Happy Birthday Xacta: Retracing a Robust 20 Year History

Rick Tracy, Hugh Barrett
December 18, 2020 • 5 min read

Despite the challenges this year has brought to many businesses all over the world, we at Telos are taking a moment to pause and celebrate the 20th anniversary of our flagship product, Xacta.

To retrace the steps of Xacta, we have to go back to 1987. The Computer Security Act was established, ushering in the age of information security and triggering a long line of infosec and privacy requirements for the federal government.

One of the requirements that evolved from this legislation was the security risk and compliance process known as Certification and Accreditation, or C&A. We all know it now as Assessment and Authorization (A&A).

During this time, Telos was assisting the U.S. Army with implementing this time-consuming and labor-intensive process, as well as helping them to develop their own C&A standard called AR 380-19.

Over time, we expanded this consulting practice beyond the U.S. Army to help several other federal government organizations satisfy the C&A requirement for their various information systems.

It didn’t take long for us to realize that there were too many systems requiring C&A and not enough people to meet the demand. Additionally, the manual cost of C&A was high and made it financially difficult for many organizations to comply with the C&A process. It was clear that something had to change.

By 1998, we concluded that many of the C&A functions could be automated. From the documentation generation (which was substantially heavy at the time) to executing the numerous security controls’ validation procedures, we started thinking about what an automated system would look like. Graphical representations were created as well as prototype code to solicit feedback from the market. The response was overwhelming, and there was no doubt C&A automation was in demand.

An early graphical representation of the Xacta Web C&A tool.

In August of 2000, we launched the first version of Xacta, and named it Xacta Web C&A. It was a web-based application designed to automate the most labor-intensive and time-consuming aspects of the C&A process. The customer demand was immediate. Within the initial year, we had our first enterprise customer. There was nothing else like Xacta at that time.

In 2002, when the concept of managing security risk and compliance was still very unique, we demonstrated Xacta Web C&A to a prominent industry analyst who later went on to define what is now known as the governance, risk management and compliance (GRC) industry, and who credits Xacta with being the GRC catalyst. This meant that Xacta was commercially viable.

During this same time period, we concluded that the requirement to assess security risk and compliance every three years, as defined by the C&A standards at the time, was not adequate. To keep risk at a minimum and reduce the burden of essentially repeating the C&A process over again every three years, it was important to continually assess IT security risk and compliance before re-accreditation. With this in mind, we began work on new software to automate the continual assessment phase. In 2004, this new capability, now known as continuous monitoring, was launched. In fact, Telos has a number of patents in the area of security risk and compliance, including continuous monitoring functionality. Today, continuous monitoring is not only a critical element of the federal government A&A process but is considered a best practice commercially.

In the years that followed, we continued to advance our products to meet the various demands of the industry, including the adoption of the cloud. Our early advocacy of the cloud, coupled with our extensive security risk and compliance management automation capabilities, resulted in the CIA requesting our help to manage security risk and compliance for their new cloud environments, broadly referred to as C2S (Commercial Cloud Services). C2S was arguably the shot heard around the world with regard to cloud computing and has served to accelerate cloud adoption globally. As a result of this retooling, Xacta now supports on-premises and multi-cloud systems. This case study, which was authored by the CIA, AWS, and Telos, explains how automation provided by Xacta accelerated cloud authorization and adoption. Xacta’s unique cloud capabilities are now in demand commercially and internationally.

As we move into the future, and with the GRC industry projected to double in value by 2025, Telos is uniquely positioned, with both experience and longevity, to meet the ever-increasing demands of security-conscious organizations worldwide. In recent years, the growing global interest in cyber risk management frameworks, paired with increased cloud adoption, has led to significant demand for solutions like Xacta. Today, Xacta serves industries well beyond the federal government, including SaaS vendors, cloud service providers, Fortune 50 financial services organizations, critical infrastructure organizations, international governments, and other highly regulated commercial enterprises.

If you would like to learn more about Xacta, I encourage you to reach out and let us show you why Xacta is the industry leader in cyber risk management and compliance.

Rick Tracy
Senior VP and Chief Security Officer
Rick Tracy is the senior vice president and chief security officer at Telos Corporation. Follow him on Twitter: @rick_tracy