1 Comment
LS

AJ Yawn stated: "The biggest barrier isn't technology, it's knowledge. Most federal risk management framework (RMF) and cloud security professionals were trained in traditional waterfall approaches to compliance." This misses the REAL problem -- their training is a reflection of what DISA and Cyber Command demand. If DISA and Cyber Command changed their approach, then the people who have to follow the dictated approach would change. Have you ever read the horrible prescriptive DISA Application Software Development STIG? This STIG requires a certain amount of waterfall to pass, and even for an organization that is doing everything correctly, just proving that you are compliant is man-years of effort. And there are few clues in this STIG as to what is really required. Where are DISA's IaC templates and template documents -- the ones that, if used, guarantee a compliant ASD process? Almost none of this should be prose. The templates for pipelines and supporting servers like Nexus, Nessus, GitLab, Microsoft DevOps, etc. should all be defined. The problem is the dictates of the organizations the people have to work with, not their lack of training.
