FISMA Controls per NIST SP 800-53 Security Controls

LPP has contracted Plante Moran (http://www.plantemoran.com/) to review all Lincoln Peak’s Standard Operating Procedures (SOPs) pertaining to Managed Services and determine the enhancements required for FISMA compliance. Specifically, the system is designed to meet FISMA Moderate Risk security controls as specified in the National Institute of Standards and Technology (NIST) Special Publication 800-53. Please note: as of April 2018, HPHCI contracts with GDIT for all PMN development, and this section will be updated according to the new GDIT policies.

The following is a list of applicable NIST SP 800-53 controls and a summary of Lincoln Peak’s policies and procedures for each. These descriptions relate to internal LPP SOPs and policies, not those of the querying system. 

Lincoln Peak Standard Operating Procedures per NIST SP 800-53 Security Controls

  1. Lincoln Peak User Access Policy
    1. Provides policy to control who is allowed to access systems and how that access is managed.
  2. Logical Access
    1. New Hires/Terminated Users/Modifications/Contractors
      1. Documentation and verification of all account requests
    2. User Access Review
      1. Periodic review of accounts to eliminate unnecessary accounts
    3. Segregation of Duties
      1. Limiting functional access by role to ensure only properly trained, authorized MSP personnel have access to production equipment.
    4. VPN Access
      1. Policy for issuing and managed dual token SSL based VPN for accessing all systems
    5. Domain Policies
      1. Active Directory and LDAP policies to control system access
      2. Passwords – 8-character minimum, 100-character maximum, strong password required, quarterly change, password history enforced
      3. Lockouts – 5 failed attempts result in a locked account requiring administrator intervention
  3. System Security
    1. Server/Network Configuration – security policies
      1. DMZ
        1. Web server and database server firewall configuration to prohibit external access to database servers and limit web server protocols/ ports
    2. Secure Data Transfer
      1. FTP
        1. Limited to behind firewall for authenticated VPN users only
      2. Encryption
        1. All traffic traversing the firewall is encrypted, other than HTTP access to the front-end web servers by external users
    3. Assessments and Certifications
      1. Penetration Testing
        1. Periodic testing of security
      2. Vulnerability Scanning
        1. Periodic scanning of ports and systems
    4. Authorized Traffic
      1. Firewalls
        1. Firewall rules are created on a server by server basis to restrict inbound traffic to HTTP (port 80) and/or HTTPS (port 443) to web servers. Port 25 is available on request for SMTP. Additional ports are available if required and are documented through Change Management Process. Database servers have no direct inbound web traffic and are not NAT’d. DMZ firewalls limit access to each database server to the associated web server(s).
      2. Anti-Virus
        1. All servers must run NOD32 anti-virus
    5. Physical Access
      1. Third Party SAS70 Review
        1. Type II SAS-70 audit to be performed in Q4 2010.
  4. Written Information Security Policy/Risk Policy – provides policy on high-level controls for access and security monitoring, as well as response in the event of an incident
    1. Protecting Data
      1. Both Physical and Electronic data are covered in this SOP.
    2. Security Awareness Training
    3. Incident Response
  5. Business Continuity, Disaster Recovery Plan
    1. Policy and plans for recovery of services in the event of data corruption/loss, component failure, system failure, site failure, and geographic failure (i.e., natural disaster).
      1. Data corruption/loss is addressed via the backup/recovery policy
      2. Component failure and system failure are addressed by in-device redundancy and an overall redundant infrastructure architecture, providing near-zero downtime for these conditions
      3. Site failure is addressed via a FISMA-compliant cold site in Phoenix, AZ, with log-shipping database replication and a daily web server backup copied to a remote SAN, allowing a 72-hour configuration and recovery RTO and a 15-minute RPO.
  6. Change Management Policy
    1. Policy and procedure for reviewing and approving all changes to the production environment to ensure no unexpected results
    2. Security Impact Analysis
    3. Change requests
    4. QA testing/end user testing
    5. System Backup
    6. Change Approval prior to Implementation
  7. Software Development Life Cycle
  8. Maintenance Policy
    1. Policy for the control of system maintenance such as OS and application patches
    2. Establishes maintenance schedule
    3. Establishes resource and financial budgeting
  9. Vendor Management Policy
    1. Policy for the review, approval, and control of vendors as they pertain to managed services
  10. Resources Policy – Policy and procedure for review and approval of employee and contractor candidates
    1. Candidate screening including background and reference checks.
    2. System security awareness policy/training
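The Authorized Traffic firewall policy in item 3.4.1 (inbound to web servers limited to HTTP/HTTPS, port 25 on request, other ports only with a Change Management record, database servers reachable only from their associated web servers and never externally) can be checked as policy-as-code. The following is an added example, not Lincoln Peak's own tooling; the host names, roles and rule set are constructed for the demonstration.

```python
from dataclasses import dataclass

# Constructed sample inventory (hypothetical host names, not from the page).
ROLES = {"web1": "web", "web2": "web", "db1": "db"}
# Which web server(s) each database server is associated with (constructed).
ASSOCIATED_WEB = {"db1": {"web1", "web2"}}
WEB_PORTS = {80, 443}   # HTTP/HTTPS allowed inbound to web servers by default


@dataclass(frozen=True)
class Rule:
    host: str        # server the inbound rule is applied to
    src: str         # "any" for external traffic, or a host name from ROLES
    port: int        # inbound destination port
    documented: bool = False  # port 25 granted on request / extra port via Change Management


def audit(rules):
    """Return (host, port, reason) for every rule that breaks the policy."""
    findings = []
    for r in rules:
        role = ROLES.get(r.host)
        if role is None:
            findings.append((r.host, r.port, "unknown-host"))
        elif role == "web":
            # Only 80/443 are open by default; anything else needs a record.
            if r.port not in WEB_PORTS and not r.documented:
                findings.append((r.host, r.port, "undocumented-port"))
        elif role == "db":
            # Database servers take no direct external traffic, and only
            # their associated web server(s) may reach them through the DMZ.
            if r.src == "any":
                findings.append((r.host, r.port, "db-external"))
            elif r.src not in ASSOCIATED_WEB.get(r.host, set()):
                findings.append((r.host, r.port, "db-unassociated-source"))
    return findings


# Constructed rule set with deliberate policy violations for the demo.
SAMPLE_RULES = [
    Rule("web1", "any", 80),
    Rule("web1", "any", 443),
    Rule("web1", "any", 25, documented=True),  # SMTP granted on request
    Rule("web2", "any", 8080),                 # no Change Management record
    Rule("db1", "web1", 1433),                 # associated web server: allowed
    Rule("db1", "any", 1433),                  # external exposure of a DB server
    Rule("db1", "app9", 1433),                 # app9 is not an associated web server
    Rule("legacy", "any", 22),                 # host missing from inventory
]

if __name__ == "__main__":
    for host, port, reason in audit(SAMPLE_RULES):
        print(f"{host}:{port} -> {reason}")
```

Running the audit against an exported rule set before a change is approved gives the Change Management step a concrete check for the "no undocumented inbound ports, no external database exposure" requirement.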

