Holding confidential records of over 20 million people, this large U.S. Federal Government agency must comply to a number of privacy, cyber security, and compliance mandates. One of the most important regulations is the Federal Information Security Act (FISMA) – a law stating that each agency must demonstrate that all the IT systems meet cyber policy and security standards. Compliance is assessed via an Assessment and Authorization (A&A) process, after which authority to operate (ATO) is achieved.
Before becoming a customer of RiskVision – now a Resolver company – the agency used a home-grown tool for compliance reporting and a commercial tool for cyber security posture monitoring. Due to a rapidly growing number of assets and increasing complexity of the environment, the agency struggled with systems scalability, operational efficiency and data accuracy, eventually leading to a failure to comply with the FISMA requirements.
The operational efficiency issues stemmed specifically from the inefficiency of their A&A processes. According to FISMA requirements, every online system must maintain an Authority to Operate (ATO) and FISMA system owners must renew their ATOs for every major system change. What this meant for the agency was a manual process to continuously gather and process millions of check results generated by third-party security monitoring tools.
While managing the masses of data produced in the A&A process became a challenge, the main problem with the agency’s approach was understanding the real meaning of the collected data and correlating it to the organization’s compliance posture. The lack of closed-loop, automated remediation essentially made most of the data unusable because by the time the data was processed and analyzed, it was no longer actionable. All time and money spent collecting it was wasted. As a result, completing each ATO was an extremely labor- and time-intensive process, affecting the agency’s ability to meet their audit deadlines.
The agency was also challenged in accurately reporting the data with its existing tools, to the point where it failed to achieve the data accuracy standards expected by auditors.
After extensive technology evaluations, the agency selected Resolver’s IT Risk & Compliance platform to streamline and automate the process of ensuring continuous compliance with all applicable federal regulations and to improve reporting. The Resolver platform transforms the assessment from a once-a-year event to a continuous process that involves stakeholders as needed, assesses the effectiveness of compensating controls according to risks, minimizes the chances of human error, and eliminates redundancies and frustration.
The agency uses Resolver’s control mapping functionality to cross-verify controls between multiple frameworks, control sets and reporting such as FISMA and NIST SP 800-53. The solution efficiently addresses similar regulatory requirements across the variety of standards and allows organizations to respond to each of the controls only once, and to reuse the response where applicable.
The system is easy to use and is flexible enough to address the needs of hundreds of task owners and stakeholders, the growing size and complexity of the environment, and the ever-changing landscape of regulations and frameworks. It provides real-time detection of compliance.
After deploying Resolver’s software, the agency saw significant cost and time savings as quickly as 6 months in. Rather than collecting data generated by over a million data collection points, the system owners now gather and store only highly relevant information and can attend to high-risk issues in a timely manner.
The agency can also now achieve continuous compliance. The department’s personnel no longer need to manually compile audit paperwork when preparing for audit events. The RiskVision platform produces a detailed paper trail of mitigation history. Reports can be easily generated on demand for any stakeholder group, with the level of detail that meets or exceeds all FISMA audit requirements.
Lastly, the RiskVision platform fully addressed all scalability concerns that caused so many problems in the past. The agency manages over a million network assets with this platform and is able to continuously evaluate configuration and vulnerability data to meet FISMA, NIST SP 800-53 and internal reporting requirements.