An A-B-C Approach to Security Compliance Challenges
When it comes to enhancing their cybersecurity postures, federal agencies have to wade through an entire alphabet soup of regulatory compliance guidelines. From the RMF (Risk Management Framework) to FISMA (Federal Information Security Management Act) and DISA STIGs (Defense Information Systems Agency Security Technical Implementation Guides), there are a number of requirements that agencies must implement to satisfy the government’s definition of a secure environment.
Ensuring that an agency is in compliance with all of these various standards can be a job in itself. As such, federal IT professionals must incorporate strategies and solutions that make it easier for them to meet their compliance needs.
The best strategy is to attack the challenge on three fronts. First, government IT professionals must proactively and continuously monitor and assess network configurations to ensure that they remain in compliance with government standards. Second, they must be able to easily report on their compliance status at any given time. Third, they must be able to do all of this while continuing to beef up their networks with rock-solid security, and be prepared to quickly remediate potential issues as they arise.
Let’s take a look at a simple A-B-C strategic approach that federal IT professionals can implement to address each of these points.
A-utomate network configurations
One of the things agencies must do to remain in compliance with the RMF, DISA STIGs, and FISMA is monitor and manage their network configuration statuses. However, doing this manually is a non-starter, due to the complex nature of most federal IT networks and the time constraints involved in managing those environments.
Automating network configuration management (NCM) processes can make it much easier to ensure compliance with key government mandates. Device configurations should be backed up and restored automatically, and alerts should be set up to advise administrators whenever an unauthorized change occurs. NCM can also be used to easily make and track wholesale configuration changes across the entire network.
B-e on top of reporting
Indeed, maintaining compliance involves a great deal of tracking and reporting. For example, one of the steps in the RMF focuses on monitoring the security state of the system and continually tracking changes that may impact security controls. Likewise, FISMA calls for extensive documentation and reporting at regular intervals, along with occasional onsite audits. Thus, it is important that agencies have easily consumable and verifiable information at the ready.
Administrators’ NCM process should incorporate industry-standard reporting that documents virtually every phase of network management that could impact an agency’s good standing. These reports should include details on configuration changes, policy compliance, security, and more. They should be easily readable, shareable, and exportable, and include all relevant details to show that an agency remains in compliance with government standards.
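The two points above, automated detection of unauthorized configuration changes and an exportable compliance report, can be illustrated in a few lines. The following is an added example and is not SolarWinds NCM code: each device has a golden baseline backup whose normalized SHA-256 is stored; the running config is fingerprinted and compared, a change counts as authorized only when an approved change record names that device and the resulting hash, and the findings are exported as CSV (summary) and JSON (full diff for auditors). The device names, configurations, and the approved-change record format are all constructed for illustration.

```python
"""Added example (not SolarWinds NCM code): detect configuration drift
against a golden baseline and emit an exportable compliance report.

Device names, configs and change records below are constructed for
illustration; the "approved change" record format is an assumption,
not a real NCM schema.
"""
import csv
import difflib
import hashlib
import io
import json
from dataclasses import dataclass, asdict, field
from typing import Optional


def normalize(config: str) -> str:
    """Strip blank lines and trailing whitespace so cosmetic edits do not alert."""
    return "\n".join(l.rstrip() for l in config.splitlines() if l.strip())


def fingerprint(config: str) -> str:
    """SHA-256 of the normalized config; stored alongside the baseline backup."""
    return hashlib.sha256(normalize(config).encode()).hexdigest()


@dataclass
class Finding:
    device: str
    status: str                   # compliant | authorized-change | UNAUTHORIZED-CHANGE
    baseline_sha256: str
    current_sha256: str
    change_id: Optional[str]
    diff: list = field(default_factory=list)


def assess(device: str, baseline: str, current: str, approved: list) -> Finding:
    """Compare the running config to the baseline. A change is authorized only
    if an approved change record names this device and the resulting hash."""
    b, c = fingerprint(baseline), fingerprint(current)
    if b == c:
        return Finding(device, "compliant", b, c, None)
    diff = list(difflib.unified_diff(
        normalize(baseline).splitlines(), normalize(current).splitlines(),
        fromfile="baseline", tofile="running", lineterm="", n=0))
    ticket = next((t["id"] for t in approved
                   if t["device"] == device and t["expected_sha256"] == c), None)
    status = "authorized-change" if ticket else "UNAUTHORIZED-CHANGE"
    return Finding(device, status, b, c, ticket, diff)


def report_csv(findings: list) -> str:
    """Flat, shareable summary: one row per device, diff omitted."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["device", "status", "change_id",
                                        "baseline_sha256", "current_sha256"])
    w.writeheader()
    for f in findings:
        row = asdict(f)
        row.pop("diff")
        w.writerow(row)
    return buf.getvalue()


def report_json(findings: list) -> str:
    """Full detail including the unified diff, for auditors."""
    return json.dumps([asdict(f) for f in findings], indent=2)


# --- constructed sample data ------------------------------------------------
BASELINE = {
    "core-sw-01": "hostname core-sw-01\nntp server 10.0.0.1\n",
    "edge-rtr-01": "hostname edge-rtr-01\nlogging host 10.0.0.2\n",
    "dmz-fw-01": "hostname dmz-fw-01\nno ip http server\nntp server 10.0.0.1\n",
}
RUNNING = {
    "core-sw-01": "hostname core-sw-01\n\nntp server 10.0.0.1   \n",      # cosmetic only
    "edge-rtr-01": "hostname edge-rtr-01\nlogging host 10.0.0.2\nlogging host 10.0.0.3\n",
    "dmz-fw-01": "hostname dmz-fw-01\nip http server\nntp server 10.0.0.1\n",  # no ticket
}
APPROVED_CHANGES = [  # constructed; the post-change hash is recorded at approval time
    {"id": "CHG-0042", "device": "edge-rtr-01",
     "expected_sha256": fingerprint(RUNNING["edge-rtr-01"])},
]


def run_assessment() -> dict:
    """Assess every baselined device; returns {device: Finding}."""
    return {d: assess(d, BASELINE[d], RUNNING[d], APPROVED_CHANGES) for d in BASELINE}


if __name__ == "__main__":
    findings = list(run_assessment().values())
    print(report_csv(findings))
    print(report_json(findings))
```

Normalizing before hashing keeps whitespace-only edits from paging an administrator, while the unauthorized change (the firewall's HTTP server being re-enabled with no approved record) surfaces with its exact diff in the JSON report.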
C-atch suspicious activity and automate patches
Agency IT administrators should also incorporate log and event management (LEM) to strengthen their security postures. Like a watchdog, LEM is always on alert for suspicious activity, and can notify administrators when a potentially malicious threat is detected. The system can be set to automatically respond to the threat in an appropriate manner, whether that is by blocking an IP address or a specific user, or by stopping services. Remediation can be performed in real time, thereby inhibiting potential hazards before they can inflict damage.
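A minimal version of the correlation a LEM performs, as an added example that is not SolarWinds LEM code: the rule reads sshd log lines, raises a high-severity alert when one source address fails authentication a threshold number of times inside a sliding window, and escalates to critical if a login from that same source then succeeds. The `action` field is a recommendation recorded for the responder (block the source, disable the account), not an executed response. The log lines, hostnames, and addresses (from the RFC 5737 documentation ranges) are constructed.

```python
"""Added example (not SolarWinds LEM code): threshold-and-window correlation
over constructed sshd log lines. Alerts carry a recommended action; nothing
here blocks anything.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the standard OpenSSH password auth result lines (constructed format
# below uses an ISO timestamp prefix; adjust the ts group for real syslog).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse(line: str):
    """Return an event dict for a matching line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, threshold: int = 5, window=timedelta(minutes=2)) -> list:
    """Sliding-window brute-force rule with success-after-failure escalation."""
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    alerts = []
    for ev in filter(None, map(parse, lines)):
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:             # fire once as the threshold is crossed
                alerts.append({"ts": ev["ts"].isoformat(), "severity": "high",
                               "rule": "ssh-bruteforce", "host": ev["host"],
                               "ip": ev["ip"], "count": len(q),
                               "action": "block-source-ip"})
        else:
            if len(q) >= threshold:             # success right after a burst of failures
                alerts.append({"ts": ev["ts"].isoformat(), "severity": "critical",
                               "rule": "success-after-bruteforce", "host": ev["host"],
                               "ip": ev["ip"], "user": ev["user"],
                               "action": "disable-user-and-block-source-ip"})
            q.clear()                           # a success ends the failure run
    return alerts


SAMPLE_LOG = [  # constructed sample; addresses are RFC 5737 documentation ranges
    "2017-05-01T10:00:00 bastion-01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51020 ssh2",
    "2017-05-01T10:00:10 bastion-01 sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 51021 ssh2",
    "2017-05-01T10:00:20 bastion-01 sshd[2203]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "2017-05-01T10:00:30 bastion-01 sshd[2204]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "2017-05-01T10:00:40 bastion-01 sshd[2205]: Failed password for svc-backup from 203.0.113.7 port 51024 ssh2",
    "2017-05-01T10:00:50 bastion-01 sshd[2206]: Failed password for svc-backup from 203.0.113.7 port 51025 ssh2",
    "2017-05-01T10:01:00 bastion-01 sshd[2207]: Accepted password for svc-backup from 203.0.113.7 port 51026 ssh2",
    "2017-05-01T10:01:05 bastion-01 sshd[2208]: Failed password for ops from 198.51.100.9 port 40010 ssh2",
    "2017-05-01T10:01:07 bastion-01 sshd[2209]: Accepted password for ops from 198.51.100.9 port 40011 ssh2",
    "2017-05-01T10:01:30 bastion-01 sshd[2210]: Accepted publickey for deploy from 192.0.2.5 port 33000 ssh2",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The single mistyped password from 198.51.100.9 stays below the threshold and the public-key login does not match the rule at all, so only the burst from 203.0.113.7 produces alerts: one when the fifth failure lands, and a critical one when the following login succeeds.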
Implementing automated patch management is another great way to make sure that network technologies remain available, secure, and up to date. Unpatched software continues to be one of the main security threats to organizations. Agencies must stay on top of their patch management to combat threats and help maintain compliance. The best way to do this is to manage patches from a centralized dashboard that shows potential vulnerabilities and allows fixes to be quickly applied to solutions across the network. It is a simple yet powerful solution that allows agencies to decrease security risks, limit interruptions, and stay within the federal government’s good graces.
Following the guidelines set forth by DISA, NIST (National Institute of Standards and Technology), and the rest of the government’s acronyms can be a tricky and complicated process, but it does not have to be that way. By implementing and adhering to these recommended procedures, government IT professionals can wade through the alphabet soup while staying within these guidelines and upping their security game.
By Joe Kim, Senior Vice President and Global Chief Technology Officer, SolarWinds
© 2017 SolarWinds Worldwide, LLC. All rights reserved.