In addition to our general purpose computing support, the Department of Medicine IT Services also maintains a Federal Information Security Management Act (FISMA) compliant IT system for the purpose of supporting grants and contracts which have higher than average IT security, auditing, and reporting requirements.
Access to our FISMA computing environment requires an account with the Department of Medicine IT Services. For more information about this system, or for other IT security questions please contact the Department of Medicine IT Helpdesk and ask for Lincoln Reedy or Walt Morrison.
What Is FISMA?
The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002.
Why is FISMA relevant at UW?
UW Medicine IT (AMC) maintains a computing system that is HIPAA compliant and designed to support the clinical and administrative needs of the UWMC, HMC and their partners. Unfortunately, many current grants and contracts awarded by federal organizations such as the Centers for Disease Control (CDC) or the National Institutes of Health (NIH) require IT security controls that match the requirements of the awarding organization rather than those of local organizations. These FISMA controls and policies do not map directly onto existing UW Medicine (AMC) or Department of Medicine (Outpost) controls and policies. Therefore, to support Department of Medicine members who are accepting a federal contract or grant with FISMA requirements, the Department of Medicine IT has developed a private computing environment specifically to meet those needs.
How are the IT Security Controls implemented?
Below is a selection of controls that have a noticeable impact on day-to-day use of workstations and resources on the FISMA IT system.
All users who need to interact with data in the system must have their own user account with the Department of Medicine IT Services.
User authentication for the FISMA IT system requires multi-factor authentication. Standard authentication on ordinary systems consists of only a username and password (something known only to you), while multi-factor authentication combines something you know (a password) with something you have (a security token). The FISMA IT system uses FIPS 140-2 certified Smart Card USB tokens as the "something you have"; the owner of the smart card assigns a private unlock code to it, and that code is then used to unlock the Smart Card USB token during the login process.
For extra guidance regarding the Smart Card USB tokens please see the following documentation:
- FAQs: [coming soon]
- How To Login: [coming soon]
- Changing your PIN: [coming soon]
Data Storage and Transmission
The FISMA system is a high-security environment that is self-contained to prevent accidental or malicious access by unauthorized users or other systems. All data storage is dedicated to this system to prevent commingling with general computing storage.
All data transferred to or from FISMA servers is encrypted in transit; system policy enforces encrypted connections for all file server traffic. Data is backed up regularly, according to the required security controls, for the purpose of disaster recovery.
The FISMA system requires a dedicated workstation, which must be configured specifically for the FISMA environment. This configuration allows the system to enforce policies on workstations to ensure compliance with FISMA government requirements. Workstations or laptops are restricted to members with FISMA system accounts.
All member workstations and laptops must be encrypted with FIPS 140-2 compliant algorithms.
Computing devices must be physically located in approved campus locations.
Workstation support is limited to Windows 10 compatible devices, which must have a Trusted Platform Module (version 1.2 or newer).
Data stored on FISMA servers must be accessed through workstations or laptops configured for the FISMA IT system. All portable storage devices on FISMA workstations and laptops will be locked down to prevent their use. This includes USB hard drives/flash drives, CD/DVD drives, floppy disks, etc.
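A read-only baseline check for the workstation requirements above, added here as an example; it is not the Department of Medicine's own tooling. It assumes Windows 10 with BitLocker, that the FIPS 140-2 requirement is enforced through the Windows FIPS algorithm policy, and that portable storage is locked down through the RemovableStorageDevices policy key; it reports gaps and changes nothing.

```powershell
# Added example (not the Department of Medicine's own tooling). Assumptions:
# FIPS enforcement via the Windows FIPS algorithm policy, and removable storage
# lockdown via the RemovableStorageDevices policy. Run in an elevated session.

function Test-FismaWorkstationBaseline {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Supported OS: Windows 10 (caption reported by WMI/CIM)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Caption -notmatch 'Windows 10') {
        $findings.Add("OS is '$($os.Caption)', expected Windows 10")
    }

    # TPM present with specification version 1.2 or newer
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        $findings.Add('No TPM detected')
    } else {
        # SpecVersion looks like "2.0, 0, 1.16" or "1.2, 2, 3"; first field is the spec
        $specVersion = [version](($tpm.SpecVersion -split ',')[0].Trim())
        if ($specVersion -lt [version]'1.2') {
            $findings.Add("TPM spec version $specVersion is older than 1.2")
        }
    }

    # FIPS algorithm policy: restricts Windows crypto to FIPS-validated modules
    $fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
        -Name Enabled -ErrorAction SilentlyContinue
    if (-not $fips -or $fips.Enabled -ne 1) {
        $findings.Add('FIPS algorithm policy is not enabled')
    }

    # Full-disk encryption: BitLocker protection must be On for the system drive
    $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $bde -or "$($bde.ProtectionStatus)" -ne 'On') {
        $findings.Add("BitLocker protection on $env:SystemDrive is not On")
    }

    # Portable storage lockdown (assumed mechanism): Deny_All removable storage policy
    $rsd = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
        -Name Deny_All -ErrorAction SilentlyContinue
    if (-not $rsd -or $rsd.Deny_All -ne 1) {
        $findings.Add('Removable storage is not denied by policy')
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Test-FismaWorkstationBaseline | Format-List
```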
Clients with accounts on the FISMA IT system receive support for remote access to secured computing equipment. Remote access tools include a Virtual Private Network (VPN) program and Remote Desktop Gateway.
Prerequisites: When logging in remotely to a secured device from a personal device you will need to have the Smart Card USB driver installed. Legacy clients that are still using YubiKey for login need not install any drivers locally.
- Remote access from Windows devices is possible using the built in Remote Desktop Connection program.
- Remote access from Mac devices requires a special Windows virtual machine and therefore must be scheduled ahead of time.
- Smart Card USB driver: Windows | Mac | Linux
Please contact us for any questions regarding remote access to FISMA resources.
Additional Security Controls
The complete set of IT security controls for the Department of Medicine’s FISMA environment forms a system security plan for each contracting organization (NIH, CDC, etc.) and is based on the following security control families from the National Institute of Standards and Technology (NIST) Special Publication 800-53 (Rev. 4).
- AC - Access Control
- AU - Audit and Accountability
- AT - Awareness and Training
- CM - Configuration Management
- CP - Contingency Planning
- IA - Identification and Authentication
- IR - Incident Response
- MA - Maintenance
- MP - Media Protection
- PS - Personnel Security
- PE - Physical and Environmental Protection
- PL - Planning
- PM - Program Management
- RA - Risk Assessment
- CA - Security Assessment and Authorization
- SC - System and Communications Protection
- SI - System and Information Integrity
- SA - System and Services Acquisition