It’s been my pleasure for several years now to speak at the AWS Public Sector Summit on various subjects related to cyber risk management. This year is no different, although I’ll be “taking the stage” virtually from my desk at home. I hope you’ll join me for this on-demand session during the two-day summit April 15-16. I’ll be discussing certain use cases for the Xacta® cyber risk management solution: Cybersecurity Maturity Model Certification (CMMC), information and communications technology supply chain risk management (ICT-SCRM), and the Federal Risk and Authorization Management Program (FedRAMP). Here are highlights of the talk.
Cybersecurity Maturity Model Certification
CMMC is intended to validate that vendors and contractors are conducting the necessary cybersecurity due diligence. Organizations doing business with the U.S. federal government must comply with CMMC at a designated maturity level determined by the type of work, the contract, and the data processed. Organizations that cannot achieve compliance at the specified maturity level are in danger of losing the ability to bid on contracts.
Xacta helps an organization prepare for CMMC by documenting the current state of its systems and prioritizing deficiencies that can be mitigated prior to the CMMC third-party assessment. Leveraging Xacta’s inherent capabilities, organizations can create plans of action and milestones (POAM), assign them to stakeholders, identify funding requirements, and send automated notifications when the prescribed metrics are not achieved.
Preparation is one of the most significant cost mitigations an organization can perform prior to the formal evaluation. Xacta enables the organization to build the CMMC body of evidence (BoE) and automate the generation of audits and documents necessary to prove compliance. Everything from business processes to cloud resource data is captured through the CMMC workflow. And, with Xacta, CMMC reports are continuously updated to show how an organization is staying ahead of vendor risk.
ICT Supply Chain Risk Management
Although ICT-SCRM has been foot-stomped by the information security and cybersecurity community for two decades, the SolarWinds compromise, followed quickly by the zero-day exploits against Exchange Servers, provided a necessary call to action, demonstrating that the software supply chain can be the soft underbelly of many organizations.
Telos has incorporated NIST guidance for ICT-SCRM and the Cybersecurity and Infrastructure Security Agency’s (CISA) SCRM essentials into a set of Xacta SCRM templates that can be used to evaluate an organization and its vendors and suppliers.
Supply chain risk management is no small undertaking. It is complex and requires the collection and management of massive amounts of data. Xacta for SCRM is a simplified tool that walks organizations through each step of the process, explaining the tasks that need to be conducted and the outcomes that help guard against disruptions in the supply chain.
Federal Risk and Authorization Management Program
FedRAMP, the process by which a cloud service provider (CSP) obtains an authorization to sell as-a-service solutions to agencies of the federal government, is much more difficult than many initially think. One ill-conceived notion is that it is a checkbox security process that results in a license to sell throughout the federal government. Many don’t realize the considerable cost and time it takes to get a FedRAMP authorization to operate (ATO) or provisional ATO (P-ATO).
With the appropriate agency sponsorship, which is necessary for an ATO, or prioritization by the Joint Authorization Board (JAB), which is necessary for a P-ATO, Xacta helps organizations streamline the FedRAMP process by providing a simple way to ingest information, automating much of the necessary data collection and testing, and automatically generating the documentation needed for authorization. Of the fifteen documents required for a FedRAMP submission, Xacta can automatically generate thirteen.
It’s been a tough year to say the least, yet our industry has adapted and thrived, in no small part due to the flexibility and resilience of cloud providers like AWS. Don’t miss out on this year’s Public Sector Summit, and while you’re there, I hope you’ll view my on-demand session and visit our virtual booth to learn more about Xacta and other cybersecurity offerings from Telos.