Automating Continuous Compliance Makes CORA Readiness Achievable.
Now that DISA and JFHQ-DODIN have replaced the Command Cyber Readiness Inspection (CCRI) with the Cyber Operational Readiness Assessment (CORA), it's important to understand what has changed along with the name, in both the differences between the two programs and the mindset behind them.
Chief among those changes is the shift from CCRI's point-in-time inspection of compliance to CORA's focus on operational readiness. DoD organizations are no longer "preparing for an inspection"; they are expected to maintain proactive, continual cybersecurity compliance between assessments. In other words, "whoa, Nelly, that's a lot of work!" That workload is one of the main reasons automation is key to moving forward in DoD cybersecurity compliance.
Continuous cybersecurity compliance is a key aim of CORA.
Continuous compliance isn't a new topic in the cybersecurity compliance world. There are even solutions that address continuous compliance in environments where remote and hybrid workers make the landscape more complex, and it is one of the recommendations in SteelCloud's Top 10 Security Tips for National Cybersecurity Month. Continuous authority to operate (cATO) has likewise been a topic in the DoD for years. But with the shift to CORA, DoD leaders increasingly see continuous compliance as a requisite element of readiness and of critical decision-making: online, behind the scenes and on the front lines.
At AFCEA TechNet Cyber 2024, Lt. Gen. Robert Skinner, then-director of DISA and JFHQ-DODIN commander, set the tone. “The end goal is having continuous assessments and continuous monitoring of those critical capabilities within those critical assets, to really give you a day-to-day understanding,” he said in his keynote address. Ultimately, CORA could reach the point where continuous assessments are conducted in the background without interrupting an employee’s normal workday.
Nicholas DePatto, inspections branch chief at JFHQ-DODIN, breaks it down like this: “Imagine an assessment that happens without you even knowing you’re being assessed,” he said. “Computers come in, they do everything behind the scenes, and then they report to you or your commander saying, ‘Here’s what you did. Here’s how you guys are doing,’ and it’s continuous. So, you continuously figure out where your weak points are and continuously see how to improve. And it’s not a prep, assess, prep, assess.”
Automation makes continuous cybersecurity compliance possible for CORA and beyond.
Continuous compliance is not just a goal for CORA; it's key to your overall cybersecurity posture. It means you are continuously STIG compliant, closing configuration gaps and remediating new vulnerabilities as they emerge rather than in the weeks before an assessment. It supports cATO and shortens the timeline for deploying new software and weapons systems. And it's incredibly frustrating for bad actors, who count on finding the one overlooked vulnerability or misconfiguration that lets them create chaos.
Solutions exist today for achieving continuous baseline compliance, the primary and most time-consuming element of a CORA assessment, using the team you already have. STIG compliance is the big fish in the CORA game, and automating it frees your team's time and brainpower to further reinforce your systems with initiatives like Zero Trust and DevSecOps. Much of the DoD uses SteelCloud's ConfigOS to achieve those ends. To learn more about how that is done, you can request a demo or stay tuned for our next article, where we will tackle that subject.