A rising tide lifts all ships. This old adage can be aptly applied to security control inheritance. Whether you call it control inheritance or crowd sourcing, the reality is that, the more data sharing there is, the greater the benefit to the broader ATO ecosystem.
Control inheritance reduces the number of security controls organizations have to account for manually. Xacta users have told us that control inheritance contributes significantly to Xacta’s ability to increase efficiency and effectiveness in completing their ATOs — by up to 90% in some cases.
Basically, control inheritance is an easy button for control implementation and testing activities that are critical steps of the NIST RMF and FedRAMP ATO processes. More specifically, it is comprised of a community of system owners who choose to share their ATO data, in a trusted way, to help others achieve ATOs much more quickly.
How can Xacta help you? Let’s look at a few different scenarios:
- Do you use cloud services that have already been ATO’d by the cloud provider? The largest cloud service providers in the world are standardizing on Xacta to get their cloud environments ATO’d, and are using Xacta to automatically share their compliance data with their users who also use Xacta. Workload owners simply select the cloud services and resources they plan to use and ingest the data into their Xacta project to help complete steps 3 (Implement) and 4 (Assess) of the RMF and equivalent for FedRAMP.
- Does your system boundary also include other technologies that have already been ATO’d? No problem. A number of technology vendors are standardizing on Xacta to get their ATOs. These Xacta projects will be used to share compliance data with their customers. Simply select the applicable technologies and ingest this data too.
- Are there other systems in your organization that need to get ATOs and rely on aspects of your system for their ATOs? No problem. Set your Xacta project to be a provider of security control data to help your colleagues accelerate their other ATO activities.
- Do you want to limit when and with whom data is shared? No problem. Data owners can use their Xacta projects to define private vs shareable content, who can access the data, and when the data is available for sharing. All of this is controllable by you.
- Did any of the control content providers you rely on for data make changes to their provider content? No problem. System owners will be automatically notified via Xacta so they can review and accept the data into their project and tailor as needed.
Xacta uniquely offers highly orchestrated sharing of security control content at scale for on-prem, multi-cloud, and hybrid systems that require ATOs.
(On a side note, this type of data sharing will ultimately help make reciprocity a reality!)
Just another way that Xacta reduces the RMF and FedRAMP chaos.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.