For federal government agencies, it is not only a priority but a mandated requirement that the contractors and vendors they do business with have hardened cybersecurity compliance controls that secure their networks and protect the data and information they house. The Center for Internet Security (CIS) is an organization dedicated to assisting IT professionals in defining their infrastructure security action plans and meeting their benchmarks by rolling out sets of security controls across their IT systems.
Unfortunately, manually implementing these CIS controls can be arduous and time-consuming. And even once these benchmarks are met, they aren’t just “one-and-done” tasks that are checked off a list. Compliance is an ongoing process that must be visited often, especially when companies add new applications to their systems or when CIS publishes new updates. Due to this ever-evolving nature of compliance, sticking to manual CIS control implementation processes is not feasible if companies want to maintain regular compliance and do business with the government.
If manually rolling out CIS controls isn’t a viable option for government contractors, can automation play a role in assisting companies to reach CIS compliance? And if so, what automated solutions or products are available to government contractors that can help them become CIS compliant? To get answers to these questions and learn more about the Center for Internet Security, the GovCybersecurityHub sat down with SteelCloud COO Brian Hajost.
Here is what he had to say:
GovCybersecurityHub (GCH): What is the Center for Internet Security? What does the organization set out to achieve in the cybersecurity space?
The Center for Internet Security (CIS) is a nonprofit organization consisting of a community of IT professionals working to define best practices that companies can use to secure their IT systems and protect data. CIS started with humble beginnings back in August of 2000 with a small group of corporate and government IT leaders concerned about cyberattacks. Since then, the organization has grown into a global, collaborative effort that developed a set of security standards and technical configurations to help mitigate risk.
As a community-driven organization, CIS invites anyone interested to join its CIS Benchmarks and CIS Controls communities. In large part, the organization is well respected because the people working on the projects are actual technology professionals who know what they need and want to do their jobs.
Beyond establishing best practices, CIS also offers free and paid products that organizations can use, including compliance frameworks, benchmarks for system-level technical controls, security self-assessment tools, risk identification and assessment solutions, and more.
The CIS Controls are the compliance framework that CIS established. CIS Benchmarks are the guidelines for hardening specific operating systems, middleware, software applications, and network devices.
GCH: Do the federal government and the military require their contractors and commercial partners to achieve certain CIS baselines and benchmarks in order to do business with them? If so, what sorts of security controls are they requiring be applied?
Mandates for system-level controls typically come into play for contractors that are dealing with either classified data or CUI (Controlled Unclassified Information). By far, CUI is the more prevalent of the two, and system-level control implementation is identified in NIST 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
Many professionals consider CMMC an extension of 800-171, adding maturity requirements and third-party auditing. System-level controls are the registry and configuration file settings that harden operating systems and applications, making them less susceptible to attack.
GCH: How can federal contractors identify the CIS Controls they are required to implement in order to do business with the government?
There are two system-level control regimes utilized in North America – STIGs (published by DISA) and CIS Benchmarks (published by the Center for Internet Security). Either control set can be used to satisfy 800-171/CMMC for the hardening of systems.
GCH: Once companies identify the controls they must apply in order to reach compliance, what does the manual rolling out process look like?
Speaking specifically about system-level controls, customers can implement them manually or use various tools to automate or partially automate the process. Without automation, it can literally take days or weeks to harden a single system. The complexity comes in where various system-level controls break various systems in different ways. It takes a lot of energy to determine what controls affect what systems.
GCH: Can CIS compliance be automated? How much time and resources can be saved by automating CIS compliance? What solutions and resources are available that can relieve the burdensome work of manually applying these controls?
Automation comes in two flavors. First, automating the upfront hardening effort and producing artifacts for RMF and compliance creates the baselines for implementation and control in a production environment.
Second, there is automation of the implementation, remediation, and assessment of controls in production. SteelCloud has developed an integrated compliance automation COTS software product that automates both of these processes. Many of our clients achieve more than a 90 percent effort savings for the initial hardening and more than a 70 percent effort reduction for addressing drift and new policy updates in production.