Department of Medicine IT

FISMA IT Support

In addition to our general purpose computing support, the Department of Medicine IT Services also maintains a Federal Information Security Management Act (FISMA) compliant IT system to support grants and contracts that carry stricter than usual IT security, auditing, and reporting requirements.

Access to our FISMA computing environment requires a special account with the Department of Medicine IT Services. For more information about this system, or for other IT security questions please contact our helpdesk and ask for Lincoln Reedy or Walt Morrison.

What Is FISMA?

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was enacted as Title III of the E-Government Act of 2002.

Why is FISMA relevant at UW?

Some grants and contracts awarded by state or federal organizations (for example the CDC or NIH) may require very strict IT security controls. These controls and policies usually do not map directly onto the existing UW Medicine (AMC) or Department of Medicine (Outpost) controls and policies. Therefore, a separate stand-alone environment is needed to support those specific requirements.

How are the IT Security Controls implemented?

Below is a selection of some controls that have a noticeable impact on day to day use of workstations and resources on the FISMA IT system.

Identity Authentication

User authentication for the FISMA IT system requires multi-factor authentication, which consists of something you know (your password) and something you have (a security token). The FISMA IT system uses FIPS 140-2 validated USB smart card tokens as the “something you have”; the owner of the smart card sets a private unlock code (PIN) that must be entered before the card can be used.

For extra guidance regarding the Smart Card USB tokens please see the following documentation:

  • FAQs: [coming soon]
  • How To Login: [coming soon]
  • Changing your PIN: [coming soon]

Data Storage and Transmission

The FISMA system is a high-security environment that is designed to prevent accidental or malicious access by unauthorized users. All data storage is dedicated to this system to prevent co-mingling with general computing storage. All data stored on FISMA servers is encrypted at rest, and all network traffic to the file server is encrypted in transit. Data is backed up regularly according to the required security controls for the purpose of disaster recovery.

Computing Hardware

The FISMA system requires a dedicated desktop or laptop, which must be configured specifically for the FISMA environment. These devices are restricted to members with FISMA system accounts. All member workstations and laptops must use full-disk encryption with FIPS 140-2 validated algorithms.

Data Access

Data stored on FISMA servers must be accessed through workstations or laptops configured for the FISMA IT system. All portable storage devices on FISMA workstations and laptops are disabled to prevent their use. This includes USB hard drives and flash drives, CD/DVD drives, floppy disks, etc.
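The Identity Authentication, Computing Hardware and Data Access sections above describe workstation-side controls without saying how to confirm a given machine actually has them. The following read-only audit script is an added example for this page, not a tool from Department of Medicine IT Services, and it does not claim to be how the department enforces the controls. It assumes the FISMA workstations are Windows hosts whose settings are delivered by Group Policy; the registry paths it reads are the standard locations those policies write to, the control labels (IA, SC, MP) are the NIST SP 800-53 families the page lists, and the BitLocker check accepts any AES mode because the page does not state a key length.

```powershell
# Added example (not part of the Department of Medicine IT page): read-only audit
# of a Windows FISMA workstation against the controls described on the page:
#   - smart card required for interactive logon (Identity Authentication)
#   - FIPS-only cryptography and full-disk encryption (Computing Hardware)
#   - removable storage classes denied (Data Access)
# Assumes settings are delivered by Group Policy (hypothetical for this environment);
# the registry paths are the standard locations those policies write to.
# Run from an elevated PowerShell prompt. Nothing is changed; exit code 1 on any failure.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is not set.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-FismaWorkstation {
    $results = @()

    # Identity Authentication: "Interactive logon: Require smart card" writes scforceoption = 1.
    $scForce = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'scforceoption'
    $results += [pscustomobject]@{
        Control  = 'IA: smart card required for interactive logon'
        Expected = 'scforceoption = 1'
        Actual   = "scforceoption = $scForce"
        Pass     = ($scForce -eq 1)
    }

    # Computing Hardware: "System cryptography: Use FIPS compliant algorithms" writes Enabled = 1,
    # which restricts Windows cryptographic providers to FIPS 140-2 validated algorithms.
    $fips = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
    $results += [pscustomobject]@{
        Control  = 'SC: FIPS algorithm policy enabled'
        Expected = 'Enabled = 1'
        Actual   = "Enabled = $fips"
        Pass     = ($fips -eq 1)
    }

    # Computing Hardware: system drive protected by BitLocker using an AES mode.
    # All BitLocker AES modes are FIPS-approved; the page states no key length, so any is accepted.
    $osVol  = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $method = if ($osVol) { "$($osVol.EncryptionMethod)" } else { 'n/a' }
    $status = if ($osVol) { "$($osVol.ProtectionStatus)" } else { 'no BitLocker volume' }
    $results += [pscustomobject]@{
        Control  = 'SC: full-disk encryption on system drive'
        Expected = 'ProtectionStatus = On, EncryptionMethod = AES'
        Actual   = "ProtectionStatus = $status, EncryptionMethod = $method"
        Pass     = ($status -eq 'On' -and $method -in @('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256'))
    }

    # Data Access: "All Removable Storage classes: Deny all access" writes Deny_All = 1,
    # which blocks read and write on USB drives, optical drives, floppy drives, etc.
    $denyAll = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
    $results += [pscustomobject]@{
        Control  = 'MP: removable storage denied'
        Expected = 'Deny_All = 1'
        Actual   = "Deny_All = $denyAll"
        Pass     = ($denyAll -eq 1)
    }

    return $results
}

$audit = Test-FismaWorkstation
$audit | Format-Table -AutoSize
if ($audit | Where-Object { -not $_.Pass }) { exit 1 }
```

A row with Pass = False means the policy value is missing or wrong on that machine, which is what you would expect on a general purpose (non-FISMA) workstation. Get-BitLockerVolume comes with the BitLocker module on Windows Pro and Enterprise editions; on a host without it, the encryption row reports no BitLocker volume and fails, which is the correct answer for an unencrypted or unsupported drive.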

Remote Access

Desktops and laptops for the FISMA system support remote desktop and remote access. Remote access tools include a Virtual Private Network (VPN) program and Remote Desktop Gateway.

Prerequisites: When connecting remotely from a personal device to a FISMA device, the personal device must have the Smart Card USB driver installed so that the token can be used for login in the remote session. Legacy clients that are still using a YubiKey for login do not need to install any drivers locally.

  • Remote access from Windows devices is possible using the built-in Remote Desktop Connection program.
  • Remote access is limited to Windows devices.
  • Smart Card USB driver: ePass2003-Setup.zip

Please contact us for any questions regarding remote access to FISMA resources.

Additional Security Controls

The complete set of IT security controls for the Department of Medicine’s FISMA environment forms a system security plan for each contract organization (NIH, CDC, etc.) and is based on the following security control families from the National Institute of Standards and Technology (NIST) Special Publication 800-53 (Rev. 4).

  • AC – Access Control
  • AT – Awareness and Training
  • AU – Audit and Accountability
  • CA – Security Assessment and Authorization
  • CM – Configuration Management
  • CP – Contingency Planning
  • IA – Identification and Authentication
  • IR – Incident Response
  • MA – Maintenance
  • MP – Media Protection
  • PE – Physical and Environmental Protection
  • PL – Planning
  • PM – Program Management
  • PS – Personnel Security
  • RA – Risk Assessment
  • SA – System and Services Acquisition
  • SC – System and Communications Protection
  • SI – System and Information Integrity