Page 53 - FCW, March/April 2018

                                  COMPLIANCE CHALLENGES
  GAME CHANGING TECHNOLOGY TO MEET AGENCY MISSIONS
REGULATION OVERLOAD
With new and evolving federal mandates, maintaining compliance is a major challenge.

FISMA. FIPS 140-2. FedRAMP. Cloud First. Every year, it seems federal agencies are being asked to comply with more IT-related regulations. While these mandates are critical for smooth, safe, cost-effective government operations, they also can be confusing.

Yet noncompliance isn’t an option. Not only does it result in sanctions against agencies, but avoiding compliance can expose sensitive data to serious risks, disrupt services, and even lead to financial loss. There’s no doubt achieving and maintaining compliance is a complex process, at best. Determining which mandates are critical, which requirements overlap, and how to enforce and maintain compliance is a constant struggle.

Time is another inhibiting factor. In the past, updates to hardware, firmware, and software were released a few times per year. Today, updates are released almost weekly. Every update must not only be implemented, but first verified for compliance with applicable regulations.

Other concerns include lack of personnel, time, and budget. Agencies don’t often have qualified personnel who can both understand the requirements and thoroughly implement them. Many turn to external consultants to help, which can add costs and an additional level of management complexity. And typically, agencies don’t have a budget line item allocated for compliance. It’s up to agencies to carve one out from an existing IT budget—often the maintenance budget—to ensure compliance.

Achieving and maintaining compliance takes much focus, knowledge, time, and hard work. Experts suggest the best way to reach these goals is by automating as much of the process as possible. With the right technology, agencies can automate controls, testing, and schedule compliance scans that will flag issues requiring eventual remediation.

FEDERAL MANDATES AND WHAT THEY MEAN
A partial list of the most widespread federal regulations: what each one is, who needs to comply, and the major compliance challenges.

FISMA
What is it? Requires information security controls using a risk-based approach
Who needs to comply? All federal agencies, state agencies that administer federal programs, and private firms that support federal programs, sell services to the federal government, or receive federal grant money
Major compliance challenges: Layer 2 network discovery, collection and mapping of devices to services/applications, device classification, inventory maintenance, and proper security controls

FedRAMP
What is it? A standardized approach to security assessment, authorization and continuous monitoring for cloud products and services
Who needs to comply? Federal cloud deployments and service models at the low and moderate risk impact levels
Major compliance challenges: Complete system inventory, effective vulnerability testing, accurate system boundary definitions

FITARA
What is it? Agency CIOs control IT investments; agencies must provide OMB with a comprehensive inventory of data centers
Who needs to comply? Noncompliant processes, improper delegations, improper approval processes, undocumented approvals
Major compliance challenges: Gaps in budget formulation, execution, acquisition and workforce

FIPS 140-2
What is it? Required for procurement of IT systems for the federal government
Who needs to comply? Federal agencies, government contractors, and state/local government projects spending federal money
Major compliance challenges: Use only FIPS approved/NIST recommended crypto algorithms; crypto must be implemented in a NIST validated crypto module

Common Criteria
What is it? Security products that have met this certification are eligible for purchase by federal agencies
Who needs to comply? Federal agencies and select state/local agencies
Major compliance challenges: N/A

President’s Cybersecurity Mandate
What is it? Requires federal agencies to implement NIST’s Cybersecurity Framework (NIST 800-53)
Who needs to comply? Federal agencies and select state/local agencies
Major compliance challenges: The relatively vague nature of the wording leaves the details of implementation to individual agencies

Cloud First
What is it? Embrace cloud first, before resorting to other options
Who needs to comply? Federal agencies and select state/local agencies
Major compliance challenges: Budget/justifying ROI, security concerns