2014 Digital Yearbook of Homeland Security Awards
and legacy systems are retired, saving both time and money. Some production clients manage over 1 million assets and have over 10,000 daily users. Benefits are incident reduction, 5 – 10x faster time-to-remediation, fewer audit failures, and 2 – 3x operational efficiency gains.
Please describe a major federal agency using the Agiliance RiskVision approach.
JF: The U.S. Department of Veterans Affairs (VA) is one such example. They were experiencing major operational efficiency issues stemming from their Assessment and Authorization (A&A) procedures. Per FISMA law, every online system must maintain an Authority to Operate (ATO) certification, and FISMA subjects must renew their ATOs for every major system change. For the agency, this meant manual gathering and assessing millions of check results generated by third-party security monitoring tools.
The problem with this approach was the vast amounts of data it produced and great difficulty understanding the real meaning of the collected data and correlating it to the agency’s compliance posture. And by the time the data was processed and analyzed, it was no longer actionable. All the time and money spent collecting it was wasted. As a result, completing each ATO was a labor- and time-intense process, inhibiting the agency’s ability to meet their audit deadlines.
The agency implemented RiskVision to collect data from their IT and security tools and perform real-time diagnostics and mitigation using NIST SP 800-137 and the NIST IR 7756 (CAESARS) risk frameworks. The VA project is the largest cyber security risk project in the world, conducting daily control checks for 1+ million systems for more than 130 technical controls at the VA centers in DC and Austin, Texas; providing access to 4,000 workflow and reporting users, as well as 400,000 policy attestation users.
Now the VA can cross-verify controls between federal regulatory risk management frameworks such as FISMA, NIST SP 800-53, and CyberScope. After deploying RiskVision, the agency achieved significant cost and time saving. Rather than collecting each bit of data generated by more than 1 million data collection points, the IT personnel now gathers and stores highly relevant information and attends to high-risk issues in a timely manner.
How does Agiliance see the future of Cyber Security Operational Risk?
JF: Notwithstanding better analytics and decision-making from use of big data technologies, cloud-managed services is the new way to informed risk management. In 2014 alone, our cloud-delivered clients grew over 600 percent versus 2013, led by customers in the Financial Services and Healthcare industries.
One of our Financial Services customers is already managing 200,000 critical assets with an end-to-end threat, vulnerability, and ticketing solution delivered on the RiskVision platform and several connected technologies, all in the cloud. We’ve developed RiskVision’s managed services to be cloud security hardened and ready for cloud risk programs that are deploying in the DoD, IC, and civilian agencies. With pioneering efforts of CSA, FedRAMP, NIST, and others on cloud security, and the need to stand up solutions with operational efficiency, over 70% of cyber security operation risk management will be centered in the cloud by 2018.
I can be reached by Twitter: @joe_fantuzzi and by email: jfantuzzi@agiliance.com
On behalf of Agiliance and our customers, thank you for an opportunity to share our perspectives with your readers.