Red Hat blog
Supply chain disruptions, intellectual property theft and the rising cost of data breaches are among the top reasons for a drastic increase in global focus on cybersecurity compliance.
Regulated industries face more stringent requirements, and some organizations now require third-party assessments instead of using internal teams to verify compliance with cybersecurity frameworks. Non-regulated industries can also leverage the same standards in order to reduce their security risk. Compliance automation is increasingly important to manage the growing burden that security teams face.
Why automate compliance in the first place?
Data breaches are expensive. Various reports indicate average costs for a data breach is in the millions, and security teams are already overwhelmed and understaffed. This is a strong call for using automation to help with compliance initiatives.
Due to understaffing and tight labor markets, the most sensible means to advance your compliance initiatives is through the use of automation. Automating compliance is a key component of managing the work and reducing risk. The open source project Compliance as Code offers tools to help with this. Security automation content is available in SCAP, Bash, Ansible and other formats to help with verifying required system configurations and remediating when necessary.
About Compliance as Code
The Compliance as Code organization on GitHub is a Red Hat originated project that spawned from the collaboration of government agencies and commercial vendors to make Security Content Automation Protocol (SCAP) content more accessible to users. Since its inception in 2011, the project has evolved to include commercial security profiles — such as The Payment Card Data Security Standard (PCI-DSS) and Center for Internet Security (CIS), and to accommodate modern automation tooling.
Today, the Compliance as Code project provides general-purpose security content and building tools that commercial vendors can quickly develop and collaborate on. We have used these capabilities to deliver customer value through automated compliance solutions. However, compliance reporting can pose a challenge due to the nature of the reports and process. Ensuring accurate results in a spreadsheet takes time and effort and often duplicates work. Automated report generation can improve the efficiency of this job and get reproducible results into the hands of customers and contributors with less delay.
New approach to compliance reporting
Organizations, especially those in regulated industries, must often attain an Authority to Operate (ATO) to install and use software in their environments. Part of this process is to evaluate the software against a Security Requirements Guide (SRG), which is a set of technical controls such as those found in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.
This evaluation is done to determine whether or not the software meets, does not meet, or can be configured to meet each control, or whether or not the control applies to the particular software. Depending on the determined status, other text-based information may be required.
The evaluators may need to provide manual instructions or code to explain how to verify status. To configure the software to meet a particular control, they may also need to provide the code necessary to reach that configuration. The product of this exercise is a Security Technical Implementation Guide (STIG): a configuration standard consisting of cybersecurity requirements for a specific product.
The development of STIGs, a laborious process, is made more challenging when spreadsheets are involved. The US Defense Information Systems Agency (DISA) provides organizations with spreadsheets containing the security requirements for particular software and all the fields that may or may not need to be completed based on the status of each control, and there can be 100+ controls. Specific challenges an organization could face while working toward completion of that spreadsheet include:
Keeping track of who is doing/has done what
What fields need to be completed based on the determined status of each control
Ensuring correct formatting of content
Red Hat is improving and streamlining Security Requirements Guide (SRG) processing to get Security Technical Implementation Guides (STIGs) to customers faster and more efficiently by automating the STIG generation and verification process.
The Compliance as Code codebase has been enhanced to produce STIG content based on previously vetted checks. The STIG content delivered now inherits the test process that is already done on Compliance as Code content and reduces any errors with automated comma-separated values (CSV) file generation.
The process has started by streamlining SRG processing, but Red Hat does not intend to stop there. Many of the same problems are faced in different groups. To implement holistic solutions, we intend to incorporate frameworks that apply to customers around the globe and that spread across industries. Compliance as Code is a home for collaboration and iteration upon existing solutions to better serve customers and the community.
We have introduced you to Compliance as Code and how Red Hat is helping to make automated compliance reporting accessible to everyone. If you would like to learn more, visit the Compliance as Code content repository and learn more about compliance management here.
About the authors
Andrea Hall is a problem solver and security compliance enthusiast, working across the organization to create efficiencies. Andrea joined Red Hat as a Solution Architect in 2019 and moved to Product Security in 2022. Her prior experience includes social work, entrepreneurship, digital forensics, and cyber intelligence analysis. She currently resides in Maryland with her husband and two teenage children, and is current pursuing a Graduate Certificate in Strategic Management.
Jennifer Power joined Red Hat in 2021 as a Solution Architect for the North America Public Sector. She brings over eight years of experience working in IT services for the public sector and has a Bachelor’s degree in Computer Science from Old Dominion University. Jennifer is passionate about learning new technologies and is focused on contributing to the open source community to benefit the public sector and regulated industries.