We recommend laying out an initial observation period with your AO of 6-12 months. During this time, meet regularly with assessors and your AO to demonstrate the results of your greatly improved implementation, assessment, and continuous monitoring processes. Set conditions for gaining an ongoing authorization and report on these metrics during these performance reviews. This is also your opportunity to outline recommendations for continuous improvement initiatives, and obtain feedback from assessors and AOs to achieve the virtuous cycle we laid out in our ‘why’.
Aside from monitoring via automation, embedded Assessors and Privacy Officers should be staffed organically to:
- Review security scan results when developers mark findings as false positives, or decide to suppress for future sprints
- Provide feedback to developers if disagreements arise
- Assist developers with mitigations
- Review security tasks as developers complete them
- Provide feedback to developers if implementation details aren’t sufficient
- Monitor system diagram and overall SSP for changes
- Perform spot checks on the cATO process
- Perform Penetration Testing exercises
Perform independent spot checks and penetration tests during this time. There will be findings. Explicitly reject unrealistic standards like ‘zero findings’. Instead, focus on time to discovery and time to remediation as key metrics: your continuous delivery capability applied to remediation will impress even the most risk-averse of stakeholders.
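As an added illustration (not from the original article), the following script computes the two metrics above from a constructed scanner export, and also surfaces the suppressions an embedded assessor still needs to review; the `Finding` fields and the per-severity SLA hours are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Remediation SLA per severity in hours; assumed values, not from the article.
SLA_HOURS = {"critical": 168, "high": 336, "medium": 720, "low": 2160}

@dataclass
class Finding:
    id: str
    severity: str
    introduced: datetime                # commit that introduced the weakness
    discovered: datetime                # first report by a SAST/SCA/DAST/image scanner
    status: str                         # open | fixed | suppressed | false_positive
    closed: Optional[datetime] = None   # fix, suppression or FP timestamp
    assessor_reviewed: bool = False     # assessor signed off on a suppression/FP

def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600

def median_time_to_discovery(findings):
    """Median hours between introduction and first scanner detection."""
    return median(hours(f.discovered - f.introduced) for f in findings)

def median_time_to_remediation(findings):
    """Per-severity median hours from detection to fix, fixed findings only."""
    by_sev = {}
    for f in findings:
        if f.status == "fixed" and f.closed is not None:
            by_sev.setdefault(f.severity, []).append(hours(f.closed - f.discovered))
    return {sev: median(v) for sev, v in by_sev.items()}

def unreviewed_suppressions(findings):
    """Suppressed or false-positive findings still awaiting assessor review."""
    return [f.id for f in findings
            if f.status in ("suppressed", "false_positive") and not f.assessor_reviewed]

def overdue_open(findings, as_of):
    """Open findings whose age since detection exceeds the severity SLA."""
    return [f.id for f in findings
            if f.status == "open" and hours(as_of - f.discovered) > SLA_HOURS[f.severity]]

# Constructed sample export, not real scanner data.
T0 = datetime(2024, 3, 1, 9, 0)
def H(n): return T0 + timedelta(hours=n)
FINDINGS = [
    Finding("F1", "critical", H(0), H(2), "fixed", closed=H(26)),
    Finding("F2", "high", H(0), H(4), "fixed", closed=H(100)),
    Finding("F3", "high", H(24), H(30), "suppressed", closed=H(32)),
    Finding("F4", "medium", H(0), H(3), "open"),
    Finding("F5", "critical", H(48), H(49), "false_positive", closed=H(50), assessor_reviewed=True),
]
```

Run the four functions over `FINDINGS` (with an `as_of` such as `H(1000)`) to produce the numbers for an AO performance review.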
In summary, just like building software, managing risk is a continuous process... it is never done. A successful risk management program requires us to treat risk as a first-class citizen. Continuously monitoring our security and privacy controls is how we will retain confidence in our security posture and program. Here is a good starter strategy that will ensure we remain honest with ourselves:
- Product teams are responsible for continuously managing security and compliance risks that are surfaced by security vulnerability scanning solutions (e.g. SAST, SCA, DAST, Image/Container, etc.).
- Product teams and Security Control Assessors are expected to meet at least weekly to discuss upcoming release plans for the product, changes in security vulnerability posture, and any product context that should be updated within security vulnerability scanning tool project surveys.
- Security Control Assessors and Privacy Officers are responsible for ensuring product teams are complying with policy expectations.