Automating Compliance: Architecting for FedRAMP HIGH and … · 2018-10-03
Automating Compliance: Architecting for FedRAMP HIGH
and NIST Workloads
Steve Horvath, VP Strategy & Vision
For the last 20 years, we’ve focused on…
Cyber Security
✦Conduct assessments for and defend the most attacked networks in the world
✦Launched the first commercial web-based application to automate risk management and security compliance; today, the dominant provider to the U.S. government
✦Xacta solution is the database of record for the U.S. Intelligence Community
Secure Mobility
✦Provided the largest deployment of enterprise wireless LANs to the U.S. Department of Defense
✦Designed, installed and deployed secure mobility solutions for U.S. Air Force, Air Guard, Army, Army Guard, and DISA
✦Chosen by DISA to design, implement and sustain an integrated enterprise campus Wi-Fi, guest access, and mobile device management capability
✦Designed specialized deployable secure mobility solutions for U.S. Air Force and Army requirements
Identity Management
✦Integrator of record for the largest identity management application in the U.S. federal government
✦Assure the identity of more than 10 million personnel in U.S. armed forces and related personnel worldwide
✦Authorized by the FBI to provide real-time identity background checks
✦Identity vetting application deployed at over 60 airports and airlines across the U.S.
Select Telos Customers
Our Solution – Orchestration & Automation of Risk Management
• In 2001, Xacta was purpose-built to streamline Risk Management and Compliance processes.
• In 2005, we created our continuous monitoring product to provide ongoing validation of an Enterprise or program’s risk posture.
• In 2012, we bolstered our ability to automatically generate Body of Evidence and Audit Report documentation with our Advanced Inheritance Model and System of Systems.
• In 2017, we brought the same ongoing validation of risk management functionality to AWS infrastructure by adding AWS API calls directly from Xacta 360.
• This year, we’re working with AWS Compliance to make provider projects available for popular AWS Services.
Xacta Product Suite
How can we reduce the number of controls?
• NIST SP 800-53 Rev 4 total number of controls & enhancements: 965
• The standard NIST baselines before tailoring or overlays:
High - 357 Applicable Controls
Moderate - 277 Applicable Controls
Low - 140 Applicable Controls
Provider projects as a force multiplier (an example)
You can reduce the number of necessary IA controls by:
1. Attempting to tailor some out (negotiate with the risk/security organization)
2. Inheriting Common Controls and Shared Controls
Common Controls: The enterprise approves a group or individual to be responsible for a control and allows it to be provided to others
Hybrid or Shared Controls: The enterprise allows a control to be provided, but a portion of the control still must be met by the consumer or system
Provider Project: the owner flags data that is inheritable.
Receiver Projects inherit appropriate content from Provider Projects.
Receiver Project: the owner chooses to inherit data.
Provider Projects: Overview
• AWS-owned projects that have been pre-vetted for compliance with the relevant controls
• A reference library for use in C2S, SC2S, and FedRAMP environments
• Allow AWS customers to dynamically link receiver projects to appropriate AWS Services
Receiver projects inherit provider project profiles to reduce the manual effort of the A&A process
Inheritable:
• Control Implementation
• Test Results
• Risk Results
• POAM indicators

Inheritance model (diagram):

Provider Project, per IA Control:
  Private Implementation (stays with the provider)
  Public Implementation (shared)
  Test Results (shared as pass/fail)
  Risk Element (shared as outcome/indicator)
  POAM Elements (not shared)
  Artifacts and Documents (not shared)

Receiver Project, per IA Control:
  Local Control Implementation, plus Inherited/Shared Implementation (read-only)
  Test Results (Inherited Status + Local)
  Risk Element (Inherited Status + Local)
  POAM Elements (Local Only)
  Artifacts and Documents (Local Only)

Sharing rules:
• Implementation: only the public implementation is shared, and it becomes non-editable content in the Receiver Project.
• Test Results: actual test results are sent for the corresponding inherited controls to show pass/fail. Details are not sent.
• Risk: risks are shown but not editable. The risk outcome/indicator is visible (Accepted, Rejected, POAM).
• POAM: no POAM details are shared. Receiver projects should contain only local POAMs.
• Artifacts: no artifacts or other supporting documentation are shared.
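The sharing rules in the diagram above, together with the Common/Hybrid distinction from the earlier slide, as an added Python example that is not Xacta's code and does not describe how Xacta implements them: a Receiver Project is linked to the inheritable controls of a Provider Project, only the shareable fields cross the boundary (public implementation, pass/fail, risk indicator), a hybrid control passes only when both the provider's and the receiver's portions pass, and a boundary check confirms that no provider-private data (private implementation, test details, POAM details, artifacts) ended up in the receiver. The control IDs, which of them the provider covers, and all sample text are constructed assumptions for the example, not any real provider's inheritance determinations.

```python
from dataclasses import dataclass, field, asdict
from typing import Optional

@dataclass
class ProviderControl:
    # One IA control in the Provider Project; only fields marked "shared" reach receivers.
    control_id: str
    kind: str                    # "common" (fully provided) or "hybrid" (shared control)
    public_implementation: str   # shared, becomes non-editable in the receiver
    private_implementation: str  # not shared
    test_passed: Optional[bool]  # shared as pass/fail only
    test_details: str            # not shared
    risk_indicator: str          # shared but not editable: "Accepted", "Rejected" or "POAM"
    poam_details: list = field(default_factory=list)  # not shared
    artifacts: list = field(default_factory=list)     # not shared

@dataclass
class ReceiverControl:
    # The same control as the Receiver Project sees it; inherited_* is read-only there.
    control_id: str
    kind: str = "system"         # "common", "hybrid", or "system" (no provider)
    inherited_implementation: Optional[str] = None
    inherited_test_passed: Optional[bool] = None
    inherited_risk_indicator: Optional[str] = None
    local_implementation: str = ""
    local_test_passed: Optional[bool] = None
    local_poams: list = field(default_factory=list)      # POAMs are local only
    local_artifacts: list = field(default_factory=list)  # artifacts are local only

    def needs_local_implementation(self) -> bool:
        # Common controls are fully provided; hybrid and system controls need the receiver's part.
        return self.kind != "common"

    def effective_status(self) -> str:
        # "pass", "fail" or "untested"; a hybrid control passes only if both portions pass.
        if self.kind == "common":
            results = [self.inherited_test_passed]
        elif self.kind == "hybrid":
            results = [self.inherited_test_passed, self.local_test_passed]
        else:
            results = [self.local_test_passed]
        if any(r is False for r in results):
            return "fail"
        return "pass" if all(r is True for r in results) else "untested"

def build_receiver(baseline, providers, local):
    # baseline: control IDs to address; local: {control_id: (implementation_text, test_passed)}
    by_id = {p.control_id: p for p in providers}
    receiver = {}
    for cid in baseline:
        rc = ReceiverControl(cid)
        p = by_id.get(cid)
        if p is not None:  # copy only the shareable fields across the boundary
            rc.kind = p.kind
            rc.inherited_implementation = p.public_implementation
            rc.inherited_test_passed = p.test_passed
            rc.inherited_risk_indicator = p.risk_indicator
        rc.local_implementation, rc.local_test_passed = local.get(cid, ("", None))
        receiver[cid] = rc
    return receiver

def leaked_fields(receiver, providers):
    # Boundary check: any provider-private value found anywhere in the receiver project.
    dump = repr([asdict(rc) for rc in receiver.values()])
    private = [(p.control_id, s) for p in providers
               for s in (p.private_implementation, p.test_details, *p.poam_details, *p.artifacts)]
    return [(cid, s) for cid, s in private if s and s in dump]

def workload(receiver):
    # (controls still needing local implementation, controls fully inherited)
    local = sorted(c for c, rc in receiver.items() if rc.needs_local_implementation())
    return local, sorted(set(receiver) - set(local))

# Constructed sample data: which controls the provider covers, and how, is an
# assumption for this example, not any real provider's inheritance determination.
SAMPLE_PROVIDERS = [
    ProviderControl("PE-3", "common", "Provider controls physical access to its facilities.",
                    "PRIVATE: badge-reader vendor and zone map", True,
                    "DETAILS: 12 access points sampled", "Accepted", artifacts=["facility-audit.pdf"]),
    ProviderControl("AU-2", "hybrid", "Provider records API activity for every service.",
                    "PRIVATE: internal log pipeline topology", True,
                    "DETAILS: 30-day retention verified", "Accepted"),
    ProviderControl("SC-7", "hybrid", "Provider enforces the network boundary at its edge.",
                    "PRIVATE: edge filter rule set", False, "DETAILS: one edge finding open",
                    "POAM", poam_details=["POAM-0042: remediation in progress"]),
]
SAMPLE_BASELINE = ["AC-2", "AU-2", "CM-6", "PE-3", "SC-7"]
SAMPLE_LOCAL = {
    "AC-2": ("Application manages its own user accounts.", True),
    "AU-2": ("Application emits audit events to the provider's log service.", True),
    "SC-7": ("Application restricts inbound traffic with its own security groups.", True),
}

def sample_receiver():
    return build_receiver(SAMPLE_BASELINE, SAMPLE_PROVIDERS, SAMPLE_LOCAL)

if __name__ == "__main__":
    print(workload(sample_receiver()), leaked_fields(sample_receiver(), SAMPLE_PROVIDERS))
```

With the constructed data the receiver still has four controls to implement locally (AC-2, AU-2, CM-6, SC-7) and one fully inherited (PE-3); SC-7 fails as a whole because the provider's portion failed, even though the receiver's own portion passed, and its risk indicator shows as POAM while the provider's POAM details stay behind. The leak check is the assertion a receiver should make before building Body of Evidence documents from inherited content.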
Provider Projects are planned for these AWS Services
• Amazon EC2
• Amazon VPC*
• Auto Scaling
• IAM
• Amazon S3
• Amazon EBS
• AWS KMS
• AWS CloudFormation
• Amazon SNS
• Amazon SQS
• Amazon DynamoDB
• Elastic Load Balancing*
• AWS CloudTrail
• Amazon RDS
• AWS Direct Connect
• Amazon SWF
• Amazon Kinesis
• Amazon Glacier
• AWS Config
• AWS Trusted Advisor
• Amazon CloudWatch
• Amazon EMR
• AWS Snowball*
• Amazon ElastiCache
• Amazon Redshift*
But that’s not all… Xacta 360 solves other major issues for Agencies and Enterprises, including:
✦Regulation upgrades: the process of transitioning from NIST 800-53 Rev 4 to NIST 800-53 Rev 5 will take agencies a year (on average). With Xacta 360 this can take as little as 2 weeks.
✦Mapping across regulations: test against one regulation and produce documentation against others via our internal mapping capability (e.g. test against NIST controls and produce both NIST and HIPAA audit reports or Body of Evidence documents).
✦NIST CSF, RMF, 800-171 and FedRAMP support: test and produce documents for NIST CSF, NIST RMF, NIST 800-171 and even FedRAMP compliance, all at the same time.