Extending Compliance Automation for process improvement with Compliance as Code

Posted by Marbenz Antonio on May 5, 2022

How to Meet Compliance with Automation | ProcessMaker

Supply chain interruptions, intellectual property theft, and the escalating cost of data breaches are just a few of the reasons for a sharp increase in worldwide cybersecurity compliance.

Regulated sectors have more strict regulations, and some firms increasingly use third-party audits to ensure compliance with cybersecurity guidelines rather than relying on internal personnel. The same standards may be used by non-regulated sectors to lower their security risk. Compliance automation is becoming increasingly critical as security professionals’ workload grows.

Why automate compliance in the first place?

Breach of data is costly. According to several statistics, the typical cost of a data breach is in the millions, and security professionals are already overworked. This is a solid argument for adopting automation to help compliance efforts.

Automation is the most practical way to improve your compliance activities due to understaffing and tight labor markets. Compliance automation is an important part of managing work and decreasing risk. Compliance as Code, an open-source initiative, provides tools to assist with this. To assist in verifying needed system configurations and remediating as necessary, security automation material is offered in SCAP, Bash, Ansible, and other forms.

About Compliance as Code

The Compliance as Code project on GitHub was born out of a partnership between government agencies and business suppliers to make Security Material Automation Protocol (SCAP) content more available to users. Since its beginning in 2011, the project has grown to integrate commercial security profiles such as PCI-DSS and CIS, as well as current automation technology.

Today, the Compliance as Code initiative provides commercial suppliers with general-purpose security content and building tools that they can swiftly develop and cooperate on. We’ve leveraged these skills to provide value to customers through automated compliance solutions. Due to the nature of the reports and procedure, compliance reporting might be difficult. It takes time and effort to ensure correct results in a spreadsheet, and it frequently repeats labor. Automated report production may boost productivity and get repeatable findings into the hands of consumers and contributors in less time.

A new approach to compliance reporting

Organizations, particularly those in regulated sectors, are frequently required to get an Authority to Operate (ATO) before they may install and utilize software in their environments. A Security Requirements Guide (SRG), which is a collection of technical controls like those contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, is used as part of this procedure.

This assessment determines if the software meets, does not meet, or can be adjusted to meet each control, as well as whether the control is applicable to the program in question. Other text-based information may be requested depending on the determined status.

To describe how to validate status, the evaluators may need to give manual instructions or code. They may also need to offer the code required to configure the program to satisfy a certain control to achieve that configuration. A Security Technical Implementation Guide (STIG) is the end result of this exercise: a configuration standard containing cybersecurity criteria for a given product.

When spreadsheets are involved, the already difficult task of developing STIGs becomes even more difficult. The US Defense Information Systems Agency (DISA) publishes spreadsheets including the security requirements for specific software as well as all the fields that may or may not need to be filled out depending on the status of each control, which can number in the hundreds. The following are some of the specific issues that a company can face when working on that spreadsheet:

  • Maintaining a record of who is doing/has done what
  • What fields must be filled out based on the control’s current status?
  • Assuring proper content layout
  • Assurance of quality

By automating the STIG creation and verification process, Red Hat is simplifying and streamlining Security Requirements Guide (SRG) processes to send Security Technical Implementation Guides (STIGs) to clients quicker and more efficiently.

The Compliance as Code codebase has been improved to generate STIG material based on previously validated tests. With automatic comma-separated values (CSV) file creation, the STIG content now inherits the test procedure that is already in place for Compliance as Code content and eliminates any mistakes.

Red Hat has begun the process by simplifying SRG processing, but it has no plans to stop there. Many of the same issues arise in other populations. We plan to use frameworks that apply to clients all around the world and across sectors to deliver holistic solutions. Compliance as Code is a place where people can collaborate and improve current solutions to better serve their customers and the community.


Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.

For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com

Verified by MonsterInsights