Chris. Tremendous article. Would love to add that bias in auditing along with lack of audit tools that have full independence separated from ops side (biased) tools is critical. ZeroBias Auditing is the only way to unlock a cATO by a 3PAO. Ecosystem incompatibility with OPS side compliance/security/config tools balanced by fully independent zero bias external auditing is the only way to drive risk out of the risk party.
I’d also like to point out that under the section of continuous monitoring the author mentioned AWS Audit Manager as an example offering, but it’s important to know that as of this article being published, AWS Audit Manager is not available in AWS GovCloud.
Eric, thanks for pointing this out. This is a perfect example of a service that would make it easier to perform real-time compliance monitoring and assurance not even being approved by the FedRAMP process itself for GovCloud. While I know this wasn't the intent of your comment, you made my case for me better than I could. AWS announced General Availability of Audit Manager on December 8th, 2020. Here we are almost 2 years to the day and this innovative service still isn't available to AWS Government customers. (https://aws.amazon.com/about-aws/whats-new/2020/12/aws-announces-aws-audit-manager/)
Excellent example.
FYI, Audit Manager is on the GovCloud road map for early Q3 of next year (2023). It took a while, but it's coming.
This is an excellent article that is full of insights and valuable references to go and explore. I do wish that some of the more reputable FedRAMP-In-a-Box platform accelerators were mentioned rather than simply to beware of their promises...which is always the case.