Information Security

How a U.S. Government Agency achieves continuous compliance with FISMA requirements


The operational challenges that caused compliance failure

Before becoming a customer of RiskVision – now a Resolver company – the agency used a home-grown tool for compliance reporting and a commercial tool for cyber security posture monitoring. Due to a rapidly growing number of assets and increasing complexity of the environment, the agency struggled with systems scalability, operational efficiency and data accuracy, eventually leading to a failure to comply with the FISMA requirements.

The operational efficiency issues stemmed specifically from the inefficiency of their A&A processes. According to FISMA requirements, every online system must maintain an Authority to Operate (ATO) and FISMA system owners must renew their ATOs for every major system change. What this meant for the agency was a manual process to continuously gather and process millions of check results generated by third-party security monitoring tools.

While managing the masses of data produced in the A&A process became a challenge, the main problem with the agency’s approach was understanding the real meaning of the collected data and correlating it to the organization’s compliance posture. The lack of closed-loop, automated remediation essentially made most of the data unusable because by the time the data was processed and analyzed, it was no longer actionable. All time and money spent collecting it was wasted. As a result, completing each ATO was an extremely labor- and time-intensive process, affecting the agency’s ability to meet their audit deadlines.

The agency was also challenged in accurately reporting the data with its existing tools, to the point where it failed to achieve the data accuracy standards expected by auditors.

Deploying one of the largest compliance automation programs in the world

After extensive technology evaluations, the agency selected Resolver’s IT Risk & Compliance platform to streamline and automate the process of ensuring continuous compliance with all applicable federal regulations and to improve reporting. The Resolver platform transforms the assessment from a once-a-year event to a continuous process that involves stakeholders as needed, assesses the effectiveness of compensating controls according to risks, minimizes the chances of human error, and eliminates redundancies and frustration.

The agency uses Resolver’s control mapping functionality to cross-verify controls between multiple frameworks, control sets and reporting requirements, such as FISMA and NIST SP 800-53. The solution efficiently addresses overlapping regulatory requirements across the variety of standards and allows organizations to respond to each control only once and reuse the response wherever it applies.

The system is easy to use and is flexible enough to address the needs of hundreds of task owners and stakeholders, the growing size and complexity of the environment, and the ever-changing landscape of regulations and frameworks. It provides real-time visibility into compliance status.

Achieving continuous compliance and much more

After deploying Resolver’s software, the agency saw significant cost and time savings within 6 months. Rather than collecting data generated by over a million data collection points, the system owners now gather and store only highly relevant information and can attend to high-risk issues in a timely manner.

The agency can also now achieve continuous compliance. The department’s personnel no longer need to manually compile audit paperwork when preparing for audit events. The RiskVision platform produces a detailed paper trail of mitigation history. Reports can be easily generated on demand for any stakeholder group, with the level of detail that meets or exceeds all FISMA audit requirements.

Lastly, the RiskVision platform fully addressed all scalability concerns that caused so many problems in the past. The agency manages over a million network assets with this platform and is able to continuously evaluate configuration and vulnerability data to meet FISMA, NIST SP 800-53 and internal reporting requirements.

Summary of Benefits for the U.S. Federal Government Agency

  • Regained congressional confidence in its ability to maintain a compliant and secure information technology infrastructure.
  • Successfully deployed the largest compliance automation program in the world, with 67M control checks across 1M+ assets.
  • Gained a timelier and more accurate picture of compliance and risk posture across multiple government regulatory frameworks.
  • Automated manual tasks, such as the generation of reports, which used to take days to complete.
  • Automated POAM workflows ensure that high-risk control failures get remediated or mitigated in a timely manner.
