FedRAMP; NIST 800-53; FIPS 140-2, 199, and 200; and FISMA

Vormetric Data Security Solutions

NIST 800-53 Rev 4 Security Controls

Beginning on 5 June 2014, federal agencies are required to meet new standards for use of cloud computing under the FedRAMP initiative. With the push to cloud computing, and with federal data breaches of PII now 2.5X higher than in 2009, agencies more than ever need to consider how to meet their internal data security standards as well as the extended security controls required for use of cloud computing resources.

NIST Special Publication 800-53 is the most critical document for this. It details the security controls for Federal information systems that FIPS 200 requires, and was recently updated to revision 4; the FedRAMP baselines that agencies must apply to cloud services are built from these controls. FIPS 200 implements the FISMA Act of 2002, which requires Federal agencies to implement and document information security programs, and FIPS 199 supplies the impact categorization (low, moderate, high) that determines which 800-53 baseline applies to a given system.

Focused on protecting data at rest, Vormetric enables US government agencies to implement and sustain compliance with these requirements through data protection controls, together with training and awareness for the solution. The Vormetric Data Security Manager (DSM) is available as a FIPS 140-2 Level 2 or Level 3 validated appliance and is also undergoing Common Criteria evaluation.

Core capabilities that support NIST 800-53 revision 4 include:

  • Encryption and Key Management: Strong, centrally managed, file, volume and application encryption combined with simple, centralized key management that is transparent to processes, applications and users.
  • Access Policies and Privileged User Controls: Restrict access to encrypted data, permitting data to be decrypted only for authorized users and applications, while allowing privileged users to perform IT operations without the ability to see protected information.
  • Security Intelligence: Logs that capture access attempts to protected data, providing high value security intelligence information that can be used with a Security Information and Event Management (SIEM) solution and for compliance reporting.

For a full look at how Vormetric solutions map to NIST 800-53 requirements, see the Vormetric NIST 800-53 Mapping white paper, which maps the security controls to Vormetric features in detail. Below is an overview of the security control family requirements addressed by Vormetric solutions.

Overview - Vormetric Transparent Encryption & NIST 800-53 revision 4

For each control family, the baseline controls the solution addresses are listed first, followed by how Vormetric Transparent Encryption and the Data Security Manager (DSM) address them.

Access Control (AC)
  • Baseline: Account Management (AC-2); Separation of Duties (AC-5); Least Privilege (AC-6)
  • Vormetric: Kernel-level agents apply AES-256 encryption and access policy at the file, directory, or volume level inside the operating system, augmenting the operating system's native access controls and enforcing least privilege for access to protected data.

Awareness and Training (AT)
  • Baseline: Training Policies (AT-1); Security Awareness Training (AT-2); Role-Based Security Training (AT-3)
  • Vormetric: Vormetric Professional Services offers in-person and online training on use of the solution. The solution has few administrative tasks, and the training covers the tasks and responsibilities of each deployed role, with corresponding documentation.

Audit and Accountability (AU)
  • Baseline: Audit Events (AU-2); Content of Audit Records (AU-3); Audit Storage Capacity (AU-4); Response to Audit Processing Failures (AU-5); Audit Reduction and Report Generation (AU-7); Non-Repudiation (AU-10)
  • Vormetric: Vormetric Transparent Encryption produces full audit data at the DSM appliance and at the host agents in an open format, and can feed a program's or agency's audit reduction tool or SIEM solution.

Security Assessment and Authorization (CA)
  • Baseline: System Interconnections (CA-3); Plan of Action and Milestones (CA-5); Continuous Monitoring (CA-7)
  • Vormetric: Vormetric Transparent Encryption can be assessed as a component of an information system. The agents are installed on operating systems that undergo security hardening and STIG configuration. The DSM is FIPS 140-2 Level 2 or Level 3 validated, depending on configuration.

Configuration Management (CM)
  • Baseline: Baseline Configuration (CM-2); Configuration Change Control (CM-3); Security Impact Analysis (CM-4); Least Functionality (CM-7)
  • Vormetric: The DSM configuration can be tailored to operational requirements for access control and encryption at rest, and can be saved, backed up, and recorded in a CMDB so that changes are tracked over time.

Contingency Planning (CP)
  • Baseline: Contingency Plan (CP-2); Contingency Plan Testing (CP-4)
  • Vormetric: The DSM can run in a cluster in active or standby mode and can be included in a program's COOP/DR strategy.

