FISMA Compliance

Thales eSecurity assists with data security compliance and encryption for FISMA, the Federal Information Security Management Act

Americas Map

Regulation

Active now

FISMA

FISMA assigns responsibility to various agencies to ensure the security of data in the federal government, it requires annual reviews of information security programs to keep risks below specified levels.

Thales eSecurity can help prepare federal agencies and their suppliers to meet these FISMA compliance regulations through:

  • Encryption and key management;
  • Access policies and privileged user controls;
  • Security intelligence.
FISMA Compliance
FISMA Requirements

According to TechTarget’s SearchSecurity website:

FISMA compliance requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. The National Institute of Standards and Technology (NIST) outlines nine steps toward compliance with FISMA compliance:

  1. Categorize the information to be protected.
  2. Select minimum baseline controls.
  3. Refine controls using a risk assessment procedure.
  4. Document the controls in the system security plan.
  5. Implement security controls in appropriate information systems.
  6. Assess the effectiveness of the security controls once they have been implemented.
  7. Determine agency-level risk to the mission or business case.
  8. Authorize the information system for processing.
  9. Monitor the security controls on a continuous basis.
Facets of FISMA Thales eSecurity Can Help With

Core Thales eSecurity capabilities that help meet FISMA compliance standards include:

  • Encryption and Key Management: Strong, centrally managed, file, volume and application encryption combined with simple, centralized key management that is transparent to processes, applications and users.
  • Access Policies and Privileged User Controls: Restrict access to encrypted data – permitting data to be decrypted only for authorized users and applications, while allowing privileged users to perform IT operations without the ability to see protected information.
  • Security Intelligence: Logs that capture access attempts to protected data, providing high value security intelligence information that can be used with a Security Information and Event Management (SIEM) solution and for compliance reporting.

In addition to helping you comply with FISMA; NIST 800-53, Revision 4; FIPS 140-2; FIPS 199; FIPS 200 and FedRAMP, Thales eSecurity solutions are designed to help you comply with:

The Vormetric Data Security Platform

The Vormetric Data Security Platform from Thales eSecurity is the only solution with a single extensible framework for protecting data-at-rest under the diverse requirements of Federal Agencies across the broadest range of OS platforms, databases, cloud environments and big data implementations. The result is low total cost of ownership, as well as simple, efficient deployment and operation.

Vormetric Transparent Encryption

Vormetric Transparent Encryption from Thales eSecurity provides file and volume level data-at-rest encryption, secure key management and access controls required by regulation and compliance regimes.

Vormetric Key Management

Vormetric Key Management from Thales eSecurity enables centralized management of encryption keys for other environments and devices including KMIP compatible hardware, Oracle and SQL Server TDE master keys and digital certificates.

Vormetric Data Security Intelligence

Vormetric Data Security Intelligence from Thales eSecurity provides another level of protection from malicious insiders, privileged users, APTs and other attacks that compromise data by delivering the access pattern information that can identify an incident in progress.

Vormetric Application Encryption

Vormetric Application Encryption enables agencies to easily build encryption capabilities into internal applications at the field and column level.

Vormetric Tokenization with Dynamic Masking

Vormetric Tokenization with Dynamic Masking from Thales eSecurity lets administrators establish policies to return an entire field tokenized or dynamically mask parts of a field. With the solution’s format-preserving tokenization capabilities, you can restrict access to sensitive assets, yet at the same time, format the protected data in a way that enables many users to do their jobs.

Vormetric Cloud Encryption Gateway

The Vormetric Cloud Encryption Gateway from Thales eSecurity safeguards files in cloud storage environments. It encrypts sensitive data before it is saved to the cloud enabling security teams to establish the visibility and control they need around sensitive assets. Because Vormetric’s Cloud Encryption Gateway relies on Thales eSecurity's Vormetric Data Security Manager for encryption key and policy management, customers never relinquish control of cryptographic keys to the provider and data never leaves the enterprise premises unencrypted or unaccounted for.

