
Puppet supports DoD continuous compliance and configuration management

Puppet Enterprise now offers Compliance Enforcement Modules aligned to DISA STIGs Benchmarks. The Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) were built to safeguard our most critical security systems and data against a dynamic threat environment, yet monitoring and enforcing widely deployed infrastructure at the U.S. Department of Defense (DoD) scale is a formidable task. With hundreds of STIGs requirements that change regularly, it is also an ongoing challenge.

Puppet by Perforce understands these issues, as more than 50 percent of U.S. federal cabinet departments and 70 percent of contractors use Puppet technologies, with many of the largest branches of government leveraging Open Source Puppet or Puppet Enterprise. Continuing that commitment to the DoD, Puppet has launched an update to its Compliance Enforcement Modules (CEM) that align to DISA STIGs.

How Compliance Enforcement Modules optimize agency systems and resources

Each new system brought into a network consumes valuable resources. It can be extremely time-consuming to determine which benchmarks apply to which systems, depending on the operating system (OS), role, version, or environment. This process involves various IT teams, including security and/or compliance teams, who must validate the reference system and create complex reports. The operations team must then interpret those reports to determine the root cause of the issue.

Compliance Enforcement Modules provide self-enforcing policy as code that reduces the staff hours and network resources needed to add and enforce the STIGs compliance of each new system.

Puppet Comply and Compliance Enforcement Modules give operations teams the tools they need to:

  • Eliminate manual tasks and possible interpretation errors by automatically scanning, enforcing, and remediating desired states as defined by DISA STIGs
  • Limit overall costs by streamlining and combining the processes involved with finding and rapidly fixing compliance issues
  • Expedite time to value by continuously reinforcing the desired state for new system deployments
  • Reduce the team’s learning curve using one proven enterprise DoD solution

Puppet Enterprise, Puppet Comply, and CEM deliver the tools DoD agencies need to free their staff to focus on more high-value projects, streamlining deployment of the systems that move them closer to mission success.

Compliance Enforcement Modules create trusted security and compliance posture

IT teams can often feel like they are chasing compliance, introducing more risk as they attempt to write remedial code. They depend on the security and the compliance team to run scans before they can approach remediation. This can lead to expensive delays. At the same time, DoD infrastructure and regulations are incredibly complex. Maintaining every server at 100 percent compliance would break other applications and services, leading to exceptions for specific system controls. Tracking all of those workarounds manually and reconciling them against each scan report is time-consuming and delays the development process.

Puppet Comply and Compliance Enforcement Modules create a trusted posture that allows IT operations teams to update once and deploy everywhere to:

  • Streamline the process of deploying new systems by establishing DISA STIGs as code
  • Access remediation status immediately with intelligent continuous compliance
  • Ensure compliance estate-wide with enterprise features such as dashboards, dynamic reports, and configurable exception handling
  • Maintain continuous compliance and audit readiness by understanding and addressing compliance status in real-time

Our goal is to make it as easy as possible for DoD agencies that need to ensure a continuously secure state in compliance with mandates like DISA STIGs.

Puppet by Perforce has proven expertise in secure, mission-critical programs such as DCSG-A and deploying across large-scale environments. The Puppet team also manages these modules and updates them as STIGs are updated and changed, allowing users to focus solely on their infrastructure compliance. For DoD teams in the Red Hat Enterprise Linux 7 environment, CEM with DISA STIGs support is available now, with support for additional operating systems expected in 2023.

Charles Sanders is a Product Marketing Manager at Puppet by Perforce.
