Compliance Toolbox
AGENDA
- Compliance Toolbox
- Bridging the Gap
- Documentation
- STIGs
- Compliant versus non-compliant views
COMPLIANCE TOOLBOX: COMPLIANCE TOOLS
- RISK MANAGEMENT FRAMEWORK (RMF)
- SECURITY TECHNICAL IMPLEMENTATION GUIDES (STIGs)
- ASSURED COMPLIANCE ASSESSMENT SOLUTION (ACAS)
- SECURITY CONTENT AUTOMATION PROTOCOL (SCAP)
- ENTERPRISE MISSION ASSURANCE SUPPORT SERVICES (eMASS)
STIGs: https://iase.disa.mil/stigs/pages/a-z.aspx
436 possible STIGs, each with a varying number of Vulnerability IDs.
STIG VIEWER: https://iase.disa.mil/stigs/pages/stig-viewing-guidance.aspx
I-ASSURE http://www.i-assure.com

RMF (six steps)      STIG (five steps)
1. Categorize        1. Discover
2. Select            2. Assess
3. Implement         3. Analyze
4. Assess            4. Remediate
5. Authorize         5. Mitigate
6. Monitor
5 STEPS OF STIG COMPLIANCE: BRIDGING THE GAP (DISA STIG)
1. Discover: We will review hardware and software lists and diagrams, and perform interviews, to determine the baseline set of STIGs applicable to the environment.
2. Assess: We will use DISA-provided automated tools (ACAS and SCAP), locally developed tools and manual reviews to determine and document the current compliance state.
3. Analyze: We will perform a gap analysis with the customer to identify quick fixes and potential problems, and provide a go-forward strategy for achieving compliance.
4. Remediate: We will use the strategy defined in the Analyze phase to execute fixes. Regression and functional testing will be performed to ensure that security changes do not negatively impact operations. All results will be documented.
5. Mitigate: For items that could not be remediated because of operational constraints, a Plan of Action and Milestones (POA&M) will be created that identifies the vulnerability and the mitigations associated with lowering the raw risk.
CRACKING THE CODE: DOCUMENTATION
- Not Applicable
- Automatically Compliant
Cracking the Code: CCI (Control Correlation Identifier)
The purpose of CCIs is to allow a high-level statement made in a policy document (i.e., a security control) to be decomposed and explicitly associated with the low-level security settings that must be assessed to determine compliance with the objectives of that specific statement.
Decoding the STIGs: compliant view
Findings are grouped by severity category: CAT I, CAT II, CAT III (CAT I is the most severe).
Decoding the STIGs: non-compliant view
Note: there are no results when searching all five STIGs for CCI 001485.
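The slides above decode a STIG by severity category and search STIG content for a CCI. As an added example (not part of the original deck or the presenter's tooling), the following Python parses a benchmark in the XCCDF 1.1 layout DISA publishes STIGs in (Group for the V-ID, Rule with a severity attribute, ident elements carrying CCIs), maps XCCDF severity to CAT I/II/III, and looks rules up by CCI. The benchmark embedded below is constructed for the example and is not a real STIG; the function names and the "unknown" category for an unrecognised severity are the author's own choices.

```python
"""Decode a DISA-style XCCDF STIG benchmark: severity -> CAT, and CCI lookup."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
CCI_SYSTEM = "http://iase.disa.mil/cci"  # ident/@system value DISA uses for CCIs

# XCCDF severity attribute -> DISA category (CAT I is the most severe).
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample benchmark for this example; it is NOT a real DISA STIG,
# but it follows the Group / Rule / ident layout that real STIG XCCDF files use.
SAMPLE_STIG = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_STIG">
  <title>Example STIG (constructed)</title>
  <Group id="V-1001">
    <title>SRG-OS-000001</title>
    <Rule id="SV-1001r1_rule" severity="high">
      <title>Accounts must require a password.</title>
      <ident system="http://iase.disa.mil/cci">CCI-000366</ident>
      <ident system="http://iase.disa.mil/cci">CCI-000205</ident>
    </Rule>
  </Group>
  <Group id="V-1002">
    <title>SRG-OS-000002</title>
    <Rule id="SV-1002r1_rule" severity="medium">
      <title>Audit logging must be enabled.</title>
      <ident system="http://iase.disa.mil/cci">CCI-000366</ident>
    </Rule>
  </Group>
  <Group id="V-1003">
    <title>SRG-OS-000003</title>
    <Rule id="SV-1003r1_rule" severity="low">
      <title>A login banner must be displayed.</title>
      <ident system="http://iase.disa.mil/cci">CCI-001487</ident>
    </Rule>
  </Group>
</Benchmark>
"""


def _tag(name):
    """Namespace-qualify an XCCDF element name for ElementTree."""
    return "{%s}%s" % (XCCDF_NS, name)


def normalize_cci(text):
    """Accept '001485', 'cci-1485' or 'CCI-001485' and return 'CCI-001485'."""
    digits = text.strip().upper().replace("CCI-", "")
    if not digits.isdigit():
        raise ValueError("not a CCI: %r" % text)
    return "CCI-" + digits.zfill(6)


def parse_benchmark(xml_text):
    """Return one dict per Rule: V-ID, rule ID, CAT, title and its CCIs."""
    root = ET.fromstring(xml_text)
    rules = []
    for group in root.iter(_tag("Group")):
        for rule in group.findall(_tag("Rule")):
            title_el = rule.find(_tag("title"))
            ccis = sorted({
                normalize_cci(ident.text)
                for ident in rule.findall(_tag("ident"))
                if ident.get("system") == CCI_SYSTEM and ident.text
            })
            rules.append({
                "vuln_id": group.get("id"),
                "rule_id": rule.get("id"),
                "cat": SEVERITY_TO_CAT.get((rule.get("severity") or "").lower(), "unknown"),
                "title": (title_el.text or "").strip() if title_el is not None else "",
                "ccis": ccis,
            })
    return rules


def find_by_cci(rules, cci):
    """V-IDs of every rule that maps to the given CCI (empty list if none)."""
    wanted = normalize_cci(cci)
    return [r["vuln_id"] for r in rules if wanted in r["ccis"]]


def count_by_cat(rules):
    """How many rules fall into each category, as a plain dict."""
    return dict(Counter(r["cat"] for r in rules))


if __name__ == "__main__":
    rules = parse_benchmark(SAMPLE_STIG)
    print("Rules per category:", count_by_cat(rules))
    for query in ("000366", "001485"):
        hits = find_by_cci(rules, query)
        print("%s -> %s" % (normalize_cci(query), hits if hits else "no results"))
```

Searching the constructed benchmark for CCI 001485 returns no rules, which is the same "no results" outcome the slide reports for the five real STIGs; run the same functions over each downloaded STIG's XCCDF file to reproduce that search across a whole set of benchmarks.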
Bringing It Together: The Bottom Line
Expectations:
- Reaccreditation every 1-3 years at minimum
- It is going to cost money
- The goal is a cost-effective and sustainable approach

Non-layered approach:
- >20% initial cost of accreditation
- >45% to sustain accreditation over time
- >70% higher cost to reaccredit

Layered approach:
- <50% of the initial cost to reaccredit
- Cost-effective and sustainable at lower cost
- Effective for cost and compliance over the long term
COMPLIANCE TOOLBOX Questions?