Research and Whitepapers : Vormetric FedRAMP / NIST 800-53 Requirements Mapping

Critical to certification for meeting FIPS, is the implementation of security controls from NIST 800-53, Appendix F. Focusing on the capabilities needed to meet these requirements, this paper provides background about the Thales Data Security Platform and the Thales Transparent Encryption product that is delivered through that platform....

Download

Research and Whitepapers : Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications

By Securosis analysts and industry experts, Rich Mogull, CEO and Adrian Lane, CTO.

This paper cuts through the confusion to help you pick the best encryption and tokenization options for your projects. The focus is on encrypting in the data center: applications, servers, databases, and storage. It also covers cloud computing (IaaS: Infrastructure as a Service)....

Download

Other key data protection and security regulations

NIST 800-53 / FedRAMP

Americas Map Thumbnail

Mandate

Active now

Since June 5, 2014 federal agencies have been required to meet FedRAMP standards, ensuring they meet internal data security standards and extended security controls for cloud-computing.

Learn More

HIPAA

Americas Map Thumbnail

Regulation

Active now

These regulations cover healthcare information in the US, HIPAA relates to protection; encryption, key management. etc and HITECH relates to disclosure of data breaches.

Learn More

SOX

Americas Map Thumbnail

Regulation

Active now

United States Federal Law setting standards for a range of US companies, SOX Act sections 302 and 404 relate directly to data protection.

Learn More
Contact a Compliance Specialist Contact Us
Are you fit for GDPR Take our readiness assessment now
Read the Compliance and Regulations Solutions Handbook Read the eBook

Related Solutions

NIST 800-53/ FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

Learn More

Data Breach notification laws

Data breach notification requirements following loss of personal information have been enacted by governments around the globe. They vary by jurisdiction, but almost universally include a “safe harbour” clause.

Learn More

Data Residency

There are more than 100 national data privacy laws on the books. Global enterprise, SaaS vendors and cloud-solution providers need to be aware how to meet data residency requirements in their environment.

Learn More
As a global payment solutions and commerce enablement leader, Verifone’s strategy is to develop and deploy “best in class” payment solutions and services that meet or exceed global security standards and help our clients securely accept electronic payments across all channels of commerce. We selected Thales HSMs to provide robust security, unmatched performance and superior scalability across our payment security platforms, protecting encryption keys from virtually any attack. This helps Verifone to continue reducing merchants’ growing exposure to data breaches and cyber criminals and more aggressively safeguard consumer information… Joe Majka,Chief Security Officer
The Vormetric solution not only solved all of our encryption needs but alleviated any fears of the complexity and overhead of managing the environment once it was in place. Joseph Johnson,chief information security officer CHS
My concern with encryption was the overhead on user and application performance. With Thales eSecurity, people have no idea it’s even running. Karl MudraCIO
Delta Dental of Missouri
Vormetric’s approach of coupling access control with encryption is a very powerful combination. We use it to demonstrate to clients our commitment to preserving the security and integrity of their test cases, data and designs. David VargasInformation Security Architect
Cadence Design Systems
Implementing Vormetric has given our own clients an added level of confidence in the relationship they have with us; they know we’re serious about taking care of their data. Audley Deansenior director of Information Security,
BMC Software
There is absolutely no noticeable impact on the performance or usability of applications. I am very excited at how easy the solution is to deploy and it has always performed flawlessly. Christian MuusDirector of Security for Teleperformance EMEA
Thales eSecurity is our standard. Whenever an encryption solution is needed, the answer is always, ‘let’s start with Thales eSecurity. Damian McDonaldVice President of Global Information Security, Becton, Dickinson and Company
Vormetric Encryption delivers what we need it to do – without any fuss or drama – knowing it’s in place is one less thing to worry about. Albert AvilaBusiness Solutions Specialist, Fujitsu America, Inc.
Watch our interactive demo Explore
Schedule a live demo Schedule
Get in contact with a specialist Contact us