For decades, the federal government has been hamstrung in its efforts to adopt new IT systems by the glacial pace of RMF accredi-tation and the manual processes required to secure any system connected to the outside world from security risks and inherent vulner-abilities.
Streamlining this process, however, could dramatically reshape government operations and allow for shorter-duration projects that advance the cause of government IT modern-ization much more quickly – including moves to the Cloud.
With government IT modernization initia-tives stimulating new legislation and increas-ing funding opportunities, it is even more crit-ical to address a significant and continuous drag on the system: the painstaking process of securing the system to the specifications of the Defense Information Systems Agency, a support agency for the Department of Defense (DoD).
As part of this process, systems must be hardened to standard Security Technical Im-plementation Guide (STIG) benchmarks. The STIGs provide configuration specifications for operating systems, database management systems, web servers and weapon system used by government agencies.
The problem is STIGs are long and detailed. Often containing hundreds of pages, adher-ing to or upgrading software or systems to a particular STIG has been a highly specialized manual process that can take many months to accomplish. In addition to the significant time involved, it requires well-trained engi-neers that are skilled in the technical system, operating system policies and security guid-ance.
This task adds to implementation costs and can add years before an Authorization to Op-erate (ATO) is issued. The task is so tedious and painstaking, and there is such a shortage of STIG experts, that it often prevents agencies from pursuing modernization projects.
“With modernization, the government is spending a lot of money upfront, but they don’t get any benefit until someone can ac-tually use the new technology in production,” says Brian Hajost, president of SteelCloud and an expert in automated STIG compliance. “One of the things that must get done is the system must be ‘hardened’ and it has to be ac-credited through the RMF process before an ATO is possible.”
IT modernization projects for government agencies comes in many forms. Information may be consolidated into a single, shared data center or new applications moved to a differ-ent infrastructure. Increasingly, due to the government’s Cloud Smart program as well as security guidelines outlined by FedRAMP, modernization projects involve moving to the commercial cloud. The advantages for government are moving to a more agile and accessible system that can be accessed anywhere and does not require complex on-prem-ise networks.
According to Hajost, however, the difference between deploying an application in the Cloud and a traditional data center is insignificant, at least as it relates to security hardening.
“Moving to the cloud is supposed to be rel-atively quick and easy, but addressing system security in the cloud is no faster or easier than it is for an on-premise environment,” explains Hajost. “In our world, it isn’t much different than if an application moved from one data center to another, or the application is moved from a data center to the Cloud.”
Hajost says that even considering the slow pace of it, most still underestimate the ex-pertise and time required, particularly when moving to the Cloud. A shortage of trained personnel impacts the ability to modernize, a shortage that is even more acute in classified environments.
“In a classified environment you need to hire someone with five years of information assur-ance (IA) that has a TS/SCI security clear-ance,” says Hajost. “If you put out an ad, you wouldn’t get one person applying for that job in six months. There just aren’t many around.”
Instead, settle for staff that are multi-task-ing from other disciplines and specialties that have little to no STIG experience.
“Even with competent, trained people, [manually handling the STIGs]is a slow pro-cess,” says Hajost. “If you use people that know nothing about the STIGs, it goes really, really slowly.”
Fortunately, new automated software tools are eliminating months from the RMF accred-itation process by virtually eliminating the time of the initial hardening effort while also providing the required documentation for RMF accreditation.
“With a software tool that can automate the process, you can take someone that is com-petent in some other aspect of IT and re-skill them to handle the STIGs in a few weeks and shave months off your project time,” explains Hajost.
Fortunately, there are new STIG automa-tions tools that can quickly identify any conflicts that an application will run into in a hardened environment.
Products such as ConfigOS from SteelCloud identify and harden all controls considered a potential security risk. As outlined in the STIGs, risks are categorized into three levels (1/2/3) with Category 1 being the most severe and having the highest priority.
The software then produces a domain-in-dependent comprehensive policy “signature” including user-defined documentation and STIG policy waivers. In this step alone, weeks, or months of manual work can be completed in an hour.
The signature and documentation are in-cluded in a secure, encrypted signature that is used to scan endpoints (laptops, desktops, physical/cloud servers) without being in-stalled on any of them. The time it takes to remediate hundreds of STIG controls on each endpoint is typically under 90 seconds and ConfigOS executes multiple remediations at a time.
The encrypted signature can then be trans-ported across large and small networks, classified environments, labs, disconnected networks, and tactical environments with connected and disconnected endpoints. No other changes are required to the network, security and no software is installed on any endpoints.
To date, ConfigOS has been licensed by just about every branch of the Department of Defense, as well as parts of DHS, HHS, and Depart-ment of Energy. The product is also used by large defense contractors and in programs for all branches of the mili-tary.
In addition to resolving is-sues proactively at much less cost and time, the software also provides the required documentation for RMF ac-creditation. This can elim-inate months from what is typically a 6 to 12-month process to further speed time to production.
The STIGs are updated and evolve as well.
With a new update every 90 days, automated STIG remediation software accommodates for changes in the requirements. Two business days after DISA publishes a new version of the STIGs, new production signatures are tested and made available to customers.
“New security updates are introduced peri-odically to account for newly discovered vul-nerabilities as well as changes and updates to by the vendors supplying the major operating environment components,” explains Hajost.
According to Hajost, removing this signifi-cant impediment to project completion has a greater benefit than just allowing for modern-ization.
“The greater benefit is the capacity to modernize is greatly expanded,” explains Hajost. “Modernization shouldn’t be once every 10 years – it should be a contin-ual process. So, if automat-ing security compliance al-lows you to move faster, you might be able to move more than a few systems to the cloud in the next year, maybe it can be seven or eight,” says Hajost.
“Then once you can mod-ernize more, then you get to reap the benefits, which in-cludes greater agility, more consolidated in-formation, better access to information – with better security overall,” adds Hajost.