Automating Compliance: Architecting for FedRAMPHIGH and … · 2018-10-03 · Automating...

Automating Compliance: Architecting for FedRAMP HIGH and NIST Workloads Steve Horvath, VP Strategy & Vision


Page 1:

Automating Compliance: Architecting for FedRAMP HIGH

and NIST Workloads

Steve Horvath, VP Strategy & Vision

Page 2:

For the last 20 years, we’ve focused on…

Cyber Security

✦ Conduct assessments for and defend the most attacked networks in the world

✦ Launched the first commercial web-based application to automate risk management and security compliance; today, the dominant provider to the U.S. government

✦ Xacta solution is the database of record for the U.S. Intelligence Community

Secure Mobility

✦ Provided the largest deployment of enterprise wireless LANs to the U.S. Department of Defense

✦ Designed, installed and deployed secure mobility solutions for U.S. Air Force, Air Guard, Army, Army Guard, and DISA

✦ Chosen by DISA to design, implement and sustain an integrated enterprise campus Wi-Fi, guest access, and mobile device management capability

✦ Designed specialized deployable secure mobility solutions for U.S. Air Force and Army requirements

Identity Management

✦ Integrator of record for the largest identity management application in the U.S. federal government

✦ Assure the identity of more than 10 million personnel in U.S. armed forces and related personnel worldwide

✦ Authorized by the FBI to provide real-time identity background checks

✦ Identity vetting application deployed at over 60 airports and airlines across the U.S.

Page 3:

Select Telos Customers

Page 4:

Our Solution – Orchestration & Automation of Risk Management

• In 2001, Xacta was purpose-built to streamline Risk Management and Compliance processes.

• In 2005, we created our continuous monitoring product to provide ongoing validation of an Enterprise or program’s risk posture.

• In 2012, we bolstered our ability to automatically generate Body of Evidence and Audit Report documentation with our Advanced Inheritance Model and System of Systems.

• In 2017, we brought the same ongoing validation of risk management functionality to AWS infrastructure by adding AWS API calls directly from Xacta 360.

• This year, we’re working with AWS Compliance to make provider projects available for popular AWS Services.

Page 5:

Xacta Product Suite

Page 6:

How can we reduce the number of controls?

• NIST SP 800-53 Rev 4 total number of controls & enhancements: 965

• The standard NIST baselines before tailoring or overlays:

  • High - 357 Applicable Controls

  • Moderate - 277 Applicable Controls

  • Low - 140 Applicable Controls

Page 7:

Provider projects as a force multiplier (an example)

You can reduce the number of necessary IA controls by:

1. Attempting to tailor some out (negotiate with the risk/security organization)

2. Inheriting Common Controls and Shared Controls

Common Controls: The enterprise approves a group or individual to be responsible for a control and allows it to be provided to others

Hybrid or Shared Controls: The enterprise allows a control to be provided, but a portion of the control still must be met by the consumer or system

Page 8:

Provider Project: Owner flags data that is inheritable.

Receiver Projects inherit appropriate content from Provider Projects.

Receiver Project: Owner chooses to inherit data.

Provider Projects: Overview

• AWS-owned projects that have been pre-vetted for compliance with the relevant controls

• A reference library for use in C2S, SC2S, and FedRAMP environments

• Allow AWS customers to dynamically link receiver projects to appropriate AWS Services

Receiver projects inherit provider project profiles to reduce the manual effort of the A&A process

Inheritable:

• Control Implementation

• Test Results

• Risk Results

• POAM indicators

Page 9:

[Diagram: inheritance from a Provider Project to a Receiver Project, per IA Control]

Provider Project, IA Control:

• Private Implementation

• Public Implementation

• Test Results

• Risk Element

• POAM Elements

• Artifacts and Documents

Receiver Project, IA Control:

• Local Control Implementation

• Inherited/Shared Implementation

• Test Results (Inherited Status + Local)

• Risk Element (Inherited Status + Local)

• POAM Elements (Local Only)

• Artifacts and Documents (Local Only)

What crosses from Provider to Receiver:

• Implementation: Only the public implementation is shared, and it becomes non-editable content in the Receiver Project.

• Test Results: Actual test results can be sent for the corresponding inherited controls to show pass/fail. Details are not sent.

• Risk: Risks will be shown, but are not editable. The risk outcome/indicator will be visible (Accepted, Rejected, POAM).

• POAM: No POAM details will be shared. Receiver projects should only contain local POAMs.

• Artifacts: No artifacts or other supporting documentation will be shared.
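The diagram's sharing rules can be read as an access-control projection: a receiver gets a read-only copy of the public implementation, pass/fail indicators for tests, outcome indicators for risks, and nothing else, while POAMs and artifacts stay local. The following is an added example that models those rules; it is not Xacta's code and does not reflect its data model. Every class, function and sample value (the control id, implementation text, test and risk records) is constructed for illustration.

```python
# Added illustration of the slide's provider/receiver inheritance rules.
# Not Xacta code: every class, function and sample value here is constructed.
from dataclasses import dataclass, field
from types import MappingProxyType
from typing import Mapping

# Risk outcome indicators the slide says remain visible in the receiver project.
RISK_OUTCOMES = frozenset({"Accepted", "Rejected", "POAM"})


@dataclass(frozen=True)
class TestResult:
    test_id: str
    passed: bool
    details: str  # procedure notes and evidence; never leaves the provider


@dataclass(frozen=True)
class RiskElement:
    risk_id: str
    outcome: str      # Accepted | Rejected | POAM
    description: str  # narrative; never leaves the provider


@dataclass(frozen=True)
class ProviderControl:
    """One IA control as held in a provider project (hypothetical layout)."""
    control_id: str
    private_implementation: str
    public_implementation: str
    test_results: tuple[TestResult, ...]
    risks: tuple[RiskElement, ...]
    poams: tuple[str, ...]
    artifacts: tuple[str, ...]


@dataclass(frozen=True)
class InheritedSlice:
    """What a receiver sees from the provider: frozen (non-editable), and the
    mappings carry status indicators only, never details or narratives."""
    implementation: str
    test_status: Mapping[str, bool]  # test_id -> pass/fail
    risk_status: Mapping[str, str]   # risk_id -> Accepted/Rejected/POAM


@dataclass
class ReceiverControl:
    control_id: str
    inherited: InheritedSlice
    local_implementation: str = ""
    local_test_results: list[TestResult] = field(default_factory=list)
    local_risks: list[RiskElement] = field(default_factory=list)
    local_poams: list[str] = field(default_factory=list)      # POAMs: local only
    local_artifacts: list[str] = field(default_factory=list)  # artifacts: local only


def inherit(provider: ProviderControl) -> InheritedSlice:
    """Project a provider control onto the read-only slice a receiver may link.
    Private text, test details, risk narratives, POAMs and artifacts are not copied."""
    for r in provider.risks:
        if r.outcome not in RISK_OUTCOMES:
            raise ValueError(f"{r.risk_id}: unknown risk outcome {r.outcome!r}")
    return InheritedSlice(
        implementation=provider.public_implementation,
        test_status=MappingProxyType({t.test_id: t.passed for t in provider.test_results}),
        risk_status=MappingProxyType({r.risk_id: r.outcome for r in provider.risks}),
    )


def link_receiver(provider: ProviderControl, **local) -> ReceiverControl:
    """Create the receiver-side record for the same control id."""
    return ReceiverControl(control_id=provider.control_id, inherited=inherit(provider), **local)


def control_passes(rc: ReceiverControl) -> bool:
    """Inherited status + local: every inherited and every local test must pass."""
    return all(rc.inherited.test_status.values()) and all(t.passed for t in rc.local_test_results)


def open_risks(rc: ReceiverControl) -> list[str]:
    """Risk ids still needing action: any inherited or local risk not marked Accepted."""
    inherited = [rid for rid, out in rc.inherited.risk_status.items() if out != "Accepted"]
    return inherited + [r.risk_id for r in rc.local_risks if r.outcome != "Accepted"]


def try_edit_inherited(rc: ReceiverControl, new_text: str) -> bool:
    """Return True if the inherited implementation could be changed (it cannot)."""
    try:
        rc.inherited.implementation = new_text  # type: ignore[misc]
    except AttributeError:  # dataclasses.FrozenInstanceError subclasses AttributeError
        return False
    return True


def build_sample() -> tuple[ProviderControl, ReceiverControl]:
    """Constructed sample: a provider control with one passing and one failing test,
    one accepted risk, and a POAM and artifact that must stay with the provider."""
    provider = ProviderControl(
        control_id="SC-13",
        private_implementation="PRIVATE: internal key-ceremony notes (constructed)",
        public_implementation="Data is encrypted with provider-managed keys (constructed)",
        test_results=(TestResult("T1", True, "PRIVATE evidence"), TestResult("T2", False, "PRIVATE evidence")),
        risks=(RiskElement("R1", "Accepted", "PRIVATE narrative"),),
        poams=("POAM-7: provider-only remediation item",),
        artifacts=("provider-policy.pdf",),
    )
    receiver = link_receiver(
        provider,
        local_implementation="Application enables encryption on its own volumes (constructed)",
        local_test_results=[TestResult("L1", True, "local evidence")],
        local_risks=[RiskElement("LR1", "POAM", "local narrative")],
        local_poams=["LPOAM-1: enable encryption on legacy volume"],
    )
    return provider, receiver
```

The split into a frozen `InheritedSlice` and a mutable set of `local_*` fields is what enforces the slide's rules in code: the receiver can add its own tests, risks and POAMs, but cannot alter or expand what it inherited, and the provider's private text, evidence details, POAM entries and artifacts never appear in the receiver-side record at all.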

Page 10:

Provider Projects are planned for these AWS Services

• Amazon EC2

• Amazon VPC*

• Auto Scaling

• IAM

• Amazon S3

• Amazon EBS

• AWS KMS

• AWS CloudFormation

• Amazon SNS

• Amazon SQS

• Amazon DynamoDB

• Elastic Load Balancing*

• AWS CloudTrail

• Amazon RDS

• AWS Direct Connect

• Amazon SWF

• Amazon Kinesis

• Amazon Glacier

• AWS Config

• AWS Trusted Advisor

• Amazon CloudWatch

• Amazon EMR

• AWS Snowball*

• Amazon ElastiCache

• Amazon Redshift*

Page 11:

But that’s not all… Xacta 360 solves other major issues for Agencies and Enterprises, including:

✦ Regulation upgrades: The process of transitioning from NIST 800-53 rev 4 to NIST 800-53 rev 5 will take agencies a year (on average). With Xacta 360 this can take as little as 2 weeks.

✦ Mapping across regulations: Test against one regulation and produce documentation against others via our internal mapping capability (e.g. test against NIST Controls and produce both NIST and HIPAA Audit reports or Body of Evidence Documents).

✦ NIST CSF, RMF, 800-171 and FedRAMP Support: Test and produce documents for NIST CSF, NIST RMF, NIST 800-171 and even FedRAMP compliance – all at the same time.

Page 12:

Questions

Steve Horvath

[email protected]

Contact Information

Visit Telos.com