The ComplyVision solution for Cloud Security Authorization enables agencies to meet the regulatory requirements of C&A Automation and Continuous Monitoring (CM). The solution addresses the requirements of a stand-alone, cloud-based or hybrid system and can be deployed in a private, public or community cloud environment.
The ComplyVision Compliance as a Service (CaaS) supports the various service models as well as the deployment models of cloud-based environments. This makes the solution elastic, metered and cost-effective, all characteristics of a cloud-based offering.
The ComplyVision CaaS solution addresses the complex Security Certification and Authorization (C&A) needs of cloud-based systems. The solution addresses government regulations such as FISMA and HIPAA as well as commercial regulations such as GLBA, SOX and PCI. It incorporates Information Assurance (IA) frameworks such as NIST SP 800-53 Rev. 3, DIACAP (DoDI 8500.2), FedRAMP, CNSS 1253 and ISO 27001. It provides a unique ability to fully transform packages from one IA framework to another without requiring a rewrite of the system C&A documentation.
The ComplyVision CaaS solution fully implements the six-step Risk Management Framework (RMF) described in NIST Special Publication (SP) 800-37 Rev. 1. The CaaS solution can be embedded in the cloud by a Cloud Service Provider (CSP) or used by an enterprise client for private cloud or community cloud-based systems, to certify and maintain the Security Authorization of the information system.
NIST SP 800-37 Rev. 1 - Risk Management Framework (RMF)
NIST SP 800-37 Rev. 1 (Chapter 3, p. 36) says, "Organizations may choose to eliminate the authorization termination date, if the continuous monitoring program is sufficiently robust to provide the authorizing official with the needed information to conduct ongoing risk determination and risk acceptance activities with regard to the security state of the information system and the ongoing effectiveness of security controls employed within and inherited by the system". Organizations must still maintain formal authorizations and acceptance of risk, but they may leverage the results of continuous monitoring assessments to support the ongoing Authorization to Operate (ATO).
The initial ATO and ongoing Continuous Monitoring are required for newly procured systems as well as for the continued operation of an existing system. Continuous Monitoring encompasses everything from monitoring changes to the system's asset components and collecting situational awareness data from those assets, to conducting ports and protocols analysis using vulnerability analysis tools and keeping the system-related Plan of Action and Milestones (POA&M) updated. It also includes policy monitoring and documentation updates for annual re-certifications and for re-certifications triggered by significant changes.
ComplyVision Solution for Continuous Monitoring
The ComplyVision solution allows agencies to meet the key requirements of Continuous Monitoring including:
- Change and Configuration Management of Assets
- Monitoring of Security Controls using Automated Tools
- Documentation Updates and Reporting
The Virtustream Security Solutions ComplyVision™ solution has been designed to guide agency C&A teams through a structured methodology that strictly follows the NIST/DoD standards and helps meet the requirements of Continuous Monitoring. It also helps C&A teams prepare the initial C&A package and its subsequent updates, complete with the documentation needed to obtain and maintain the Authorization to Operate (ATO).
For additional information and free initial consultation please contact us.