FISMA Compliance

Veracode FISMA Compliance Solution

The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). The Act was meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating information security controls and periodic audits.

The National Institute of Standards and Technology (NIST) is chartered with developing and issuing the standards, guidelines, and other publications that federal agencies must follow to implement FISMA and to run cost-effective programs for protecting their information and information systems. The NIST Special Publication (SP) 800 series, together with FIPS 199 (security categorization) and FIPS 200 (minimum security requirements), forms the risk-based framework that federal agencies use to categorize their systems and to select, implement, assess, monitor and document security controls, as shown in the figure below:


Software Security and FISMA

Federal agencies have moved aggressively toward an eGovernment model, adapting and migrating paper-based processes to internet-based services. As a result, most federal information activity is now handled by software and exposed through web applications. Not surprisingly, attacks have shifted to the application layer: the National Vulnerability Database recorded over 5,000 new software vulnerabilities disclosed in 2013 alone. To achieve FISMA compliance, federal agencies must be able to show that their software applications have been tested for vulnerabilities that could compromise their systems.

Veracode Helps Federal Agencies Achieve FISMA Compliance

Veracode’s on-demand application security testing solution ensures that software used in federal agencies has been scanned for vulnerabilities, malicious code and backdoors. This lets agencies provide evidence that their security policies and controls are working properly under the following control families of NIST SP 800-53 Rev. 1 (the family names below are those used in Rev. 1):

  • Audit and Accountability – Veracode’s security-as-a-service (SaaS) model lets agencies easily set up periodic security audits of their applications.
  • Certification, Accreditation, and Security Assessments – Veracode’s standards-based rating gives auditors “visible proof” that systems have undergone independent security assessments against government benchmarks.
  • Risk Assessment – Veracode’s unique ability to scan both custom-built and commercially developed applications lets agencies meet FISMA requirements for software vulnerability scanning.
  • System and Services Acquisition – Veracode is the only solutions provider that can scan packaged GOTS and COTS (government and commercial off-the-shelf) applications without access to source code, so agencies can embed security testing into their procurement process in accordance with FISMA requirements.
  • System and Communications Protection – Veracode tests not only for vulnerabilities but also analyzes applications for the presence or absence of the security features FISMA requires.
  • System and Information Integrity – Veracode is the only solutions provider that can identify backdoors or malicious code within applications, helping ensure the integrity of the system and its information.