Today’s federal government and military are facing workforce shortages and vacancies in many important positions. However, none of these vacancies are as potentially harmful to the security of our nation as the shortages that exist in our federal cybersecurity workforce.
There are nearly 600,000 unfilled cyber jobs across the U.S. And the government and military are at a disadvantage when competing against private sector organizations for top cyber talent – unable to meet the higher pay and fringe benefits that private enterprises offer cyber professionals.
If the government and military are going to meet the larger, more sophisticated cyber risk that they face from hacker groups and nation-state cyber threats, they need to keep the cybersecurity workforce that they do have laser-focused on the mission. This means finding a way to automate redundant tasks that are lower value – although still essential – and enabling the existing cyber workforce to focus on higher-value responsibilities.
Some of the processes that could benefit from the increased efficiency of automation exist within government and military compliance requirements – where time-consuming, manual tasks could be optimized and streamlined with innovative technologies.
On March 24, 2022, the COO of SteelCloud, Brian Hajost, will be hosting a Webinar about how government agencies and military organizations can ensure compliance through automation. The Webinar, entitled “RMF acceleration through eMASS Automation,” will illustrate the role that automation can play in enabling an efficient, effective, and exacting security approach.
In advance of the Webinar, the GovCybersecurityHub sat down with Hajost to talk about the cyberthreat facing today’s government, the time-consuming nature of compliance processes, and why automation is so essential for today’s government cybersecurity professionals.
GovCybersecurityHub (GCH): What is the Enterprise Mission Assurance Support Service (eMASS)? What does it do, and why was it created?
Brian Hajost: eMASS is a computer application that supports Information Assurance (IA) program management and automates the Risk Management Framework (RMF) process. It helps the U.S. Department of Defense (DoD) maintain IA situational awareness, manage risk, and comply with the Federal Information Security Management Act (FISMA 2002 & 2014).
eMASS is owned by the DoD and is managed by the Defense Information Systems Agency (DISA).
GCH: Which agencies utilize eMASS? Is it all of the government, or just certain sectors of the government?
Brian Hajost: eMASS is utilized by most of the components of the DoD. It supports a broad range of IA capabilities that are utilized by DoD components to support their RMF and ongoing compliance efforts.
There is also a plan to utilize a version of eMASS as a repository for CMMC compliance documentation for members of the Defense Industrial Base (DIB).
GCH: What are STIG Viewer Checklists and how are they created?
Brian Hajost: Checklists are XML files that are created for each STIG policy for each endpoint. So, for a typical workstation, ten checklists will be created. Checklists include STIG compliance information detailing both technical and non-technical data. Waiver or POAM information is also included.
The non-technical data is completed manually by typing the information using DISA’s STIG Viewer desktop application. That data is then manually merged with XCCDF scan data and stored as individual XML files. So, if we have 1,000 workstations with ten policies each, 10,000 individual checklists will need to be created.
When complete, all of this information needs to be manually loaded into eMASS in order to register the compliance of each asset.
GCH: What impact can these manual processes have on government IT and cybersecurity personnel? Does it keep them from other, more mission-critical tasks?
Brian Hajost: The issue is that traditional methods are so very labor-intensive and DoD components are challenged to keep up with systems going through the RMF process, let alone all of the systems already in production.
The checklist process is also asymmetric in its execution. Scan data is timely and produced quickly while the manual control information is slow and labor-intensive. The result is that checklists loaded into eMASS are delayed and rarely represent the current state of the environment.
Traditional ways to update eMASS require significant cyber resources that might be better utilized on other projects.
GCH: Automation is a major topic of discussion around government agencies today, and the main focus of many government digital transformation initiatives. Is automation possible for many of these manual processes? How could automating these processes benefit the government?
Brian Hajost: Sometimes you can automate a manual function and sometimes you have to envision a whole new process. With eMASS and checklists, it is the latter.
Working closely with our DoD partners, SteelCloud has developed an entirely new methodology that reimagines the bulk, fully integrated checklist production while streamlining the process for loading checklist data into eMASS. In the end, our process reduces about 95 percent of the effort to produce checklists and load the checklist data into eMASS.
Additionally, we create generalized JSON output that can be used to load client dashboards. Operating at machine speed, DoD components can now quickly synchronize their checklist, eMASS, and SIEM data, ensuring that all data repositories represent the current state of their environments.