As this fiscal year wraps up, many agencies are planning their response to compliance reporting requirements. Meeting these requirements, particularly in advance of an audit, can be incredibly time-consuming. While the Defense Department has made managing risk easier through Security Technical Implementation Guides (STIGs), it still falls to IT staff to ensure their systems remain continuously secure and compliant.
Let’s consider how government IT professionals can use automation to take the time and guesswork out of compliance.
The Problem With STIGs
A STIG, published by the Defense Information Systems Agency (DISA), is a set of security hardening standards and maintenance processes for networks, systems, and platforms that all DoD IT assets must comply with. There are hundreds of STIGs, each containing anywhere from dozens to several hundred individual rules, and the number keeps rising as new systems, versions, and updates come online.
Monitoring server and network configurations against these compliance policies can be cumbersome. Even with the best change control processes, it takes an army of people to manage and track every configuration change happening across the IT infrastructure. If a system has a particular STIG applied and then deviates from one of its controls, how would system and network administrators know?
This is particularly problematic because such changes happen all the time. A system or device can deviate from a STIG's expected baseline configuration for any number of reasons, such as a system update or a patch applied to fix a vulnerability. Sometimes the deviation is deliberate: an application may not run properly without permission or authorization settings that depart from the STIG. In each of these cases, administrators must create an exception to the STIG. They must also explain and document the exception in preparation for an audit, a painstaking process.
How Automation Can Help Ease Compliance
Automation is critical to lessening the compliance burden on IT pros.
Applications, systems, and devices are constantly in flux, and staying on top of configuration drift is challenging. With automation, however, administrators don't have to watch each system in a fleet of thousands of IT assets for potential configuration changes. Instead, the moment a configuration starts to drift from its baseline, monitoring tools detect the change and notify administrators in near real time. IT teams also gain visibility into who changed the configuration, what changed, and the related performance impact.
Automation can also streamline the tedious task of compliance reporting. Administrators can quickly produce FISMA and STIG reports from their configuration templates and generate audit documentation, work that would otherwise take weeks to complete.
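To make the drift-detection, exception-tracking, and reporting ideas above concrete, here is an added example written for this page; it is not code from the article or from any product it refers to. It parses a constructed sshd_config snapshot, checks it against a small hypothetical baseline (the SSH-00x rule IDs are placeholders, not real STIG identifiers), honours a constructed, time-limited waiver for one rule, and produces per-rule findings plus the counts a report would lead with. Two details a practitioner cares about are built in: sshd uses the first occurrence of a keyword, so a "fix" appended at the bottom of the file does not change the effective value, and an expired exception is reported as a failure rather than silently staying waived.

```python
# Added example: compare a collected sshd_config against a STIG-style baseline.
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional

# Constructed sample of /etc/ssh/sshd_config as an agent might collect it. sshd
# honours the FIRST occurrence of a keyword, so PermitRootLogin is effectively "yes".
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PermitEmptyPasswords no
X11Forwarding yes
ClientAliveInterval 900
PermitRootLogin no
"""
AS_OF = date(2024, 10, 1)  # evaluation date, inside the waiver's validity window

@dataclass(frozen=True)
class Rule:
    rule_id: str      # hypothetical IDs, not real STIG V-/SV- numbers
    keyword: str      # sshd keyword, lower-cased
    description: str
    check: Callable[[Optional[str]], bool]  # receives None if the keyword is absent

@dataclass(frozen=True)
class Waiver:
    rule_id: str
    justification: str
    approved_by: str
    expires: date

@dataclass(frozen=True)
class Finding:
    rule_id: str
    status: str       # "pass", "fail" or "waived"
    observed: Optional[str]
    note: str

# Hypothetical baseline. Absent keywords are judged by the sshd default:
# X11Forwarding defaults to "no" (absent passes); ClientAliveInterval
# defaults to 0, i.e. no idle timeout (absent fails).
BASELINE: List[Rule] = [
    Rule("SSH-001", "permitrootlogin", "Root login over SSH is disabled",
         lambda v: v == "no"),
    Rule("SSH-002", "permitemptypasswords", "Empty passwords are rejected",
         lambda v: v == "no"),
    Rule("SSH-003", "x11forwarding", "X11 forwarding is disabled",
         lambda v: v is None or v == "no"),
    Rule("SSH-004", "clientaliveinterval", "Idle sessions time out within 600 s",
         lambda v: v is not None and v.isdigit() and 0 < int(v) <= 600),
]
# Constructed documented exception: why, who approved it, and until when.
WAIVERS: List[Waiver] = [
    Waiver("SSH-003", "Legacy GUI admin tool needs X11 forwarding",
           "ISSO", date(2025, 6, 30)),
]

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map keyword -> value, keeping the first occurrence as sshd does."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def evaluate(settings: Dict[str, str], baseline: List[Rule],
             waivers: List[Waiver], today: date) -> List[Finding]:
    """Failing rule + current waiver -> waived; expired waiver -> fail."""
    waiver_for = {w.rule_id: w for w in waivers}
    findings: List[Finding] = []
    for rule in baseline:
        observed = settings.get(rule.keyword)
        if rule.check(observed):
            findings.append(Finding(rule.rule_id, "pass", observed, rule.description))
            continue
        waiver = waiver_for.get(rule.rule_id)
        if waiver is not None and waiver.expires >= today:
            note = f"{waiver.justification}; approved by {waiver.approved_by} until {waiver.expires}"
            findings.append(Finding(rule.rule_id, "waived", observed, note))
        else:
            note = rule.description if waiver is None else f"waiver expired {waiver.expires}"
            findings.append(Finding(rule.rule_id, "fail", observed, note))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"pass": 0, "fail": 0, "waived": 0}  # headline numbers for a report
    for f in findings:
        counts[f.status] += 1
    return counts

if __name__ == "__main__":
    for f in evaluate(parse_sshd_config(SAMPLE_SSHD_CONFIG), BASELINE, WAIVERS, AS_OF):
        print(f"{f.rule_id} {f.status:<6} observed={f.observed!r}  {f.note}")
```

Run as a script it prints one line per rule; with the sample above, SSH-001 and SSH-004 fail, SSH-002 passes, and SSH-003 is reported as waived with its justification, approver, and expiry, which is exactly the audit evidence the text says administrators otherwise assemble by hand. In a real deployment the baseline would be generated from the published STIG content and the snapshot collected by an agent, but the comparison and exception logic stay the same.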
Mitigating security risks is one of the most important tasks IT and network administrators undertake. It’s also one of the most complex, time-consuming, and costly—particularly as it relates to compliance. This is where automation can really shine—helping the entire federal IT team achieve compliance and deliver compliance reporting while lightening their load.
Read the full GCN article here.