Is Kuali Coeus FIPS 140-2 and FISMA Compliant?

Moderas was approached by an institute that had to determine whether Kuali Coeus (KC) could meet both its FISMA and FIPS compliance requirements. Compliance is a term that most research administrators would associate with human subjects, lab animals or possibly even reporting requirements, so this was a somewhat unusual request. Luckily for them, Moderas has staff who are familiar with NIST and with complying with its standards.

The problem facing them was that they work closely with the U.S. government and wanted to use Kuali Coeus to track their research efforts. To do this they needed to determine whether it could comply with these requirements, and whether in fact they needed to.

FISMA, the Federal Information Security Management Act of 2002, recognizes the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

Luckily for the client, FISMA applies to federal agencies, so they are not required to comply with the extreme level of documentation and testing necessary to meet this standard. Staff from the agency would not be interacting directly with the system; the data would be updated and stored by the client. It is possible that the client might need to provide rudimentary information about their system so the agency could catalog it in its "Inventory of Information Systems", but this would be a determination they would need to come to collectively.

The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. Government computer security standard used to accredit cryptographic modules that secure sensitive data. The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate the requirements and standards for cryptographic modules that include both hardware and software components.

The client was required to be FIPS 140-2 compliant because they would be storing and sharing sensitive data collected in relation to their work with the agency. Generally speaking, FIPS 140-2 deals with securing the process of collecting, storing, transferring, sharing and disseminating data. Those functions can be put in two distinct groups: storage is the first, and collecting, sharing and disseminating the second, since those functions are all forms of sharing data.

For storage, there are solutions as simple as purchasing FIPS 140-2 certified hard drives, such as this example: http://www.seagate.com/www/en-us/products/laptops/momentus/momentus_7200_fde_fips_140_2/. There are also software solutions that can encrypt the data programmatically. The important thing to point out was that there was no need to go through the tremendously expensive process of having a home-grown solution rigorously tested to assure it is NIST compliant. The best course of action is to purchase a solution that has already been accredited for storage to meet those requirements.

The second bucket covers collection, transfer, sharing, and dissemination of data. Kuali Coeus utilizes OpenSSL, which is FIPS certified. Currently only the Grants.gov submission uses SSL, and assuming the only sensitive data shared is through this mechanism, the application is compliant. Should data be shared through other means (data entry forms, reports, etc.), some development work would be necessary to assure that any pages that present sensitive data utilize OpenSSL.
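One way to inventory which pages fall into that second bucket is to check each page that presents sensitive data for an HTTPS URL and for a negotiated TLS version and cipher suite built only from FIPS 140-2 approved primitives. The script below is an added example, not Moderas or Kuali code; the hostnames, page paths and observed TLS parameters are constructed, and `probe_tls` is a hypothetical helper that a real run would point at the live server.

```python
import socket
import ssl
from urllib.parse import urlparse

# TLS versions and cipher-suite fragments a FIPS 140-2 validated OpenSSL module
# can negotiate: AES with SHA-2 or GCM over TLS 1.2 or later. Anything else is a finding.
FIPS_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
NON_FIPS_FRAGMENTS = ("RC4", "MD5", "NULL", "CHACHA20", "DES", "EXPORT", "ADH", "AECDH")

def is_fips_acceptable(protocol: str, cipher: str) -> bool:
    """True if the negotiated protocol/cipher pair uses only approved primitives."""
    if protocol not in FIPS_PROTOCOLS:
        return False
    name = cipher.upper()
    if "AES" not in name:
        return False
    return not any(fragment in name for fragment in NON_FIPS_FRAGMENTS)

def probe_tls(host: str, port: int = 443, timeout: float = 5.0):
    """Hypothetical live probe: connect and report the (protocol, cipher) actually negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

def audit_pages(urls, probe=probe_tls):
    """Classify each page as 'plaintext', 'non-fips' or 'ok'. Returns {url: verdict}."""
    verdicts = {}
    for url in urls:
        parts = urlparse(url)
        if parts.scheme != "https":
            verdicts[url] = "plaintext"   # sensitive data would leave the host unencrypted
            continue
        protocol, cipher = probe(parts.hostname, parts.port or 443)
        verdicts[url] = "ok" if is_fips_acceptable(protocol, cipher) else "non-fips"
    return verdicts

# Constructed sample: hypothetical KC pages and the TLS parameters a scan might observe.
SAMPLE_PAGES = [
    "https://kc.example.edu/kc/proposalDevelopment.do",
    "https://legacy.example.edu/kc/awardReports.do",
    "http://kc.example.edu/kc/personSearch.do",
]
SAMPLE_OBSERVED = {
    "kc.example.edu": ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    "legacy.example.edu": ("TLSv1.0", "RC4-SHA"),
}

def run_sample():
    """Audit the constructed pages using the constructed observations instead of the network."""
    return audit_pages(SAMPLE_PAGES, probe=lambda host, port=443: SAMPLE_OBSERVED[host])
```

A page that negotiates an approved suite is necessary but not sufficient: the server must also be running a FIPS-validated OpenSSL module in FIPS mode, which has to be confirmed on the host rather than from a client probe.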

In summary, with the purchase of a hardware or software solution to encrypt the data, the use of OpenSSL for any pages that present data, and likely assurances that they would provide information to the agency, the client felt comfortable moving forward with their goal of implementing Kuali Coeus.