File(s)
Windows
Download Symantec Enterprise Security Manager Policy Manual for FISMA (Windows) (PDF)
Download Windows NT 4.0 Policy Installer (EXE)
Download Windows 2000 Policy Installer (EXE)
Download Windows Server 2003 Policy Installer (EXE)
Download Windows XP Professional Policy Installer (EXE)
UNIX
Download Symantec Enterprise Security Manager Policy Manual for FISMA (UNIX) (PDF)
Download AIX Policy Installer (EXE)
Download Solaris Policy Installer (EXE)
Download Red Hat Linux Policy Installer (EXE)
Download HP-UX Policy Installer (EXE)
Download SuSE Linux Policy Installer (EXE)
Note: To use these policies, Symantec ESM SU18 or later is required for Symantec ESM 5.5 or Symantec ESM 6.0 managers and agents.
Description
Symantec's Enterprise Security Manager FISMA policies are configured by members of the Symantec Security Response team to assess compliance with the act's minimum requirements. By supporting the security requirements defined by the act, the policies protect specific operating system platforms from vulnerabilities and exposures due to missing or improperly configured security controls that could compromise the confidentiality, integrity, and/or availability of data that is stored and transmitted on your computer network.
FISMA is supported on the following operating systems:
- Windows NT 4.0 Server
- Windows NT 4.0 Workstation
- Windows 2000 Server
- Windows 2000 Professional
- Windows XP Professional
- IBM AIX 4.x and 5.x
- Hewlett-Packard HP-UX versions 10.x and 11.x
- Red Hat Linux Enterprise Server versions 2.1 and 3.0 ES
- Red Hat Linux versions 6.x and 7.x
- Sun Solaris 8 and 9
- SUSE Linux Standard Server version 8
About FISMA and NIST
The Federal Information Security Management Act of 2002 (FISMA, P.L. 107-347, Sec. 301-305) requires federal agencies to establish risk-based information security programs that include periodic risk assessments and compliance with information security standards. Agencies and U.S. Federal contractors are required to assess the risks that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information on U.S. Federal government or contract systems.
FISMA Section 3544(a)(1)(B)(i) establishes the requirement for Agency heads to comply with Section 11331 of Title 40 USC. Section 11331 amends section 20 of the National Institute of Standards and Technology (NIST) Act to give the Institute the responsibility for developing standards and guidelines for agencies and contractors to agencies, other than for national security.
NIST has developed draft Special Publication 800-53, Recommended Security Controls for Federal Information Systems. NIST has full authority to set standards.
FISMA 3545(f) specifies a requirement for "protection of information". While NIST SP 800-53 mentions many practices that protect information, there is no explicit recognition of the FISMA requirement anywhere in the publication. The NIST publication focuses primarily on activities to protect systems, not data.
Introducing Symantec ESM Policy for FISMA
This Symantec ESM policy for FISMA assesses compliance with the Federal Information Security Management Act (FISMA) for protection of information and systems that store and distribute information.
Running ESM with the FISMA policy also helps you comply with FISMA section 3544(a)(1)(C), which requires an integrated information security program, and with sections 3544(a)(2)(D), 3544(b)(5), and 3544(b)(5)(A), which call for periodic testing, evaluation, and assessment of your information security posture.
FISMA section 3544(a)(1)(B)(i) requires compliance with USC40 section 11331, which amends the National Institute of Standards and Technology Act to grant the National Institute of Standards and Technology (NIST) authority to establish information security standards for federal agencies and contractors not involved with national security matters. In turn, NIST has published draft Special Publication 800-53, which establishes specific requirements and guidelines for information security.
Last modified on: Friday, 29-Aug-08 14:35:57