Compliance as Code: Extending compliance automation for process improvement

Supply chain disruptions, intellectual property theft and the rising cost of data breaches are among the top reasons for a drastic increase in global focus on cybersecurity compliance. 

Regulated industries face more stringent requirements, and some organizations now require third-party assessments instead of using internal teams to verify compliance with cybersecurity frameworks. Non-regulated industries can also leverage the same standards in order to reduce their security risk. Compliance automation is increasingly important to manage the growing burden that security teams face.

Why automate compliance in the first place?

Data breaches are expensive. Various reports indicate average costs for a data breach is in the millions, and security teams are already overwhelmed and understaffed. This is a strong call for using automation to help with compliance initiatives.

Due to understaffing and tight labor markets, the most sensible means to advance your compliance initiatives is through the use of automation. Automating compliance is a key component of managing the work and reducing risk. The open source project Compliance as Code offers tools to help with this. Security automation content is available in SCAP, Bash, Ansible and other formats to help with verifying required system configurations and remediating when necessary.

About Compliance as Code

The Compliance as Code organization on GitHub is a Red Hat originated project that spawned from the collaboration of government agencies and commercial vendors to make Security Content Automation Protocol (SCAP) content more accessible to users. Since its inception in 2011, the project has evolved to include commercial security profiles — such as The Payment Card Data Security Standard (PCI-DSS) and Center for Internet Security (CIS), and to accommodate modern automation tooling.

Today, the Compliance as Code project provides general-purpose security content and building tools that commercial vendors can quickly develop and collaborate on. We have used these capabilities to deliver customer value through automated compliance solutions. However, compliance reporting can pose a challenge due to the nature of the reports and process. Ensuring accurate results in a spreadsheet takes time and effort and often duplicates work. Automated report generation can improve the efficiency of this job and get reproducible results into the hands of customers and contributors with less delay.

New approach to compliance reporting

Organizations, especially those in regulated industries, must often attain an Authority to Operate (ATO) to install and use software in their environments. Part of this process is to evaluate the software against a Security Requirements Guide (SRG), which is a set of technical controls such as those found in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.

This evaluation is done to determine whether or not the software meets, does not meet, or can be configured to meet each control, or whether or not the control applies to the particular software. Depending on the determined status, other text-based information may be required. 

The evaluators may need to provide manual instructions or code to explain how to verify status. To configure the software to meet a particular control, they may also need to provide the code necessary to reach that configuration. The product of this exercise is a Security Technical Implementation Guide (STIG): a configuration standard consisting of cybersecurity requirements for a specific product.

The development of STIGs, a laborious process, is made more challenging when spreadsheets are involved. The US Defense Information Systems Agency (DISA) provides organizations with spreadsheets containing the security requirements for particular software and all the fields that may or may not need to be completed based on the status of each control, and there can be 100+ controls. Specific challenges an organization could face while working toward completion of that spreadsheet include:

• Keeping track of who is doing/has done what

• What fields need to be completed based on the determined status of each control

• Ensuring correct formatting of content

• Quality assurance

Red Hat is improving and streamlining Security Requirements Guide (SRG) processing to get Security Technical Implementation Guides (STIGs) to customers faster and more efficiently by automating the STIG generation and verification process. 

The Compliance as Code codebase has been enhanced to produce STIG content based on previously vetted checks. The STIG content delivered now inherits the test process that is already done on Compliance as Code content and reduces any errors with automated comma-separated values (CSV) file generation.

The process has started by streamlining SRG processing, but Red Hat does not intend to stop there. Many of the same problems are faced in different groups. To implement holistic solutions, we intend to incorporate frameworks that apply to customers around the globe and that spread across industries. Compliance as Code is a home for collaboration and iteration upon existing solutions to better serve customers and the community.

Learn more

We have introduced you to Compliance as Code and how Red Hat is helping to make automated compliance reporting accessible to everyone. If you would like to learn more, visit the Compliance as Code content repository and learn more about compliance management here.