates that federal agencies:

  1. Develop, document, and implement an information security program.

  2. Conduct periodic assessments of information security controls.

  3. Develop and maintain a security plan for each information system.

  4. Ensure continuous monitoring of information systems.

XQ's Role in Meeting FISMA Controls

1. Access Control (AC)

  • AC-1: Access Control Policy and Procedures

    • Description: Establishes policies and procedures for managing access controls.

    • XQ’s Role: XQ helps enforce the access control policies established by the organization. While the creation of policy documents falls outside XQ’s scope, adding XQ provides an additional enforcement layer for those organizational policies, enabling more robust and more granular access control policies.

  • AC-2: Account Management

    • Description: Manages user accounts and permissions.

    • XQ’s Role: XQ integrates with identity providers such as Microsoft AD and Okta and supports multi-factor authentication (MFA) to manage user accounts and apply more advanced permissions, ensuring that only authorized users can access sensitive data. XQ’s Active Directory integrations automate role-based access control at the data level.

  • AC-3: Access Enforcement

    • Description: Enforces access controls to ensure authorized access.

    • XQ’s Role: XQ enforces access controls by encrypting data and only allowing authorized users to decrypt and access the data, ensuring robust access enforcement.

  • AC-4: Information Flow Enforcement

    • Description: Controls the flow of information within and between systems.

    • XQ’s Role: XQ can enforce information flow restrictions by encrypting data at the source and only allowing decryption by authorized parties, ensuring controlled data flow.

  • AC-5: Separation of Duties

    • Description: Ensures that responsibilities and tasks are divided to prevent conflicts of interest.

    • XQ’s Role: XQ adds an additional security layer enabling more advanced segregation of responsibilities, limiting data access based on job functions.

  • AC-6: Least Privilege

    • Description: Grants users only the permissions necessary for their roles.

    • XQ’s Role: XQ enables the implementation of least privilege by providing granular access control through encryption. Only those with access rights can decrypt and interact with the data.

  • AC-7: Unsuccessful Logon Attempts

    • Description: Manages and limits the number of unsuccessful login attempts.

    • Not Applicable: XQ does not manage login attempts, as it relies on third-party identity providers for authentication.

  • AC-8: System Use Notification

    • Description: Provides notifications to users about the system’s use and access policies.

    • XQ’s Role: XQ controls data access policies for encrypted data and notifies administrators about unauthorized access. XQ does provide a comprehensive set of logs for data access that can be fed into other tools (SIEMs) for notification.

  • AC-10: Concurrent Session Control

    • Description: Manages and controls the number of concurrent user sessions.

    • XQ’s Role: XQ will not allow the same account to access a file concurrently. It also limits concurrent access from separate accounts.

  • AC-12: Session Termination

    • Description: Manages the termination of user sessions.

    • XQ’s Role: XQ terminates application sessions after a timed interval set by the XQ team administrator.

  • AC-16: Security Attributes

    • Description: Enforces security attributes and policies on information.

    • XQ’s Role: XQ provides a mechanism to enforce security attributes through metadata tagging and policy-based encryption. Data is tagged with security policies that define who can access or decrypt it.

  • AC-17: Remote Access

    • Description: Secures data and access during remote access.

    • XQ’s Role: XQ secures data during remote access by encrypting data at the edge. Only authorized users can decrypt and access the data, even in remote or untrusted environments, if permitted by organizational access policies.

  • AC-19: Access Control for Mobile Devices

    • Description: Manages and secures access from mobile devices.

    • XQ’s Role: XQ’s data encryption ensures that data accessed on mobile devices remains secure. Policies embedded in the encrypted data enforce access controls regardless of the device.

  • AC-20: Use of External Information Systems

    • Description: Controls the use and integration of external systems.

    • XQ’s Role: XQ ensures secure data transmission to external information systems through encryption, ensuring compliance when integrating third-party systems.

  • AC-21: Information Sharing

    • Description: Manages and controls the sharing of sensitive information.

    • XQ’s Role: XQ enables secure information sharing by encrypting data at rest and in transit, allowing organizations to safely share sensitive information while maintaining control over access.

  • AC-22: Data Mining Protection

    • Description: Protects data from unauthorized mining and analysis.

    • XQ’s Role: XQ protects data from unauthorized mining and analysis by encrypting each data object with unique keys and controlling access to those keys accordingly. This ensures that sensitive information remains secure.

  • AC-23: Access Control Decisions

    • Description: Supports and manages decisions related to access control.

    • XQ’s Role: XQ supports access control decisions through policy enforcement and real-time access checks, ensuring that data access aligns with predefined policies.

  • AC-24: Reference Monitor

    • Description: Enforces access control policies and decisions.

    • XQ’s Role: XQ’s access control mechanisms act as a reference monitor to enforce security policies and ensure compliance.

2. Audit and Accountability (AU)

  • AU-1: Audit and Accountability Policy and Procedures

    • Description: Establishes policies and procedures for auditing and accountability.

    • XQ’s Role: XQ can generate detailed audit logs of encryption, decryption, and data transmission events. While policy creation is external, XQ contributes to maintaining comprehensive audit trails.

  • AU-2: Audit Events

    • Description: Defines which events are audited.

    • XQ’s Role: XQ logs key data activities, such as encryption/decryption and access attempts, supporting the identification of relevant audit events.

  • AU-3: Content of Audit Records

    • Description: Specifies the content required in audit records.

    • XQ’s Role: XQ audit records capture essential details, including user identity, data accessed, and event timing, supporting accountability.

  • AU-6: Audit Review, Analysis, and Reporting

    • Description: Manages the review, analysis, and reporting of audit records.

    • XQ’s Role: XQ supports review and analysis by offering tamper-proof audit logs that can be integrated into broader monitoring and reporting systems for review.

  • AU-8: Time Stamps

    • Description: Ensures that audit records are time-stamped.

    • XQ’s Role: XQ logs encryption/decryption events with precise timestamps, ensuring that audit records are time-stamped for traceability.

  • AU-9: Protection of Audit Information

    • Description: Protects audit information from unauthorized access and alteration.

    • XQ’s Role: XQ secures audit logs with encryption, ensuring that audit records cannot be altered or tampered with.

  • AU-10: Non-repudiation

    • Description: Ensures that actions and access cannot be denied by users.

    • XQ’s Role: XQ’s encryption technology ensures that data access is auditable and traceable, providing non-repudiation by proving the identity of users who accessed or decrypted data.
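The AU-6, AU-8, AU-9 and AU-10 entries above describe audit records that are time-stamped, attributable to a user, and tamper-proof. The page does not say how XQ protects its logs, so the following is an added example, not XQ's code: it models the property a reviewer would want to check with a hash-chained, HMAC-authenticated log in plain Python (standard library only). Each record carries the MAC of its predecessor, so editing, deleting or reordering any record is detected during verification. The HMAC key, user names and events are constructed sample values, and the key would live in a KMS or HSM in a real deployment.

```python
import hashlib
import hmac
import json

# Constructed demo secret (assumption): a real deployment keeps this in a KMS/HSM
# and never in source. It authenticates every record in the chain.
LOG_HMAC_KEY = b"constructed-demo-log-key-not-for-production"
GENESIS = "0" * 64  # "previous MAC" for the first record
FIELDS = ("prev", "user", "action", "object", "ts")


def _canonical(body):
    # Stable serialisation so the MAC covers exactly the same bytes on verify.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(body):
    return hmac.new(LOG_HMAC_KEY, _canonical(body), hashlib.sha256).hexdigest()


def append_event(log, user, action, object_id, ts):
    """Append a record whose MAC also commits to the previous record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"prev": prev, "user": user, "action": action, "object": object_id, "ts": ts}
    rec = dict(body, mac=_mac(body))
    log.append(rec)
    return rec


def verify_log(log):
    """Return (True, len(log)) if intact, else (False, index_of_first_bad_record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("prev") != prev:
            return False, i            # deletion, insertion or reordering
        body = {k: rec[k] for k in FIELDS}
        if not hmac.compare_digest(_mac(body), rec.get("mac", "")):
            return False, i            # field edited or MAC forged
        prev = rec["mac"]
    return True, len(log)


def build_sample_log():
    # Constructed sample events (timestamps in UTC, ISO 8601, per AU-8).
    log = []
    append_event(log, "alice@agency.example", "encrypt", "doc-001", "2024-05-01T12:00:00+00:00")
    append_event(log, "bob@agency.example", "decrypt", "doc-001", "2024-05-01T12:05:00+00:00")
    append_event(log, "carol@agency.example", "decrypt_denied", "doc-001", "2024-05-01T12:07:00+00:00")
    return log


def edit_demo():
    """An after-the-fact edit of record 2 is detected at index 2."""
    log = build_sample_log()
    log[2]["action"] = "decrypt"
    return verify_log(log)


def deletion_demo():
    """Removing the middle record breaks the chain at the record that followed it."""
    log = build_sample_log()
    del log[1]
    return verify_log(log)


if __name__ == "__main__":
    print("intact:", verify_log(build_sample_log()))
    print("edited:", edit_demo())
    print("deleted:", deletion_demo())
```

A SIEM ingesting such records (the AC-8 entry mentions feeding XQ logs to a SIEM) can re-run the verification on each batch; the first failing index pinpoints where the chain was broken.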

3. Security Assessment and Authorization (CA)

XQ undergoes regular penetration testing and certification processes to validate compliance with security standards and best practices.

4. Configuration Management (CM)

  • CM-1: Configuration Management Policy and Procedures

    • Description: Establishes policies and procedures for configuration management.

    • XQ’s Role: XQ does not handle system configuration management policies, but it does handle the management of data policies and procedures.

  • CM-2: Baseline Configuration

    • Description: Establishes and maintains baseline configurations for systems.

    • XQ’s Role: XQ maintains secure baseline encryption and access control configurations to ensure consistent security practices.

  • CM-3: Configuration Change Control

    • Description: Manages and controls changes to system configurations.

    • XQ’s Role: XQ logs changes to XQ application and system configurations.

  • CM-4: Security Impact Analysis

    • Description: Analyzes the security impact of changes to systems.

    • XQ’s Role: XQ logs can be used to track any changes made to XQ built applications. This will support IT teams in conducting security impact analysis on changes to systems.

  • CM-5: Access Restrictions for Change

    • Description: Controls access to system configurations and changes.

    • XQ’s Role: XQ controls and logs access changes and configuration changes to XQ-built applications.

5. Identification and Authentication (IA)

  • IA-1: Identification and Authentication Policy and Procedures

    • Description: Establishes policies and procedures for identification and authentication.

    • XQ’s Role: XQ enforces access controls; the creation of identification and authentication policies is outside its scope.

  • IA-2: Identification and Authentication (Organizational Users)

    • Description: Manages identification and authentication of organizational users.

    • XQ’s Role: XQ integrates with identity management systems to ensure that only authenticated users can decrypt and access data, supporting strong identification and authentication practices.

  • IA-5: Authenticator Management

    • Description: Manages and controls the use of authenticators.

    • XQ’s Role: XQ integrates with MFA systems, ensuring that strong authenticators (e.g., biometrics or tokens) are enforced for data access.

  • IA-7: Cryptographic Module Authentication

    • Description: Ensures that cryptographic modules are authenticated.

    • XQ’s Role: XQ relies on cryptographic modules for encryption and authentication, ensuring that only approved cryptographic keys can be used to access data.

  • IA-8: Cryptographic Key Management

    • Description: Manages the lifecycle of cryptographic keys.

    • XQ’s Role: XQ manages the lifecycle of cryptographic keys by setting an expiration time on all keys generated using its products. Key rotation occurs only when a file is re-encrypted, such as when changes are made to the file. This approach ensures that cryptographic keys are securely managed throughout their lifecycle.


6. System and Communications Protection (SC)

  • SC-8: Transmission Confidentiality and Integrity

    • Description: Protects the confidentiality and integrity of information during transmission.

    • XQ’s Role: XQ ensures that data transmitted across networks is encrypted, protecting both the confidentiality and integrity of the information during transmission.

  • SC-12: Cryptographic Key Establishment and Management

    • Description: Manages the establishment and lifecycle of cryptographic keys.

    • XQ’s Role: XQ ensures all data is encrypted using FIPS 140-2 compliant encryption algorithms. Keys generated by XQ products have a defined lifecycle, with key rotation occurring whenever a file is re-encrypted, such as when modifications are made. This approach ensures that cryptographic keys are securely managed throughout their lifecycle, including secure generation, distribution, and adherence to policy-based management practices.
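The IA-8 and SC-12 entries describe a key lifecycle in which every key has an expiration time and rotation happens when a file is re-encrypted, while AC-16, AC-22 and AC-23 describe per-object keys released only after a policy check. The following is an added example, not XQ's implementation, that models those rules together in standard-library Python: a key store that mints a fresh key per protected object, refuses to release a key that is expired or retired, retires the old key on re-encryption, and checks the object's policy before every release. The cipher step is deliberately left out (only the key-release decision is modelled), and the 30-day TTL, user names and roles are constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class KeyRecord:
    key_id: str
    material: bytes
    created: datetime
    expires: datetime
    retired: bool = False   # set when the object is re-encrypted under a new key


@dataclass
class ProtectedObject:
    object_id: str
    key_id: str
    policy: dict            # {"allow": {users}, "roles": {roles}}; constructed policy shape
    version: int = 1


class KeyStore:
    """Per-object keys with expiry, policy-gated release, rotation on re-encrypt."""

    def __init__(self, ttl=timedelta(days=30)):   # 30-day TTL is an assumption
        self.ttl = ttl
        self.keys = {}
        self.objects = {}

    def _mint_key(self, now):
        kid = secrets.token_hex(8)
        self.keys[kid] = KeyRecord(kid, secrets.token_bytes(32), now, now + self.ttl)
        return kid

    def protect(self, object_id, policy, now):
        """Protect a new object: one unique key per object (AC-22)."""
        obj = ProtectedObject(object_id, self._mint_key(now), policy)
        self.objects[object_id] = obj
        return obj

    def reencrypt(self, object_id, now, policy=None):
        """Re-encrypting rotates the key: old key retired, new key minted (IA-8/SC-12)."""
        obj = self.objects[object_id]
        self.keys[obj.key_id].retired = True
        obj.key_id = self._mint_key(now)
        obj.version += 1
        if policy is not None:
            obj.policy = policy
        return obj

    def request_key(self, object_id, user, roles, now):
        """Release key material only if policy allows and the key is live (AC-23)."""
        obj = self.objects.get(object_id)
        if obj is None:
            return None, "unknown_object"
        allowed = user in obj.policy.get("allow", set()) or bool(roles & obj.policy.get("roles", set()))
        if not allowed:
            return None, "policy_denied"
        rec = self.keys[obj.key_id]
        if rec.retired:
            return None, "key_retired"
        if now >= rec.expires:
            return None, "key_expired"
        return rec.material, "ok"


def run_scenario():
    """Constructed walk-through; returns the decision for each request plus rotation facts."""
    t0 = datetime(2024, 5, 1, tzinfo=timezone.utc)
    ks = KeyStore()
    ks.protect("doc-001", {"allow": {"alice"}, "roles": {"analyst"}}, t0)
    first_key = ks.keys[ks.objects["doc-001"].key_id].material

    decisions = []
    k, s = ks.request_key("doc-001", "alice", set(), t0 + timedelta(days=1));  decisions.append(s)
    k, s = ks.request_key("doc-001", "mallory", set(), t0 + timedelta(days=1)); decisions.append(s)
    k, s = ks.request_key("doc-001", "carol", {"analyst"}, t0 + timedelta(days=2)); decisions.append(s)
    k, s = ks.request_key("doc-001", "alice", set(), t0 + timedelta(days=31)); decisions.append(s)

    # File modified: re-encrypt with a narrower policy; key rotates.
    ks.reencrypt("doc-001", t0 + timedelta(days=31), policy={"allow": {"alice"}, "roles": set()})
    k, s = ks.request_key("doc-001", "alice", set(), t0 + timedelta(days=32)); decisions.append(s)
    rotated = k != first_key
    k, s = ks.request_key("doc-001", "carol", {"analyst"}, t0 + timedelta(days=32)); decisions.append(s)

    return {"decisions": decisions, "rotated": rotated,
            "version": ks.objects["doc-001"].version,
            "retired_keys": sum(r.retired for r in ks.keys.values())}


if __name__ == "__main__":
    print(run_scenario())
```

The scenario is the one a FISMA assessor would probe for: a user entitled by name, a user entitled by role, an outsider, a request after the key has expired, and the same requests after a re-encryption that both rotates the key and narrows the policy.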

  • SC-13: Cryptographic Protection

    • Description: Provides cryptographic protection for data.

    • XQ’s Role: XQ ensures cryptographic protection of data through advanced encryption techniques, protecting data at rest and in transit.

  • SC-28: Protection of Information at Rest

    • Description: Protects information stored on systems from unauthorized access.

    • XQ’s Role: XQ encrypts data at rest, ensuring that sensitive information stored on systems remains protected from unauthorized access.

  • SC-34: Communications Protection

    • Description: Ensures the protection of data communications.

    • XQ’s Role: XQ employs encryption and other techniques to protect data communications from unauthorized access and tampering.

7. System and Information Integrity (SI)

  • SI-7: Software, Firmware, and Information Integrity

    • Description: Ensures the integrity of software, firmware, and information.

    • XQ’s Role: XQ ensures the integrity of XQ-encrypted data, including files and communications, by encrypting data at the edge. This approach makes unauthorized modifications detectable and prevents tampering, thereby maintaining the integrity of the information.

  • SI-10: Information Input Validation

    • Description: Validates input to ensure it is accurate and secure.

    • Not Applicable: XQ does not handle information input validation directly. Application-level controls typically handle input validation.

  • SI-11: Error Handling

    • Description: Manages error handling to ensure sensitive data is protected.

    • XQ’s Role: XQ’s encryption and access controls include mechanisms to handle errors securely without exposing sensitive data.

  • SI-12: Security Alerts

    • Description: Manages security alerts and notifications.

    • XQ’s Role: XQ supports security alert mechanisms by logging and reporting critical data access and encryption events.

Conclusion

XQ’s solutions are designed to help organizations meet a range of NIST 800-53 controls, facilitating compliance with FISMA requirements. By leveraging XQ’s advanced security features, organizations can effectively manage and protect their information systems, ensuring robust security and compliance.
