Does Splunk ESS include coverage for FISMA compliancy? And if so, what specifically within the ESS suite is specific for FISMA requirements, if anything?
Please be aware SANS.org's Critical Security Controls are only tangentially related to FISMA. CSC maps to a limited subset of NIST SP 800-53 controls but is not FISMA compliance itself. To satisfy FISMA security controls refer to the current FISMA security control catalog document, NIST SP 800-53 Revision 3.
I have no experience with ESS but if it provides governance support for ISO 27001 controls this can be the basis of some FISMA compliance support as NIST SP 800-53r3 controls have mappings to ISO 27001 Annex A (see Appendix H of SP 800-53r3).
New releases of NIST FISMA guidance have refocused efforts on all aspects of Continuous Monitoring. ESS is well positioned to provide extensive support for this compliance goal. This new guidance is developed with the Joint Task Force Transformation Initiative, creating a Unified Information Security Framework that will be applied not only to systems covered by FISMA but also systems in the Intelligence Community and DoD.
First of all, please be aware that SANS.ORG has embraced the top 20 Critical FISMA controls put forth by NIST....
(See this page regarding that topic:) http://www.sans.org/critical-security-controls/
...and Splunk has been certified by SANS.ORG as a vetted tool for Top 20 Critical Control #6 http://www.sans.org/critical-security-controls/user-tools.php
...and here are all of the specific 8500-53 controls regarding TTCC #6 listed (scroll down a little on this page) http://www.sans.org/critical-security-controls/control.php?id=6
Knowing this, technically, Splunk is certified for FISMA Top 20 Critical Control #6, and also provides the capability to tie in and integrate other actions into the adjacent FISMA controls (i.e. Splunk cannot synchronize your server clock, but it CAN trigger a script to sync them when it sees a time offset difference, thus providing a compensating control around clock syncing).
Also, I think the current ISO Governance section of ESS can be enhanced to include a FISMA-specific module that can help with that integration into some of the other FISMA Top 20 Critical Controls as well. (Imagine a FISMA fly-out menu with specific searches, reports, or alerts related to FISMA.) This may be something that Splunk professional services could probably scope out and add to ESS too, if that makes it easier.
Additionally, we may be looking into creating a FISMA-specific module as part of the core ESS App. No ETA yet that I am aware of, but customers are starting to drive us that way for sure.
All in all, I think no one product can cover all of FISMA requirements, but Splunk has the best starting point (i.e. core Splunk + ESS App) and potential to specialize as you need, for FISMA or any other type of compliancy you are considering Splunk for.
I'm not the person that can really answer if it WOULD be separate or part of ESS Suite or not, but I imagine, technically, it could be either or both. A separate App OR just another menu item with ESS called FISMA Controls, or something like that, where you select to go to the FISMA-related dashboards and/or form searches, etc.
Would the FISMA module be created separately from the ESS Suite?