Leaving SCAP Behind for a Unified Automation Solution
February 25, 2026


Open-source STIG tools like DISA’s SCAP are a popular choice because they can automate scanning and relieve some of the effort involved in STIG compliance. But once agencies use these types of tools for a while, they all seem to come to the same conclusions—the tools don’t remediate, they leave little room for customization and they lack reporting features that are key to the auditing process. There has to be a better way.

That’s where a key Department of Energy (DoE) facility landed after using SCAP for a while. These types of DoE sites may steward our nuclear stockpile, conduct national security research, provide nuclear emergency response training or manage environmental impacts. With the sensitive nature of those types of missions, they are required to protect their enterprise with the federal government’s strictest and most comprehensive cybersecurity framework, Security Technical Implementation Guides (STIGs).

Seeking a solution that offers long-term, dependable relief from compliance headaches

STIGs are not only mandated for these kinds of facilities, but they are also subject to the auditing process. So, it’s critical the approach to compliance is both manageable and robust to ensure the security posture of systems operating within the DoE.

The team had been using SCAP to scan for vulnerabilities and then remediating by manual means. This approach made it difficult to tailor the standardized STIGs to the specific DoE operational requirements and required significant manual effort. Overall, SCAP lacked the intuitive functionality and comprehensive reporting capabilities required for efficient compliance management, leading to prolonged remediation cycles and potential audit delays.

So, they started investigating alternatives. There are very few solutions available in the space. The open-source alternatives the team explored all required significant manual intervention, extensive configuration and dedicated internal resources. It was time to move away from all that.

Transforming the compliance process with ConfigOS MPO

After much consideration, the team decided they wanted a solution with the capability to consistently deliver:

  • An efficient and accurate method to tailor STIGs to DoE requirements
  • Simplified compliance that reduces the amount of manual effort needed
  • The visibility to maintain an enterprise-specific understanding of their current security posture
  • An agent-based architecture that accommodates a virtual and hybrid workforce
  • A uniform security posture across teams and systems
  • Automated remediation to ease the burden for initial compliance and quarterly updates
  • Effortless continuous compliance and consistency throughout the enterprise
  • Support with generating reports for reviews and audits
  • Superior customer service and responsive account management

It was a big wish list. But after an exhaustive search, they chose the only unified compliance automation solution proven for STIGs in some of the most sensitive corners of the DoE and DoD—ConfigOS MPO.

Discovering the many advantages of a unified STIG automation solution

A unified compliance automation solution like ConfigOS MPO automates the entire compliance process, not just a part of it. It scans, remediates, manages and reports, all from a single, integrated, purpose-built solution. Because each part of the solution was built with the entire process in mind, it delivers superior functionality and compliance in comparison to using disparate automation tools.

According to the team’s Information System Security Manager, “the core differentiators that solidified our decision to partner with SteelCloud were the advanced tailoring capabilities of ConfigOS and its agent-based architecture, which provides robust and flexible security management.” He goes on to add, “the exemplary customer support and proactive responsiveness to feature requests and software enhancements were key messaging points that significantly contributed to closing the deal.”

ConfigOS MPO’s agent-based architecture automatically scans and remediates each virtual and remote endpoint as it comes online and accesses the network. No more concerns about the timing of scans and updates. And once policy is set and customized, that functionality is effortlessly repeatable and automated across all 6300 licensed endpoints in the team’s enterprise.

Reducing effort and costs by more than 70% while improving compliance

The STIG automation world is full of unfulfilled promises. But that’s not what this team found with ConfigOS MPO. Instead, they enjoyed immediate and measurable results:

  • 75% Reduction in Effort: It used to take staff 32 hours each year to maintain a single endpoint. With ConfigOS MPO, it takes 8 hours per endpoint per year.
  • 70% Reduction in Overall Costs: With 6300 licensed endpoints, the site realized a total cost avoidance with ConfigOS in excess of $7.8M. That’s a reduction of 70% in terms of manpower and tool costs—year over year!
  • 70% Reduction in Costs to Maintain STIG Compliance: Yearly maintenance costs are reduced across the board due to reduced effort and tool costs.

The team has also received qualitative benefits from ConfigOS MPO. As their ISSM observes, “the substantial time savings achieved through streamlined STIG tailoring and remediation allowed us to reallocate valuable hours towards core mission-critical activities, significantly enhancing operational efficiency and reducing resource drain on compliance-related tasks.” In addition to that, they also reported:

  • Improved security posture and audit-readiness overall
  • Enhanced ability to customize STIGs specific to their environment
  • Improved allocation with continuous monitoring/compliance automation in place
  • Improved reporting with the solution capturing all the data needed for reviews and audits
  • Improved customer service and responsiveness to needs and requests

Seeing is believing. Experience ConfigOS MPO first hand.

ConfigOS MPO’s unified automation makes every part of the compliance process go smoother. It has been proven over years of use in tactical, air-gapped, cloud, classified, remote, on-prem and other challenging environments. It is the primary unified automation solution used for STIG compliance in sensitive DoD and DoE applications by a large margin.

SteelCloud understands STIG compliance like nobody else. We know promises are made and not kept. We know solutions out there aren’t well supported. And we are aware of the shortcomings of open-source tools.

Moreover, we get that saying we can reduce costs and effort by more than 70% and deliver better results in return is worthy of skepticism. Which is why we offer free demos of ConfigOS MPO. Schedule yours today and see how unified automation can transform your compliance results.
