Automation in the compliance arena is becoming increasingly ubiquitous. Yet many of the most significant innovations in automation are found not in the anti-bribery/anti-corruption space but in adjacent spaces. That message was once again driven home to me when I had the chance to sit down with Travis Howerton, Co-Founder and Chief Technology Officer (CTO) at RegScale, for a podcast interview. (Howerton's interview will post on the Innovation in Compliance Podcast in August.)
What I found most interesting, and indeed most insightful for the compliance professional, is that the US government is increasingly turning to automation and AI to meet its security and compliance standards. With the transition of FedRAMP from guidance to law, companies are now required to use it and to meet certain cybersecurity standards in order to do business with the US government. NIST SP 800-53 Revision 5 addresses regulatory change around privacy, including GDPR and other developments, and adds new control families while changing existing ones.
As the government continues to revise its standards, the need for automation becomes increasingly important. The National Institute of Standards and Technology (NIST), a standards body within the federal government, is working with the Open Security Controls Assessment Language (OSCAL) team to develop standards. NIST has interacted closely with the OSCAL team, creating an open-source repository on GitHub and building communities of interest. Additionally, NIST works with other government agencies, tool providers, and industry to develop these standards.
FedRAMP gives vendors and customers a clear goal, but it is expensive and time-consuming to achieve. Cybersecurity is no longer a cost center but a requirement for doing business with the US government. The Department of Defense requires companies to meet certain cybersecurity standards before it will do business with them, and other agencies are taking similar stances on cybersecurity. Companies are now required to have a compliance program to do business with these agencies. Cybersecurity is now seen as one of the top risks to businesses, bringing legal risk, revenue loss, and embarrassment.
The government is driving the need for robust cybersecurity down the supply chain. Cyberattacks can serve a number of nefarious purposes, including theft of IP. The government is looking to make cybersecurity a requirement in law and in contracts, and it can cancel contracts for cause if that requirement is not met. Boeing now has the clout to require its suppliers to have a NIST-certified or attested cybersecurity program.
NIST SP 800-53 Revision 5 is the latest version of the government's standards for cloud service providers. It includes new control families and changes to existing ones. Developing a Rev 4 package is expensive, and the government is likely to continue revising the standards. Third-party assessment organizations will have to train up on the new families and redo a lot of work to meet the new standards. Cyber hiring metrics in the US show that there is no surplus of people to meet the increased demand created by Rev 5.