Home  /  Empower and Protect  /  Xacta and IT GRC: Similar Tools for Different Jobs

Xacta and IT GRC: Similar Tools for Different Jobs

By Rick Tracy •  October 28, 2019

The cyber risk management and compliance landscape can be complicated, especially for an organization that doesn’t know what their requirements are, let alone how to address them.  When I’m asked how Xacta differs from traditional IT governance, risk management, and compliance (GRC) solutions, I explain with the following analogy:

If a GRC solution is a hammer, then by contrast, Xacta is a screwdriver.  Both tools are useful, but are designed to perform similar — but different — functions.

At a very high level, GRC solutions and Xacta are both used to manage IT risk and compliance.  However, Xacta is purpose-built to support NIST standards (e.g., the RMF) and NIST-derivative frameworks (e.g., FedRAMP). Telos has twenty years of specific experience under our belt and thousands of users specifically in the area of operationalizing NIST security controls.  All of this has helped us refine our solution over time.

GRC is a general-purpose function that can be tailored to organizational desires and preferences, whereas authorization to operate (ATO) processes like RMF and FedRAMP are very prescriptive.

If capabilities like C-I-A calculation, automatic control selection, control implementation, common control inheritance, BOE, POA&M, SSP, and continuous monitoring aren’t core competencies of the solution you’re considering, it’s a GRC solution.  If your systems require RMF and FedRAMP, then what you need is Xacta.

Could a traditional, general-purpose GRC solution be adapted to support NIST frameworks?  Potentially, but why would you do that when the right tool already exists?  Could you figure out how to fasten a screw with a hammer?  Probably, but how much time and cost is involved with adapting a tool to do something it wasn’t designed for?

In the end, using a hammer to pound in a screw isn’t the best solution.  Likewise, if a GRC solution will require lots of time, cost and customization to address specific NIST requirements, then why not just use the right tool for the job?

The compliance and IT risk management landscape is littered with failed projects where an organization tried to use a GRC tool to support end-to-end ATO activity.  When it is the wrong tool for the job, everything needs to be created from scratch by vendors that don’t have deep domain experience.  The result is costly, time-consuming, and functionally incomplete solutions that generally don’t work (or satisfy the customer).  Purpose-built solutions like Xacta are a much better choice because they are designed to support frameworks like RMF and FedRAMP from the ground up.

Each tool has a purpose.  You should use the right tool for the job.

Rick Tracy

Rick Tracy

Rick Tracy is the senior vice president and chief security officer at Telos Corporation. Follow him on Twitter: @rick_tracy See full bio...

The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.

Leave a Reply

Your email address will not be published.

two × 5 =