#Firmware security is often overlooked, not by choice, but due to a lack of tools to automate the work. Comply with #FISMA and build a stronger #cybersecurity program by learning the requirements here.

From the article:

The Federal Information Security Management Act (FISMA) defines the information security requirements for all federal agencies. It extends across the lifecycle of a security program from planning, implementation, and ongoing administration of a security program. And in addition to covering all federal agencies, it also applies to any contractors, any entities that handle federal  information, and even state agencies that administer federal funds.

FISMA is also quite different from many other regulatory security standards. Notably, the FISMA security controls clearly and repeatedly establish firmware security as being in scope. This is not surprising given that firmware implants and other firmware threats have long been a favorite tool for nation-state attackers who would naturally target federal information systems. This has become an even higher priority as firmware-based threats have recently spread to large-scale network-based and malware-based campaigns. Likewise supply-chain security has become a top priority for NIST, DoD, and many others both inside and outside of the government sector.

However, firmware security has often been challenging for many organizations. Historically it has been time-consuming, required specialized and rare security skills, and teams often lacked the tools to automate the work. Fortunately, new tools and innovations are changing the situation for the better. In this paper, we will take a closer look at some of the FISMA requirements, how they relate to firmware security, and specific steps you can take to bolster your security programs.

This document highlights some of the many areas where firmware security can play an important role in FISMA compliance and the overarching goal of protecting an agency’s mission. Of course the prioritization of firmware security will vary from organization to organization. However, in the past, firmware security was often overlooked not by choice, but due to a lack of tools to automate the work. We believe that through our work at Eclypsium as well as others in the industry, this is changing. The recommendations in the document should in no way be considered exhaustive, but rather to highlight some of the common areas where firmware security can provide immediate value. If you have any questions or concerns related to topics in this document, please contact the Eclypsium team at info[]eclypsium.com.