How eMASS Automation Unites the Missing Security Compliance Data
eMASS, or the Enterprise Mission Assurance Support Service, was developed by the DoD, in part, as a repository that unites technical/machine data generated from endpoint scans with the human/non-technical data documented by security/IA personnel. Traditionally the “uniting” process is accomplished by completing a STIG Viewer Checklist for each policy for each endpoint.
Understanding the STIG Viewer Checklist Problem
These checklists are traditionally hand-created by pre-populating a checklist for each policy with the appropriate non-technical data together with POAM/waiver information. Security personnel then combine that pre-populated checklist with the XCCDF output from the system scan (ACAS/SCAP) to create, name, and store an individual checklist for each endpoint. Once completed, the individual checklists that consolidate scan and human data are loaded into eMASS. Keeping eMASS current with the latest security information through this checklist creation and upload process is a challenge, both in timeline and in personnel resources, since the process is inherently manual. As one can imagine, consistency, timeliness, and error handling are constant issues in such a human-dependent process.
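As an added illustration of the "uniting" step described above (this is not code from the original page or from eMASS/STIG Viewer), the Python below merges a constructed XCCDF rule-result fragment into a constructed, pre-populated checklist skeleton: the scan fills STATUS and FINDING_DETAILS, while the human-entered COMMENTS (the POAM/waiver note) are left intact. The checklist and XCCDF element names, the DISA idref prefix, and the result-to-status mapping are assumptions modelled on the STIG Viewer .ckl and XCCDF 1.2 formats.

```python
import xml.etree.ElementTree as ET
XNS = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace
# XCCDF result values -> STIG Viewer checklist STATUS values (assumed mapping)
RESULT_TO_STATUS = {"pass": "NotAFinding", "fail": "Open", "notapplicable": "Not_Applicable"}

# Constructed, minimal checklist skeleton: one rule, not yet reviewed, POAM note in COMMENTS.
CKL_TEMPLATE = """<CHECKLIST><ASSET><HOST_NAME></HOST_NAME></ASSET><STIGS><iSTIG>
<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1001</ATTRIBUTE_DATA></STIG_DATA>
<STIG_DATA><VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE><ATTRIBUTE_DATA>SV-1001r1_rule</ATTRIBUTE_DATA></STIG_DATA>
<STATUS>Not_Reviewed</STATUS><FINDING_DETAILS></FINDING_DETAILS><COMMENTS>POAM-42: waiver approved</COMMENTS></VULN>
</iSTIG></STIGS></CHECKLIST>"""
# Constructed XCCDF TestResult fragment, as a SCAP scan of this host might emit.
XCCDF_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_1">
<rule-result idref="xccdf_mil.disa.stig_rule_SV-1001r1_rule"><result>fail</result></rule-result>
</TestResult>"""

def scan_results(xccdf_xml):
    """Map each short rule id (e.g. SV-1001r1_rule) to its scan result."""
    results = {}
    for rr in ET.fromstring(xccdf_xml).iter(XNS + "rule-result"):
        # DISA idrefs look like 'xccdf_mil.disa.stig_rule_<SV id>'; keep only the SV part
        key = rr.get("idref", "").rsplit("rule_", 1)[-1]
        results[key] = rr.findtext(XNS + "result", default="")
    return results

def attr(vuln, name):
    """Return ATTRIBUTE_DATA for the named VULN_ATTRIBUTE inside one VULN."""
    for data in vuln.findall("STIG_DATA"):
        if data.findtext("VULN_ATTRIBUTE") == name:
            return data.findtext("ATTRIBUTE_DATA", default="")
    return ""

def merge_xccdf_into_ckl(ckl_xml, xccdf_xml, host_name):
    """Fill STATUS/FINDING_DETAILS from the scan; leave human COMMENTS untouched."""
    ckl, results = ET.fromstring(ckl_xml), scan_results(xccdf_xml)
    ckl.find("ASSET/HOST_NAME").text = host_name
    for vuln in ckl.iter("VULN"):
        result = results.get(attr(vuln, "Rule_ID"))
        if result is None:
            continue  # rule not in the scan: stays Not_Reviewed for the human reviewer
        vuln.find("STATUS").text = RESULT_TO_STATUS.get(result, "Not_Reviewed")
        vuln.find("FINDING_DETAILS").text = "SCAP result: " + result
    return ET.tostring(ckl, encoding="unicode")

def vuln_status(ckl_xml, vuln_num):
    """Look up (STATUS, COMMENTS) of a checklist entry by its V- number; None if absent."""
    for vuln in ET.fromstring(ckl_xml).iter("VULN"):
        if attr(vuln, "Vuln_Num") == vuln_num:
            return vuln.findtext("STATUS"), vuln.findtext("COMMENTS")
```

Running this per endpoint against a per-policy template is the automated counterpart of the manual create-name-store loop; unscanned rules stay Not_Reviewed so they are not silently marked closed.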
Unifying eMASS and SIEM Data
eMASS currently supports more advanced ways to ingest information through its API or through ARF/ASR file interfaces. However, two challenges remain: how to access and integrate the human/non-technical data for eMASS, and how to efficiently create the fully populated checklists that are required outside of eMASS. Beyond these two challenges, there is also a great opportunity to feed the combined human/machine security compliance data into the organization’s own dashboards. If this collective data feed could be compiled, the organization’s SIEM would represent the whole security compliance picture, not just the partial picture represented by scan data alone.
Is It Time for Something New?
Unfortunately, the processing architectures of scan-only products do not afford the DoD any option to combine security data and create fully populated STIG Viewer Checklists effectively. Therefore a new solution will need to be invented...