Page 127 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018

Using the signature, scanning, remediation and compliance reporting are accomplished in about a minute.
            Because STIGs are updated roughly every 90 days, the software also simplifies keeping systems that are
            already in production current with the latest release.

            The product has already been licensed by most of the largest defense contractors, as well as agencies
            within the DoD and DHS.

            “You basically have to mold these controls, and there are hundreds of them, around your application
            stack,” says Hajost.  “Essentially you have to figure out what will ‘break’ the application and correct the
            control – and software can automate that process.”

Hajost says the DoD will not even authorize the issuance of an authority to operate (ATO) for a system with
            an unmitigated CAT 1 vulnerability, for example, except under extreme and rare circumstances.  This
            can mean sending a project back into development to address the issue.
“Now a ‘fix’ that would have cost $500 in the initial development can cost the government many thousands
            of dollars,” says Hajost, adding that this is the primary reason to address STIG hardening as early in the
            DevOps process as possible, even before accreditation.  “We estimate CAT 1s cost the government and
            the DoD thousands of dollars, per application, per year to maintain.”

            As for CAT 2 and CAT 3 controls, they must also be hardened, or – if there is a reason the risk might not
            apply – waiver requests must be submitted for review and acceptance by accrediting authorities.
“We have seen examples where developers have even said, ‘we're just going to waiver all the CAT 3s
            because we don’t have the time or money to detect and remediate them,’” explains Hajost.

However, with the speed of automated identification and remediation, more time can be shaved off
            timelines by keeping waiver requests to a minimum.

            “If you can use software to address all the CAT 2 and CAT 3 controls automatically in a very short period
            of time, you can reduce the number of waivers to the absolute minimum required.  This saves on costs,
            reduces the amount of documentation and ultimately speeds certification.”
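As an added illustration of the scan, remediate and report loop described above (example code written for this
            page, not the vendor's product, and using hypothetical control identifiers and assumed severity categories
            rather than real STIG IDs), the following Python runs a handful of sshd_config checks over a constructed
            sample file. Controls placed on an exception list model the ones that would "break" the application and so
            are held back from automatic remediation; they are exactly the findings that end up on the waiver list.

```python
"""Minimal STIG-style scan / remediate / report loop over an sshd_config text.

Added example, not the software described on the page. Control identifiers
(C-1..C-4), their categories and the sample file are assumptions chosen for
illustration only; they are not real STIG vulnerability IDs.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: an sshd_config that fails every check below.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not taken from a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
Ciphers aes256-ctr,aes128-cbc
"""


@dataclass(frozen=True)
class Control:
    ident: str      # hypothetical identifier, not a real STIG V-ID
    cat: int        # 1 = CAT I (most severe), 2 = CAT II, 3 = CAT III (assumed)
    keyword: str    # sshd_config directive being checked
    required: str   # value the control requires


# Assumed control set; categories are illustrative, not quoted from any STIG.
CONTROLS = [
    Control("C-1", 1, "PermitRootLogin", "no"),
    Control("C-2", 2, "PasswordAuthentication", "no"),
    Control("C-3", 2, "Ciphers", "aes256-ctr,aes192-ctr,aes128-ctr"),
    Control("C-4", 3, "X11Forwarding", "no"),
]


def get_value(cfg: str, keyword: str) -> Optional[str]:
    """First value set for keyword (sshd uses the first match); comments ignored."""
    for line in cfg.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == keyword.lower():
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def is_compliant(cfg: str, control: Control) -> bool:
    value = get_value(cfg, control.keyword)
    return value is not None and value.lower() == control.required.lower()


def set_value(cfg: str, keyword: str, value: str) -> str:
    """Rewrite the first occurrence of a directive in place, or append it."""
    out, done = [], False
    for line in cfg.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if (not done and stripped
                and stripped.split(None, 1)[0].lower() == keyword.lower()):
            out.append(f"{keyword} {value}")
            done = True
        else:
            out.append(line)
    if not done:
        out.append(f"{keyword} {value}")
    return "\n".join(out) + "\n"


def scan(cfg: str, controls=CONTROLS) -> list:
    """Identifiers of open (non-compliant) controls, in control order."""
    return [c.ident for c in controls if not is_compliant(cfg, c)]


def remediate(cfg: str, controls=CONTROLS, exceptions=frozenset()):
    """Apply every fix except the excepted ones; return (new_cfg, fixed_ids)."""
    fixed = []
    for c in controls:
        if c.ident in exceptions or is_compliant(cfg, c):
            continue
        cfg = set_value(cfg, c.keyword, c.required)
        fixed.append(c.ident)
    return cfg, fixed


def report(cfg: str, controls=CONTROLS) -> dict:
    """Open findings by category: an open CAT I blocks the ATO, the rest need waivers."""
    open_by_cat = {1: [], 2: [], 3: []}
    for c in controls:
        if not is_compliant(cfg, c):
            open_by_cat[c.cat].append(c.ident)
    return {
        "open_by_cat": open_by_cat,
        "ato_blocked": bool(open_by_cat[1]),
        "waivers_needed": open_by_cat[2] + open_by_cat[3],
    }


if __name__ == "__main__":
    print("before:", report(SAMPLE_SSHD_CONFIG))
    # C-2 is held back: the hypothetical application still needs password auth.
    hardened, fixed = remediate(SAMPLE_SSHD_CONFIG, exceptions={"C-2"})
    print("fixed:", fixed)
    print("after:", report(hardened))
```

            The report separates the two outcomes the article cares about: any open CAT I means no ATO, while every
            open CAT II or CAT III left after automation is a waiver the accrediting authority has to review, so the
            exception list should stay as short as the application allows.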

While many in government accept long delays as a fact of life, shaving months from the RMF
            accreditation process ultimately speeds the implementation of weaponry, communication and other systems.
            With this in mind, defense contractors and other technology providers should consider hardening systems in the
            accreditation phase and, when possible, even during initial development.