Automate the ATO Process and Repair Configuration Errors as they Occur

In response to a host of cyberattacks on critical commercial and government systems, the Biden Administration signed an executive order mandating that the federal government improve its cybersecurity defenses. Broken into seven sections, it is a clear directive to strengthen cybersecurity requirements and increase the use of secure cloud services. While NIST and FedRAMP compliance requirements are expected to expand in response, agencies needn’t wait. Whether you are part of a federal, state, or local agency, you can begin automating cybersecurity compliance now.  
  
Traditionally, agencies have struggled with siloed security that lacks real-time visibility. When combined with an IT environment in a constant state of change, it can be challenging to maintain continuous compliance to security controls and configurations, delaying the authority to operate (ATO) that comes from the security authorization process.  

Cloud-based continuous compliance 

According to Gartner, “up to 95% of cloud breaches occur due to human errors such as configuration mistakes.” (For more on this, see our recent article, Avoiding Cloud Configuration Conundrums.) Clearly, despite best efforts, misconfiguration happens.  To overcome this challenge, we offer clients the NTT DATA Trust Acceleration Platform (NTAP). It offers real-time automated security configuration, compliance to controls like NIST 800-53 and remediation to help ensure that configurations remain in their desired, compliant state. 

Shared responsibility model 

Automated remediation 

• Inventories enterprise software and hardware, identifying and managing the correct configuration for each through a “fingerprint” approach. In addition to managing server configurations, IoT devices and employee laptops can be managed for configuration compliance.  
  
  
• Manages configuration compliance using a rules-based management approach across the enterprise information systems landscape, including sub-information systems. Always on monitoring (in agent or agent-less mode) checks against baseline and customized security controls to ensure continuous compliance. These automated checks can ensure compliance to custom security controls, control regimes like FIPS and HIPAA and has built in support for NIST 800-53 and NIST 800-171.  
   
  
• Remediates non-compliant configurations automatically when found. Failed controls can also be reported for manual remediation. In this way, NTAP helps agencies avoid falling victim to breaches that take advantage of system misconfigurations.  
   
  For example, because it can be complicated to set up a properly configured AWS S3 bucket, users often make errors when configuring the service.  The Department of Defense is just one of many organizations that have left their repositories open to the public due to misconfiguration errors. Configuration errors like these can be avoided with NTAP as it identifies the proper configurations for systems like these and helps manage configuration compliance to ensure system security. 
  
  
• Reports a real-time view of system compliance via customizable dashboards. Users can also create comprehensive reports available across roles (e.g. CIO, CISO, ISSO, Auditor, ISM, Sys Admin) showing compliance status. Reporting also supports comprehensive plan of action and milestone (POA&M) management. 
  
  
• Drives real-time ATOs with a Digital System Security Plan (SSP).  
  
   

Gain system confidence  

Knowing that all your systems are in a known good state is invaluable. For example, at NTT DATA we built a cold chain tracking solution. It helps keep the COVID-19 vaccine at a required temperature of minus 18 to minus 70 degrees Celsius as it travels. The solution uses an IoT device equipped with a sensor tag that monitors the temperature of vaccine batches as they travel. NTT DATA created a custom configuration control for the IoT sensors, continuously tracking the sensor’s reported temperature, benchmarking it against the rule for required temperatures. Should the rule threshold be triggered, the system remediates it , ensuring the vaccine remains at the desired temperature. Historically, cold chain reporting was conducted upon arrival – when a shipment had potentially already spoiled. This solution helps prevents spoilage, ensuring more vaccine arrives safely to its destination. 

Move to secure cloud 

The Biden Administration’s executive order requires federal agencies to accelerate their movement to the cloud to take advantage of secure cloud services. And, indeed state and local entities are embracing federal recommendations like this as a best practice to manage risk, moving more and more of their assets to the cloud.   

Taking it one step further, leading agencies are automating the ATO process, achieving continuous configuration and security control compliance. In the process, they free human resources to focus on more strategic risk mitigation activities. While this level of automation can be achieved on-premises, it is most well-suited for the advanced automation enabled by the cloud – further supporting the goals of the executive order to increase the use of secure cloud services. 

Pairing the extreme automation capabilities and security functionality of the cloud with ongoing configuration compliance allows you to build out an automated ATO process that keeps you in continuous control. Interested in learning more? Learn more here about safeguarding agency systems.