As the DoD moves closer to automated security compliance, it is time for contractors to prepare for this change. Contractors should be aware not only of the specific security requirements, but also of how far various agencies have progressed toward compliance and which tools are acceptable.
An Easier Transition Guaranteed: Understand NIST 800-171
One of the best ways for contractors to prepare for this new automated world is to become familiar with NIST 800-171. The NIST 800-171 standard contains over 100 security requirements, much of its focus being on secure file sharing and information exchange for unclassified information. Per Washington Technology, there is a very high likelihood that NIST 800-171 will come into play when the government publishes final guidance for automated security compliance. So, how are the various DoD agencies handling the automation of security compliance?
Snapshot of Current Security Compliance Progress Among the DoD
The NGA has been openly discussing automating its compliance process, aptly named ATO-in-a-Day (ATO stands for “authority to operate,” the authorization a federal information system must receive before it can be put into service). This process is “designed to influence DevOps tools, processes and governance that are inclusive of information assurance and security.” ATO-in-a-Day uses an unclassified platform that “provides 80% of the required security controls.” Currently, there are four main requirements for being able to utilize ATO-in-a-Day. One of the four requirements (number 3) stipulates that the software be built within the NGA DevOps continuous integration (CI) pipeline in Amazon Web Services (AWS).
A component of the DoD’s Threat Reduction Agency, the Joint Improvised-Threat Defeat Organization (JIDO) is currently “accrediting DevOps software stacks on both production and high-side networks.” It is using the RMF (Risk Management Framework) guidelines to accomplish this task.
The Department of Veterans Affairs is working to create an ATO-standardized cloud architecture that supports both AWS and Microsoft Azure, using FISMA as its guideline. The hope is to greatly reduce the administrative burden, make the process more efficient, and shorten the time required to receive an ATO award.
With such a push in the DoD world toward automated security compliance, what tools can organizations use to ensure a smooth transition to automated compliance?
Compliance Tools Spotlight: OpenControl
For organizations dealing with compliance issues, automated tools can be the most effective solution. An open source tool called OpenControl provides a “framework and toolkit for representing regulatory compliance standards, certifications, controls and technical components.” This tool is finding acceptance within the government community, with many agencies and departments utilizing it to move toward automation.
The process toward automated security compliance continues to evolve in the defense environment. Many agencies are preparing by implementing processes and strategies to meet this requirement, and new tools such as OpenControl are being utilized to ensure a smooth transition. For DoD contractors, it is best to fully understand NIST 800-171, as there is a “high likelihood” this Special Publication (SP) will be the framework when the government publishes official guidance. For the entire DoD community, preparation will be vital to a successful transition to automated security compliance now and in the future.
Does your small business need guidance on how automated security compliance affects your business? If so, contact the security experts at Sentient Digital, Inc. At Sentient Digital, Inc., we provide our clients with premier cybersecurity consulting services and solutions.