Identification and Authentication (IA)
  • Baseline: Identification and Authentication of Organizational Users (IA-2); Device Identification and Authentication (IA-3); Authenticator Management (IA-5); Cryptographic Module Authentication (IA-7)
  • Vormetric: Administrators are identified through local web GUI login or Active Directory/LDAP integration at the DSM appliance. On protected hosts, the kernel-level agent enforces access policy based on the identity of the user and process requesting access to files, folders, and applications.

Incident Response (IR)
  • Baseline: Incident Response Training (IR-2); Incident Response Testing (IR-3); Incident Handling (IR-4); Incident Monitoring (IR-5)
  • Vormetric: The Vormetric Data Security Platform records incidents at the level of the individual component (host system, web GUI, DSM). These incidents and audit events are emitted in an open syslog format that can be sent to an information system's monitoring and reporting tools, including third-party SIEM solutions. Log formats can be tailored to a program's security policy for user and application behavior.

Maintenance (MA)
  • Baseline: Controlled Maintenance (MA-2); Maintenance Tools (MA-3)
  • Vormetric: As part of its FIPS 140-2 validation, the DSM is tamper-evident (Level 2) and tamper-resistant (Level 3). Maintenance and audit sessions can be separated by domain and by administrator login.

Media Protection (MP)
  • Baseline: Media Access (MP-2); Media Marking (MP-3); Media Storage (MP-4); Media Transport (MP-5)
  • Vormetric: As part of its FIPS 140-2 Level 3 evaluation, the DSM can be zeroized from the appliance console, erasing the key material it holds.

Physical and Environmental Protection (PE)
  • Baseline: Physical Access Authorizations (PE-2); Physical Access Control (PE-3); Access Control for Transmission Medium (PE-4)
  • Vormetric: The DSM appliance used as a component of the solution is a 17”x17”x3” hardware device and can be secured in a lockable data center rack enclosure.

Planning (PL)
  • Baseline: Security Concept of Operations (PL-7); Information Security Architecture (PL-8)
  • Vormetric: Vormetric Transparent Encryption provides fine-grained access policies and AES-256 encryption that limit privileged-user access and implement least privilege for users authorized to access sensitive data.

Personnel Security (PS)
  • Baseline: Personnel Termination (PS-4); Personnel Transfer (PS-5)
  • Vormetric: Vormetric Transparent Encryption should be operated by personnel holding the appropriate clearance and information system access. Administrative groups can be linked to LDAP-compatible directory services, so that account changes made in the directory on termination or transfer carry over to DSM administrative access.

System and Services Acquisition (SA)
  • Baseline: Allocation of Resources (SA-2); System Development Life Cycle (SA-3)
  • Vormetric: The system components of the DSM are assembled in the US at Vormetric's corporate headquarters in San Jose, CA. The DSM is FIPS 140-2 Level 3 validated when the optional Hardware Security Module (HSM) is installed, and Level 2 validated without it.

System and Communications Protection (SC)
  • Baseline: Application Partitioning (SC-2); Security Function Isolation (SC-3); Transmission Confidentiality and Integrity (SC-8); Cryptographic Key Establishment and Management (SC-12)
  • Vormetric: AES-256 data encryption keys are not sent in the clear; they are wrapped (encrypted) in transit between the DSM and the agents. The administrator web interface is accessed over HTTPS. Agent-to-DSM communication uses ephemeral ports and is encrypted with Suite B algorithms.

System and Information Integrity (SI)
  • Baseline: Security Alerts, Advisories, and Directives (SI-5); Software, Firmware, and Information Integrity (SI-7)
  • Vormetric: Integrity of the DSM appliance is covered by its FIPS 140-2 validation, which includes the module's firmware integrity self-tests. Host agents installed on an information system's servers provide encryption at rest and access policies that restrict which users and processes can read or modify protected data.


Vormetric NIST 800-53 Mapping

Detailed Mapping of Vormetric Data Security Platform Controls to NIST 800-53 Requirements


Government Data Security Issues and Solutions Report

Vormetric on cybersecurity

By FCW.com (Federal Computer Week). Results of an FCW survey of DOD, civilian, state and local agency business and IT decision makers about data security...


"Vormetric Data Security allowed us to go beyond check-the-box compliance by providing strong data-level controls and centralized key management."

Dean Fenton, Director of Information Technology, Classified Ventures


Encryption Architecture

Vormetric FedRAMP / NIST 800-53 Requirements Mapping

