Security compliance is, for some users, unavoidable. Statutory and regulatory requirements like FISMA, which mandate the use of risk management frameworks like the NIST RMF or the DoD RMF, can add non-trivial cost and risk to any project.
Compliance generally improves a system's overall security posture. However, for compliance-encumbered projects, meeting the regulatory requirements should be treated as necessary but insufficient from an infosec perspective: a configuration can satisfy every required control and still be exploitable.
Further, the infosec community as a whole would benefit from a tighter feedback loop between security compliance (passive: checking a system against a control catalog) and offensive security practices like penetration testing (active: attempting to break the system as configured).
To that end, the Red Team Project will help document and automate compliance tasks in order to:
- Reduce the time and risk burden on projects by automating compliance checks and remediation with tools like Ansible and our NIST SP 800-53 role
- Accelerate the assessment and authorization (A&A) process by providing template bodies of evidence (BoE) for open source projects
- Pentest security-compliant configurations to help actively identify gaps and provide constructive feedback to regulators
- Build community with infosec practitioners and encourage them to take a more active role in making security compliance more relevant and effective
Check back soon for updates.