Government

SignaCert Solutions for Government - including Agencies and DoD

Virtually all IT processes in government are driven by regulation. Within the federal agencies, budgets are set and IT compliance is reported to the Office of Management and Budget (OMB). Best practices and regulatory methods are established largely by the Federal Information Security Management Act of 2002 (FISMA); OMB continually refines how FISMA is to be implemented through circulars and memoranda.

These memoranda increasingly mandate standard configurations for desktops and servers, as well as documented processes for certification and accreditation. Two important recently announced requirements are the Security Content Automation Protocol (SCAP) and the Federal Desktop Core Configuration (FDCC); these take the IT controls required under FISMA to the next level. OMB is requiring that agencies implement both SCAP and FDCC by February 1, 2008.

Similar specifications and procedures are being developed for immediate implementation within the Department of Defense.

Every year, agencies and the DoD spend enormous amounts of time and money on deployment and re-certification, and IT measurement and controls are increasingly mandated so that these processes can be carried out in a systematic and cost-effective manner.

SignaCert can dramatically reduce the cost of re-certification, while putting in place IT quality controls and measurement that can help affirm IT operational excellence.

The Transition from Negative to Positive Model

Traditionally, most IT sectors have relied entirely on the negative model for information security and systems management: enumerate what is known to be bad and block it. The negative model rests on several assumptions:

  • Most problems have malicious intent
  • There is a defined IT perimeter
  • We can keep up with a high velocity of "unknown" threats

Increasingly we have come to realize that full reliance on these assumptions, and on the technologies built on them such as anti-virus and the various intrusion detection and prevention methods, is insufficient.

As standard configuration and image methods advance, we have a new opportunity to supplement the traditional methods with proactive software assurance.

Through IT instrumentation and rapidly developing software assurance methods, we can now proactively establish known and trusted states, then manage and measure against that known code, in addition to defending against suspect code.

In effect this enables high-resolution change detection while pushing the measurement closer to the devices most susceptible to system drift: servers, workstations, clients and other devices where unknown and unauthorized changes are known to cause instability and increase the risk profile.

With positive software assurance we can verify against a common baseline of known and trusted code sets across the entire domain. Exceptions (additions, deletions and changes) from the pre-established runtime code set can be readily flagged and remediated.
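As an added worked example (not SignaCert's code or product), the following Python script implements the positive-model check described above: it measures a reference image by hashing every file into a baseline manifest, then measures a host and reports every addition, deletion and change against that baseline. The directory layout, file contents and the drift it simulates are constructed sample data, and the manifest format (sha256sum-style "hash  path" lines) is an assumption of this example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def measure_tree(root):
    """Measure every regular file under root: {relative POSIX path: sha256 hex}.
    Symlinks are skipped so a link pointing outside the tree cannot masquerade as approved code."""
    root = Path(root)
    measurements = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            measurements[path.relative_to(root).as_posix()] = hash_file(path)
    return measurements


def save_baseline(measurements, manifest_path):
    """Persist the baseline as 'hash  path' lines; this file is the auditable reference."""
    lines = [f"{digest}  {rel}" for rel, digest in sorted(measurements.items())]
    Path(manifest_path).write_text("\n".join(lines) + "\n")


def load_baseline(manifest_path):
    """Reload a manifest written by save_baseline into {path: hash}."""
    baseline = {}
    for line in Path(manifest_path).read_text().splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            baseline[rel] = digest
    return baseline


def compare_to_baseline(baseline, current):
    """Positive model: the baseline is the only approved state; anything else is an exception."""
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "deleted": sorted(known - seen),
        "changed": sorted(p for p in known & seen if baseline[p] != current[p]),
    }


def build_demo_trees():
    """Constructed sample data: a small 'golden image' and a drifted copy of it."""
    golden = Path(tempfile.mkdtemp(prefix="golden_"))
    for rel, content in {
        "bin/sshd": b"\x7fELF approved sshd build",
        "lib/libcrypto.so": b"\x7fELF approved libcrypto build",
        "etc/ssh/sshd_config": b"PermitRootLogin no\n",
    }.items():
        (golden / rel).parent.mkdir(parents=True, exist_ok=True)
        (golden / rel).write_bytes(content)

    host = Path(tempfile.mkdtemp(prefix="host_")) / "image"
    shutil.copytree(golden, host)
    # Simulated drift: a setting weakened, an unapproved tool dropped in, a library removed.
    (host / "etc/ssh/sshd_config").write_bytes(b"PermitRootLogin yes\n")
    (host / "bin/nc").write_bytes(b"\x7fELF unapproved tool")
    (host / "lib/libcrypto.so").unlink()
    return golden, host


def run_demo():
    """Record the golden baseline to a manifest, reload it, measure the drifted host, report exceptions."""
    golden, host = build_demo_trees()
    try:
        manifest = host.parent / "golden.sha256"
        save_baseline(measure_tree(golden), manifest)
        report = compare_to_baseline(load_baseline(manifest), measure_tree(host))
    finally:
        shutil.rmtree(golden, ignore_errors=True)
        shutil.rmtree(host.parent, ignore_errors=True)
    return report


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:8s} {paths}")
```

Two caveats a practitioner would add. First, the measurement is only as trustworthy as the code taking it: an agent resident on a compromised host can be made to report the baseline hashes, so the reference manifest should live in a protected store and the comparison should run, or at least be verified, from outside the measured host. Second, this example covers only file content; checking system settings against a reference such as a STIG needs a separate measurement of configuration state, not just of the binaries that read it.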

SignaCert can help you to:

  • Independently verify and prove that applications are deployed as intended, even long after they have been pushed into production. This includes patch validation measured at the binary and library level, rather than from proxy information such as a patch-management tool's record that a patch was applied. Moreover, measurements are taken against known references, including standard images and STIGs (DISA Security Technical Implementation Guides), so that deviations from both codebases and system settings can be detected.
  • Ensure regulatory compliance by showing definitive proof that applications are deployed as intended, and keep a historical audit trail of all changes over time. This can dramatically reduce the time and manpower required to meet FISMA Certification and Accreditation mandates.
  • Support Trusted Connect Methods (TCM) by assessing the system health of connecting machines before they are admitted.