The Joy of Open, Agile Government Security Compliance

fen

The goal of compliance frameworks like HIPPA, SOX and FISMA is to ensure that basic security controls are met. The Federal government and an increasing number of state and local governments look to NIST’s Risk Management Framework (RMF) as the baseline for compliance management.

Because RMF is rooted in static, waterfall methods and most of compliance is obtained through voluminous Word docs and screenshots, a system’s compliance officer may spend more of their time writing and uploading documentation than ensuring actual security in an agile and ever-changing threat landscape.

Learn how you can turn a cumbersome, soul-sucking security process into one filled with joy!

First, we’ll inherit common controls as made available by (e.g.) FedRAMP systems we build on. Then we’ll create a library of publicly shareable and easily reusable system element components. DevOps? We’ll integrate component updates and management into the CI pipeline.

Finally, as documentation (really) sucks the soul, we’ll automate the creation of properly formatted MS Word docs - required by the cultural status quo - from the updated git and S3 artifact repositories. We’ll also touch on how free/libre data formats and protocols are necessary to support viable continuous monitoring as application boundaries vary wildly and threat landscapes change too rapidly to rely on black-box proprietary agents to fully monitor.

By bringing agile, open practices to compliance, security can be enjoyable for everyone.

Some links from this talk:

https://civicactions.com
https://github.com/CivicActions
https://github.com/opencontrol
https://github.com/usnistgov/OSCAL
https://github.com/GovReady/hyperGRC
https://github.com/uscensusbureau/fismatic
https://github.com/ComplianceAsCode/drupal
https://nvd.nist.gov/800-53/Rev4
https://www.agilegovleaders.org

https://www.drupalgovcon.org/2019/program/sessions/joy-open-agile-government-security-compliance