Transcending the Fallout of a Failed CORA with Compliance Automation
When the DoE entrusts you with designing, producing and assembling electrical, mechanical and engineered materials for the nuclear weapons stockpile, it’s critical to adhere to both DoE and DoD cybersecurity standards. So when a lab that contracts to the DoE fails to pass a CORA audit, it’s a big deal. That’s the precarious situation a team found themselves in after their lab’s audit.
The lab provides non-nuclear components for our nation’s nuclear weapons stockpile. They handle highly sensitive, classified information for our national defense and, as a result, are subject to STIG, RMF and CORA requirements.
Labs like these depend on the DoE, and the DoE depends on these labs. CORA exists to ensure vulnerabilities in the DoD Information Network (DoDIN) don’t go unchecked. An unsuccessful CORA means classified data is not fully protected, posing a threat to national security and to the lab’s relationship with the DoE.
Understanding the contractual risks of a failed CORA.
The team’s original approach to meeting STIG and RMF requirements was not unusual. They used SCAP to scan their endpoints for vulnerabilities, then manual means to remediate what they found. They kept track of everything on an Excel spreadsheet. They understood the mission and worked hard to achieve it.
Failing to pass is not fatal, but it does put a series of immediate and potential consequences in motion:
- Operations Restrictions: Failing to pass a second time would mean going before the Quarantine Review Board and could result in termination or suspension of the site’s connection to DoDIN.
- Mandatory Remediation Plans: This involved overhauling their cybersecurity policies, enhancing employee training approaches and investing in substantial security program improvements.
- Reinspection and Increased Scrutiny: The team had six months to correct issues before they would be reinspected. A second assessment would result in increased scrutiny until they were able to consistently and reliably pass their audits.
- Loss of Contracts: If they didn’t pass their re-assessment, they could potentially lose or disrupt their contract and maybe even other DoE and DoD related contracts.
- Operational Disruption: More intense focus would have to be placed on cybersecurity to prepare for reinspection, putting other initiatives on the back burner.
- Reputational and Financial Damage: If they failed a second CORA, it would damage the trust the DoE has put in them over a 75-year relationship and could even potentially result in civil action for breach of contract.
Putting a force multiplier to work for CORA readiness.
With all those risks in mind, the team started researching other approaches. They considered STIG Viewer in addition to SCAP and Excel, but rejected those approaches because they required too much manpower, were burdensome and tedious, and didn’t satisfy risk management in the face of a failed CORA. Without a secure baseline and continuous compliance, preparing for a second CORA in six months’ time using manual means was unrealistic.
The team knew they wanted an automation solution—one that scans, remediates, maintains and reports from a single dashboard. But they didn’t want an intrusive solution or one that completely changed the way they did things.
Ultimately, they chose SteelCloud’s ConfigOS MPO to bring their classified systems into compliance. Other labs in the DoE were using SteelCloud’s automation solution as a force multiplier to significantly reduce the cost, effort and time it takes to conform to STIG, RMF and CORA standards. So they followed suit, knowing that, once implemented, the compliance process is automated, requiring very little human intervention to remain continuously compliant.
Whereas most STIG solutions may automate scanning or simplify reporting, ConfigOS MPO also unifies baseline management for continuous compliance, maintaining a perfect, CORA-ready status at all times. Better yet, ConfigOS MPO operates in any environment, including classified, tactical/weapon systems, air-gapped labs, OT/SCADA environments, and commercial cloud infrastructures.
Saving countless hours and $2.6M per year while achieving steel-clad security.
ConfigOS MPO removed months from the compliance process, enabling the lab to pass their second CORA and regain the confidence of their client. It’s the only unified solution that has been proven across the government’s and DIB’s most sensitive environments for over a decade.
Using ConfigOS MPO helped the team circumvent the potential consequences of an unsuccessful CORA and delivered some very significant benefits in the process:
- Reduced Effort and Time by a 20:3 Ratio: Prior to ConfigOS MPO, engineers were spending an average of 20 hours administering each endpoint in their system over its lifecycle. With automation, that effort is reduced to 3 hours per endpoint.
- Continuous Compliance and Audit-Readiness: By automating scanning, remediation, maintenance and reporting, the lab is now continually compliant and CORA-ready.
- Cost Avoidance of $2.6M: With ConfigOS MPO, the cost of establishing and maintaining STIG, RMF and CORA compliance is $2.6M less per year than what the lab was spending before.
Now, the lab can reduce the number of people they have working on STIGs while significantly improving the security of their systems and freeing up their manpower to address other initiatives like Zero Trust. Even better, the team doesn’t have to sweat CORA audits anymore. In fact, they were so impressed with ConfigOS that they asked the DoE to consider Enterprise Licensing for all of their labs.
SteelCloud’s relationship with the lab is expected to grow to cover their unclassified endpoints as well. ConfigOS MPO is a solution that sells itself once you see it in action. Request a demo today and put any concerns you have about STIG, RMF and CORA compliance to rest. To learn more, read the use case.