Ensuring compliance with DISA STIGs, NIST 800-53, CMMC, and RMF

This blog is the second in a four-part series on infrastructure automation for government agencies that are modernizing digital systems while grappling with budget and staffing constraints and the challenges of COVID-19. Read the first post here.

Compliance with different institutions and their various standards — such as the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), the National Institute of Standards and Technology (NIST) SP 800-53, the Cybersecurity Maturity Model Certification (CMMC), and the Risk Management Framework (RMF), to name a few — can be an arduous task. Each STIG can specify a few hundred controls that need to be implemented, and compliance drift can occur over time. Yet failure to comply can result in millions of dollars in fines and scrutiny for agencies and their program managers.

The current state of security compliance in government agencies

DISA STIGs specify a set of policies, security controls, and best practices for securing operating systems, applications, and more. Government agencies must comply with relevant STIGs, and there are heavy fines for failing compliance audits. Defense agencies are mandated by DODD 8500.1 to meet STIG specifications, and there are more than 490 STIGs to date. Multiply the number of STIGs by the thousands of servers managed in any one agency and you will conclude that managing compliance can be a very daunting task. Manual implementation is tedious and very resource-consuming.

It’s also entirely possible to be in compliance today but not in compliance tomorrow, as system states are known to drift off course over time. For agency and program security teams, it often feels like a never-ending catchup to ensure all of the systems are in compliance. Automation is the clear path forward.

How infrastructure automation can help

Infrastructure automation, when used for compliance, can configure and monitor systems so that they comply with DISA STIGs, NIST 800-53, CMMC, and RMF. There are many community-driven templates available for popular applications and systems. While automation is extremely helpful in configuring systems to be compliant at deployment, system states will inevitably drift over time and fall out of compliance. There will also unavoidably be rule conflicts. So, you want to make sure that your compliance automation platform checks for drift and intelligently handles rule conflicts. Ideally, the platform can continually monitor each system and enforce a compliant state as frequently as every 30 minutes. This alone can massively reduce the workforce costs associated with compliance audits.

What to look for in a compliance automation system

Do you think a compliance automation system might work for your agency? Here are a few questions you should ask when evaluating compliance automation platforms:

  • Scalability – can the platform handle thousands of systems without breaking a sweat or your budget? You want to make sure that scaling will be painless.
  • Compliance reporting – are there out-of-the-box reporting templates? You shouldn’t have to trade compliance headaches for reporting headaches.
  • Monitoring frequency – how often can each system state be verified? Weekly? Daily? The best-in-class approach is every 30 minutes.
  • Ecosystem support – does the platform integrate with most of the systems in your environment?
  • Air-gapped operations – can the system function in environments with no or limited network connectivity?

Puppet Enterprise delivers powerful compliance automation advantages

Define once. Apply everywhere: With Puppet Enterprise, you can define security and compliance policies as code and automatically apply the appropriate settings to node groups dynamically and reach hundreds or thousands of nodes at once. You can assign enforcement policies so that new systems automatically inherit compliant configurations based on their system facts.

Model-driven automation: After defining your baseline compliant state configurations, Puppet Enterprise continuously checks your infrastructure every 30 minutes. If a system drifts from its compliant state, it automatically makes corrective changes. The system allows you to mitigate the risk of non-compliance between scans by enabling IT ops teams to immediately validate that remediations were successful.
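As an added example (not code from the post or from Puppet's own content), here is how a fact-driven, policy-as-code baseline of the kind described above might look in Puppet's language. The class name, its parameters and the `file_line` type (from the puppetlabs-stdlib module) are assumptions, and the control values are illustrative rather than quoted from any particular STIG.

```puppet
# Added example (not from the post): one way to express STIG-style baseline
# controls as policy-as-code in Puppet. The class name, its parameters and
# the file_line type (from the puppetlabs-stdlib module) are assumptions;
# the values are illustrative, not quoted from any particular STIG.
class compliance_baseline (
  Boolean $permit_root_login = false,
  Integer $max_auth_tries    = 4,
) {
  # "Define once, apply everywhere": derive OS-specific names from facts
  # so the same class can be assigned to RedHat- and Debian-family nodes.
  $sshd_service = $facts['os']['family'] ? {
    'Debian' => 'ssh',
    default  => 'sshd',
  }

  # Ownership and mode are re-asserted on every agent run (every 30
  # minutes by default), so a manual chmod between runs is corrected.
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  # Each sshd directive is managed individually, so unrelated local
  # settings in the file are left alone; a change restarts sshd.
  $prl = $permit_root_login ? { true => 'yes', default => 'no' }
  file_line { 'sshd PermitRootLogin':
    path   => '/etc/ssh/sshd_config',
    line   => "PermitRootLogin ${prl}",
    match  => '^#?PermitRootLogin\s',
    notify => Service[$sshd_service],
  }
  file_line { 'sshd MaxAuthTries':
    path   => '/etc/ssh/sshd_config',
    line   => "MaxAuthTries ${max_auth_tries}",
    match  => '^#?MaxAuthTries\s',
    notify => Service[$sshd_service],
  }

  # The service resource makes sshd running and enabled part of the
  # desired state rather than a one-time install step.
  service { $sshd_service:
    ensure => running,
    enable => true,
  }
}
```

Running the agent with `puppet agent -t --noop` reports what this class would change on a node without enforcing it, which is a convenient way to see drift before deciding to remediate.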

Continuous compliance: Continuous compliance can be at odds with continuous delivery for some systems, ensuring compliance at the expense of speed and agility. Organizations with ambitious digital transformation initiatives can’t afford to make that tradeoff. Puppet Enterprise makes compliance scalable and predictable by enforcing policy as code as part of DevSecOps workflows. Plus, Puppet Comply can be employed to enable continuous compliance across hybrid infrastructure by scanning for adherence to security requirements, ensuring secure system configuration.

View compliance status holistically: With scanning and reporting designed for IT operations, Puppet Enterprise allows teams to assess infrastructure-wide compliance and quickly identify machines that don’t meet benchmark requirements. Puppet policy assessment technology is certified by the Center for Internet Security (CIS) to ensure CIS Benchmarks are met without taking extra steps.

Bridge skill and resource gaps: You can remediate compliance failures and build a framework for ongoing compliance with content created by a Puppet expert and tailored to your environment. Or you can create cross-platform content easily with Puppet’s approachable and straightforward language for non-expert resources.

Reduce the burden of audit preparation: Puppet Enterprise allows you to reduce workforce costs associated with compliance and generate automatic reports to stay ahead of audit preparation.

With the right platform and a full suite of content implementation services, agencies can meet all compliance requirements while reducing costs and avoiding hefty fines. As described in our first blog in the series, one federal agency in the energy sector leveraged Puppet automation to meet strict IT security standards, taking their Linux servers from 30 percent to 98 percent STIG compliance. This significant improvement saves them a lot of money on fines paid for non-compliance while gaining complete visibility over their infrastructure. Puppet ensures servers are configured correctly to meet the requirements — and helps them stay that way. Learn more about this in their video interview.

In the next blog, we will look at how automation can help assure digital transformation projects.

Alexa Sevilla is a Principal Product Marketing Manager at Puppet.

Learn more

  • Watch how a U.S. government agency uses Puppet to meet strict IT security standards.
  • Learn more about navigating the "new normal" with self-healing infrastructure automation for government agencies.
  • Read the solutions brief on Assured Security Compliance for Federal Agencies.