NIST 800-53 Security Controls

Hello Experts,

I am in the planning stages to build a "target" environment that meets FISMA compliance regulations. I have plotted and designed the target equipment costing and the Gap Analysis/Risk assessment; however, I was curious as to what controls I should consider looking at.

My environment will be private (no public facing access), with 2 IIS boxes, 1 SQL box, 1 AD box, 1 Barracuda backup box, and a XenServer to host 30 XenDesktop machines.

I have been looking into LogRhythm for SIEM, TrendMicro for Endpoints, Tripwire for Integrity, SAINT for Vulnerability Scanning, and ScriptLogic for AD controls/reporting.

Obviously there is no "magic bullet" that will cover ALL of the controls. My goal is to cover as many security controls as I can with as few vendors as possible.

Are there any other recommendations or other controls that I should be looking at?
For FISMA compliance, 800-53a is a great place to start.  The SRTM controls are pulled directly from NIST documentation.
You may also want to look at FIPS 140-2 for encryption requirements.

May I also recommend looking at Nessus for vulnerability scanning; they have FISMA templates that you can use. The ProfessionalFeed is very affordable. Also, we use LogRhythm and we are very satisfied with it... it has great reporting options and many templates to choose from regarding compliance.

The SANS Consensus Audit Guidelines (CAG) would also be a good resource for you to browse.

If you happen to host any Windows OS desktops in the future, you will want to look at FDCC documentation as well.

LR_Brian (Author) commented:
Thanks for the recommendations.

I will accept your above response as the solution.

Do you also use FIM with LogRhythm? I'm curious how well they do with it.
Yes, we do on our web servers. It does a pretty good job; sometimes it will report modifications, but we think that is because the AV touches the files... something we need to take up with support. It doesn't happen all the time. One thing I do like about the product is that if you have certain application logs that LogRhythm doesn't have a format for, you can submit them to support and they will try to get it out in the next release. They actually did that for Hyper-V faster than I thought they would.
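The reply above describes a common file integrity monitoring (FIM) false positive: an antivirus scan can update a file's metadata without changing its content, and a monitor that keys only on timestamps reports a "modification". The script below is an added illustration (not LogRhythm's code, nor anything from the posters) of how a content-hash baseline separates real modifications from metadata-only touches. The directory layout, file names and contents are all constructed here for the demonstration; `build_baseline`, `compare` and `demo` are names chosen for this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file's content, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record content hash plus size/mtime for every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mtime": st.st_mtime,
            }
    return baseline


def compare(baseline, current):
    """Classify each path: content changed, metadata-only touch, added, removed."""
    report = {"modified": [], "touched": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new["sha256"] != old["sha256"]:
            # Content actually differs: this is the alert a FIM should raise.
            report["modified"].append(rel)
        elif new["mtime"] != old["mtime"] or new["size"] != old["size"]:
            # Same content, different timestamp: the "AV touched it" case.
            report["touched"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: a web root is baselined, then four things happen."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "web.config").write_text("<configuration/>\n")
        (root / "index.html").write_text("<html>hello</html>\n")
        (root / "old.log").write_text("stale\n")

        baseline = build_baseline(root)

        # 1. Genuine modification: config content changes.
        (root / "web.config").write_text("<configuration><debug/></configuration>\n")
        # 2. Metadata-only touch (what an AV scan can do): bump mtime, same bytes.
        t = baseline["index.html"]["mtime"] + 100
        os.utime(root / "index.html", (t, t))
        # 3. New file dropped into the web root.
        (root / "new.dll").write_bytes(b"\x4d\x5a constructed sample\n")
        # 4. File removed.
        (root / "old.log").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Run stand-alone it prints one line per category; only `modified`, `added` and `removed` are worth an alert, while `touched` entries are the ones to suppress or route to a lower-priority queue after confirming the hash is unchanged.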