State and Local Regulations

MISSION POSSIBLE: MORE SECURITY.
MORE COMPLIANCE WITH STATE AND LOCAL REGULATIONS.

Centrify Zero Trust Privilege helps state and local governments secure access to their ever-expanding attack surface while fulfilling the most stringent state and local compliance mandates. Centrify allows them to control, audit and report on privileged access to sensitive data while reducing complexity and keeping privileged users productive.

Today's Threat and Compliance Challenges

TACKLE YOUR STATE AND LOCAL REGULATIONS WITH CENTRIFY

Regulation/Standard | Purpose | Centrify's Demonstrable Value-Add

CIS: Critical Security Controls for Effective Cyber Defense by SANS Institute

Recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.

Centrify Zero Trust Privilege solutions help state and local agencies address the CIS Critical Security Controls in eight key areas:

  • CSC 3 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • CSC 5 – Controlled Use of Administrative Privilege
  • CSC 6 – Maintenance, Monitoring, and Analysis of Audit Logs
  • CSC 11 – Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • CSC 12 – Boundary Defense
  • CSC 13 – Data Protection
  • CSC 14 – Controlled Access Based on the Need to Know
  • CSC 16 – Account Monitoring and Control

CJIS: Criminal Justice Information Services Security Policy

Security policies for protecting sensitive information like fingerprints and criminal backgrounds gathered by local, state, and federal criminal justice and law enforcement agencies.

Centrify Zero Trust Privilege solutions help state and local agencies address the CJIS Security Policy in the following areas:

  • Policy Area 4 – Auditing and Accountability
  • Policy Area 5 – Access Control
  • Policy Area 6 – Identification and Authentication
  • Policy Area 7 – Configuration Management

FERPA: Family Educational Rights and Privacy Act of 1974

Federal law that protects the privacy of student education records. It applies to all state and local schools that receive funds under an applicable program of the U.S. Department of Education.

Centrify Zero Trust Privilege solutions help state and local schools address FERPA in the following areas:

  • Authentication of Records Requesters
  • Limiting Access to School Officials’ Legitimate Educational Interest
  • Control over Outsourcing Partners
  • Data Security Guidelines in Accordance with NIST SP 800-Series and OMB Standards

FISMA: Federal Information Security Management Act

US legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats.

Centrify Zero Trust Privilege solutions help state and local agencies address key FISMA provisions recommended in NIST SP 800-53, including sections:

  • AC – Access Control
  • AU – Audit and Accountability
  • CM – Configuration Management
  • IA – Identification and Authentication

HIPAA: Health Insurance Portability and Accountability Act

US legislation that provides data privacy and security provisions for safeguarding medical information.

Centrify Zero Trust Privilege solutions help state and local agencies address:

  • HIPAA Technical Safeguards (§ 164.312): Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.

HITECH: Health Information Technology for Economic and Clinical Health Act

US legislation that widens the scope of privacy and security protections available under HIPAA; it increases the potential legal liability for non-compliance; and it provides for more enforcement.

Centrify Zero Trust Privilege solutions help state and local agencies address HITECH in the following major area:

  • Subtitle D – Privacy, Part 1
  • Subtitle D – Privacy, Part 2

MARS-E: Minimum Acceptable Risk Standards for Exchanges

For enrollees of Administering Entities (AEs), MARS-E defines a minimum set of standards for acceptable security risk that the Health Insurance Exchanges must address and aims to facilitate compliance with the myriad of potentially applicable federal requirements under FISMA, HIPAA, HITECH, ACA, Tax Information Safeguarding Requirements, and state requirements.

Centrify Zero Trust Privilege solutions help ACA Administering Entities to address key MARS-E provisions:

Security Controls such as

  • AC – Access Control (i.e., AC-1 Access Control Policy and Procedures, AC-2 Account Management, AC-3 Access Enforcement, AC-5 Separation of Duties, AC-6 Least Privilege, AC-17 Remote Access)
  • AU – Audit and Accountability (i.e., AU-1 Audit and Accountability Policy and Procedures, AU-2 Audit Events, AU-14 Session Audit)
  • CA – Security Assessment and Authorization (i.e., CA-7 Continuous Monitoring)
  • IA – Identification and Authentication (i.e., IA-1 Identification and Authentication Policy and Procedures, IA-2 Identification and Authentication of Organizational Users, IA-10 Adaptive Identification and Authentication)
  • IR – Incident Response (i.e., IR-5 Incident Monitoring, IR-6 Incident Reporting)
  • RA – Risk Assessment (i.e., RA-3 Risk Assessment)

Privacy Controls such as

  • AP – Authority and Purpose (i.e., AP-2 Purpose Specification)
  • AR – Accountability, Audit, and Risk Management (i.e., AR-3 Privacy Requirements for Contractors and Service Providers)

FTI Safeguards as required by IRS Publication 1075

NIST Special Publication 800-Series

Set of documents (NIST SP 800-53, SP 800-171, SP 800-63) that describe US federal government computer security policies, procedures, and guidelines. In many cases, complying with NIST guidelines and recommendations will help state and local government agencies ensure compliance with other regulations, such as HIPAA and FISMA.

Centrify Zero Trust Privilege solutions help state and local agencies address the NIST SP 800-Series in three key areas:

  • AC-3: Authorized Access Enforcement in Accordance with Applicable Policy
  • AC-5: Separation of Duties through Assigned Information System Access Authorization
  • AC-6: Least Privilege Enforcement: Allow only necessary access for users based on mission functions
  • Audit and Accountability
  • Security Assessment and Authorization
  • Identification and Authentication
  • Incident Response

PCI DSS: Payment Card Industry Data Security Standard

Set of security standards designed to ensure that all government agencies that accept, process, store, or transmit credit card information maintain a secure environment.

Centrify Zero Trust Privilege solutions help state and local agencies address six of the major PCI DSS requirements:

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 10: Track and monitor all access to network resources and cardholder data

Publication 1075: Tax Information Security Guidelines for Federal, State, and Local Agencies by the IRS Office of Safeguards

Safeguards for protecting federal tax returns and return information; aligned with NIST SP 800-53.

Centrify Zero Trust Privilege solutions help state and local agencies address the IRS Publication 1075 in one of the major aspects:

  • Access Control
  • Audit and Accountability
  • Security Assessment and Authorization
  • Identification and Authentication
  • Incident Response

 

Proven Solutions and Expertise

Struggling to improve your compliance posture while minimizing your attack surface? Centrify can help. We deliver Zero Trust Privilege solutions, allowing you to reduce the possibility of access by bad actors while checking off your state and local regulatory mandates.

Trusted by State and Local Governments, Worldwide

There isn’t a regulation that Centrify hasn’t helped us to meet. Today, every time an administrator touches a server, I have a record of it. I can pull up a report, print it and hand it to the auditor.

Peter Manina, IT Specialist and UNIX Systems Architect, State of Michigan Department of Technology, Management and Budget

Ready to Protect Against the #1 Attack Vector?

Register for a 30-day trial of Centrify's Privileged Access Management (PAM) software to minimize your attack surface and control privileged access to your hybrid environment.
