As architects working on federal projects, we spend a ton of time on security practices and FISMA compliance. Implementing FISMA guidelines involves lots of manual tracking of dozens of steps and checks across various groups. I was pleased to run across OpenFISMA recently because it helps automate some of the manual steps in FISMA compliance by using a LAMP-based application to manage the process. OpenFISMA also guides requirements-gathering activities, such as verifying compliance with requirements, conducting security assessments and remediating vulnerabilities. Here’s the description of the tool from their website:
The OpenFISMA project is an open source application designed to reduce the complexity and automate the regulatory requirements of the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).
OpenFISMA also contains a built-in catalog of all NIST SP 800-53 Rev. 2 controls. Findings in OpenFISMA can be matched against these security controls to provide supplemental information for remediation and planning. The catalog includes descriptions of the controls, their scoping, and supplemental guidance.