Warfighters, C2ISR Systems and STIG Compliance
Among the agencies and organizations that are required to implement Security Technical Implementation Guides (STIGs) to protect their systems and endpoints, the primary objectives are to protect data and system availability. The stakes rise, however, when those protections have a direct and immediate impact on the lives of warfighters on our front lines.
The Air Force’s Command & Control, Intelligence, Surveillance and Reconnaissance (C2ISR) cybersecurity team protects and maintains a wide variety of systems for collecting, processing and disseminating intelligence. Securing these systems and keeping them up to date is critical to the safety of both the end users, as well as the military as a whole because national security leaders and military commanders will make decisions based on the data the end users collect. That data is highly sensitive and protecting its availability, accuracy and classified status is paramount.
Time is of the essence when it comes to cybersecurity.
Even in fully STIGged environments with Zero Trust instituted, the moment a new vulnerability is detected, a software update is released or changes are otherwise made to hardware or software, a system is at risk. So getting updates implemented and secured in a timely manner is vital. Not only do you want to harden vulnerabilities, you also want users to have the newest, most secure versions of their tools and weapons.
For the C2ISR team, it took anywhere from two weeks to a month to STIG endpoints and systems each time a new product or STIG update was released. Frequently, the team was found working nights and weekends to speed that timeline along but kept getting bogged down manually implementing STIGs control-by-control and fixing everything the STIGs broke.
Trusting something other than manual STIGging.
Cybersecurity professionals—especially those in the DoD—are paid not to trust anyone or anything. But there’s also a critical need to speed timelines, reduce costs and have a work/life balance. So, with that in mind, the Air Force agreed to see a demo of ConfigOS, the leading STIG compliance automation solution in the DoD. After the demo, they decided to give it a try.
With the first use, ConfigOS did all the work in two days—not the two-to-four weeks it normally took. Not trusting those results, AF C2ISR took the time to double check all the work manually. It was 100% accurate.
The team also tested ConfigOS’s rollback feature that can return you to previous versions of your process when the STIGs break an app. They found that, rather than research hundreds of STIGs one-by-one to find the broken one as they did before, they could apply multiple STIGs to their rollback data at once to eliminate suspects in batches. This feature, alone, saved countless, mind-numbing hours for the team.
From there, ConfigOS quickly gained the confidence of the C2ISR cybersecurity team. They found they could push a button and get immaculate, error-free results every time. And they also learned that ConfigOS did the heavy lifting at each phase of the compliance process, from downloading STIG updates and determining which STIGs apply to scanning, remediation and reporting. They could even customize their STIG settings and exceptions.
“We went from two plus weeks of manual hardening with STIGs to just two days with ConfigOS,” says Ashful Williams, Air Force ISSM, C2ISR. “We were so blown away that we thought the software was giving us false positives. But, no, the product just works that great.”
Fulfilling the mission faster with automation.
The C2ISR team has embraced ConfigOS as an important part of the team. It shaves weeks off their delivery schedule, saves the program money, delivers error-free results, relieves compliance headaches and gives the team their evenings and weekends back.
“Security is paramount when it comes to the military,” states Williams. “As a Marine veteran and cybersecurity professional, nothing is more important in my job than protecting our warfighters and making sure we deliver safe and secure products to the front lines. I could talk all day about how SteelCloud’s automation helps us do that faster and more accurately than ever before.”
To see the demo that convinced a hardened cybersecurity expert and Marine veteran to automate STIG compliance, schedule it today and see how SteelCloud makes the hard things easy.
To read more about this use case, please visit the Customer Success Story.