Continual Modernization is the Key to Risk Management
November 14, 2022

Compliance is a road to RMF, but it’s only part of the entire road; therefore, continual modernization is crucial.

Technology modernization seems to be on everyone’s lips (and weighing heavily on everyone’s minds) these days. The good news is that once it’s done, you won’t have to think about it again until the next push for modernization, right?

Unfortunately, that is how some think of modernization: a one-and-done effort until the next time, and eventually things get woefully outdated. Then you modernize again.

But an organization’s self-improvement should be ongoing. Modernization is as much about compatibility as it is about security and operability. Continual modernization is a cultural shift to an agile approach to technology, responding to needs in real time. So instead of storing up a budget for the day when you’ll finally modernize everything at once, modernization funding should be a regular part of your agency’s annual operating budget.

DevSecOps and automation set the groundwork for managing risk.

An essential approach to consider while you are modernizing is DevSecOps. With DevSecOps, application security is baked in during development, making software less vulnerable to attack.

Another fundamental approach is automated vulnerability scanning. Because security controls are embedded within the software, automation enables continuous, real-time vulnerability management and looks at much more than just code. Leveraging DevSecOps and automation together can put you a step ahead in thwarting attackers.

When wrapped in a Zero Trust architecture, all of this can go a long way toward mitigating risk. Zero Trust assumes everyone trying to access your data is dangerous and makes users reverify their identity with each deeper layer of data they access.

It all comes down to reducing risk. Traditionally, that is done by trying to prevent attacks that can wipe out or co-opt the network or data, lowering the probability of attacks, and mitigating the impact of attacks by reducing the vulnerability to damage. Determining capability and probability is challenging, and due to limitations on the resources of time and money, decisions are often made hastily or not at all.

In the world of federal information systems, if that overall risk becomes too high to accept, applications are shut down or never allowed to start: they have no authority to operate (ATO), and until they achieve ATO, you need to operate without that technology. Imagine how crippling this can be with a critical application. So, risk management considers vulnerabilities and the impact of those vulnerabilities on ATO: vital technologies being taken offline until they are authorized to operate.

Risk management means looking into your supply chain.

Part of the process of providing evidence of software supply chain security is self-attestation. Any agency procuring software needs to have self-attestation from the software developers stating that the development followed NIST’s standards for security procedures. According to NIST guidelines, attestation should focus more on ongoing practices than on specific pieces of software design.

But we need to get to a better place than just self-attestation. We should also be looking at the risk. Are the company’s people a risk? Is the data they are handling high or low risk? For those in the DoD supply chain, Cybersecurity Maturity Model Certification (CMMC) can help define levels of compliance based on the type of government data you handle. Companies with more risk exposure will have third-party assessments for added assurance.

Risk management is different from compliance.

Regarding cybersecurity, risk and compliance are two different things and impact security differently. So, what is risk? Risk is the magnitude of the bad thing, or its destructive power, multiplied by the likelihood or probability of it happening. Measuring risk involves much mental calculus, weighing different variables in the context of your organization and current conditions. Risk is a broad, multi-faceted topic.

Compliance is a subset of risk. If risk is like calculus, compliance is more like multiplication. Compliance follows a specific process for implementing your custom code and configuration, like looking up a multiplication chart for a particular outcome. The structured, repetitive, manually demanding requirements of the act of compliance make it a perfect candidate for automation.

Information Systems Security Officers (ISSOs) and others realize the overwhelming challenges of risk and compliance and look to manage risk effectively to control the threat and prevent or mitigate bad outcomes. While managing risk is more complex than checklist compliance concerning cybersecurity regulations, experts say risk management produces more accurate and secure results.

Cloud providers must receive FedRAMP certification. For terrestrial applications and systems, it’s the Risk Management Framework, or RMF, accreditation. The criteria for these compliance standards are continually changing because information system operations, applications, developments, and threats keep changing. In addition, to align with RMF, you must comply with STIG and CIS mandates. So, compliance is a road to RMF, but it’s only part of the entire road.

Giving risk and compliance their due time.

As one decorated Colonel in Air Force Intelligence told us in the Pentagon the day after the San Bernardino terrorist attack, “We’re spending 80% of our time aggregating information and only 20% of our time analyzing it. That needs to be the other way around.”

When applied to the risk vs. compliance situation, we spend far too much time on rote procedures—compliance—and too little time exploring the whys behind the vulnerabilities that may put us at risk in the future. Instead, we can shift the equation by using solutions like SteelCloud’s ConfigOS to automate scanning and remediation, then use the time automation saves for our cybersecurity team to manage risk.

Technology modernization’s biggest challenge is not time or money or staff. It’s how you allocate your time, money, and staff. Automation can do much of the work for you, leaving opportunities for strategic analysis, continual improvement and, frankly, just breathing so you have the chance to think. SteelCloud is here to help you better manage compliance, risk, workforce shortages and budgets using automation. Contact us if you need assistance.
