Shawn Elliott,
Vice President, Federal Solutions
In an organizational context, “being in compliance” refers to an organization conforming to the applicable standards and rules set by governing entities. These standards and rules can be both external (e.g. laws, industry standards, regulations) or internal (e.g. company policies). Failure to adhere to applicable standards can lead to severe consequences for any organization, including U.S. government agencies. Potential consequences may include disruptions in business, reputation damage, financial fines, legal action, and more.
Due to the fast-moving nature of Information Technology, one of the most complex and constantly evolving regulatory areas is cybersecurity. As U.S. government agencies may have access to classified, protected and sensitive information, these agencies are tasked with managing the difficult landscape of cybersecurity risk to protect public welfare.
To mitigate the potential risks associated with cybersecurity, agencies often utilize compliance management programs to gain visibility on which standards they need to comply with and plan the steps required to enable this compliance.
Compliance risk is generally defined as an agency’s exposure to potential consequences should it fail to comply with a given standard or rule. Understanding compliance risk is a key input to any compliance management program, both at the program initiation and as standards and rules change over time.
Compliance is a complicated subject and can be difficult to manage without fully understanding the requirements and the repercussions of compliance failure. To help organizations navigate compliance some regulatory bodies (such as the National Institute of Standards and Technology (NIST)) have released guides and other helpful documents. One such guide is the NIST Special Publication 800-30: Guide for Conducting Risk Assessments, which outlines best practices for conducting compliance risk assessments in cybersecurity.
In this article, we’ll explore the importance of compliance risk assessments in cybersecurity for U.S. government agencies, how to conduct a compliance risk assessment in 4 steps, and how IPKeys can help your agency manage cybersecurity compliance risk.
What is a compliance risk assessment?
A cybersecurity compliance risk assessment is a process that is conducted to identify, evaluate, and document any areas in which an agency may potentially fail to comply with applicable standards and rules. Additionally, a compliance risk assessment will evaluate the consequences to an organization should compliance failure occur. These assessments are generally conducted as a key process within an organization’s compliance management program.
Why it’s important to conduct cybersecurity compliance risks assessments
Though sometimes it can feel like standards are confusing and even arbitrary, being in compliance is generally highly beneficial to agencies. Standards have been set by governing bodies to improve security, quality, safety, and more.
Apart from the benefits of compliance, failure to comply with these standards and rules can lead to severe consequences for any organization. One of the most well-known examples of compliance fines is the 2021 Amazon fine. In July 2021, Amazon was given a 746 million Euro fine by the National Commission for Data Protection in Luxembourg for violating data privacy regulations. Another example is the recent Bittrex fine. On October 11, 2022, Bittrex was fined 29.8 million USD for violating U.S. sanctions and the Bank Secrecy Act.
Compliance doesn’t just impact large organizations or agencies. A 2018 study found that 18% of startup company failures were due to regulatory or legal challenges.
Compliance risk assessments can help U.S. government agencies in initiating and maintaining their compliance management system. Without a compliance risk assessment, an agency will not have visibility on which areas pose the greatest risk, and therefore where to prioritize risk management efforts. It is virtually impossible to eliminate all risks in the operation of an agency, and therefore understanding the potential severity and likelihood of risks is essential to determine which risks are acceptable, and which risks require controls to mitigate or eliminate.
Compliance risk assessments may also take place periodically to evaluate the impact of changing standards and rules on the current compliance management program. Having effective risk assessment procedures in place can expedite the process and allow for more efficient identification of risks and implementation of controls.
Change may also occur internally rather than externally. For example, an agency may be offering a new service or working with new software tools. In these cases, performing a compliance risk assessment may be a key process in evaluating the risks associated with this new endeavor.
How to conduct a compliance risk assessment in 4 steps
Though compliance risk assessments can require significant effort to conduct, the principles behind the process are relatively straightforward. The overall methodology for conducting a compliance risk assessment can be completed in 4 steps:
- Identify compliance risks
- Assess risks for severity and probability
- Prioritize risks and create control strategies
- Reevaluate potential risks regularly
Step 1: Identify Compliance Risks
Identifying which standards apply to your agency is a crucial first step in any compliance risk assessment. It is not possible to enact effective controls without understanding what risks you are protecting against. While it may sound like a simple task to identify standards applicable to your agency, this can be a significant undertaking. Standards are an ever-changing topic with many layers and organizations involved. For example, a U.S. government agency must comply with all relevant cybersecurity standards, including international standards (including ISO, IEC, SAE, etc.), national standards (including NERC, NIST, FIPS, etc.), and potentially industry-specific standards (such as PCI DSS or UL).
To complete this step, the compliance risk assessment team will distinguish the agency’s services, locations, and other factors which may impact compliance standards and rules. Using this information, the risk assessment team will then identify and document any regulations, standards, or rules that apply to the agency.
If the compliance risk assessment is being completed as a regular check (i.e. not as the initial risk assessment conducted by the agency), this step will primarily involve evaluating any changes that may impact compliance requirements, as well as reviewing any adjustments made by governing entities for compliance requirements since the last risk assessment was conducted.
Step 2: Assess the Potential Risk outcomes and the likelihood of a risk event occurring
In this step, the compliance risk assessment team will further evaluate the compliance risks identified in Step 1. Each identified risk will be assessed for at least two measures: The potential consequence (severity) and the likelihood of the risk occurring (probability) if no further action is taken. Depending on the compliance risk assessment plan, other factors may also be evaluated such as the effort level required to mitigate the risk or risk history.
It should be noted that both the severity and probability measures assume that no further action is taken. This acts as a baseline for prioritizing the risks (to be completed in Step 3). If your agency already has controls in place (and therefore this risk assessment is being conducted as a reevaluation), then some risks may already be mitigated by these controls. Therefore, the potential risk may be lower for your agency than for a similar agency that does not have comparable controls in place.
Step 3: Prioritize Risks and Determine Necessary Controls
So far (in Steps 1 and 2) the compliance risk assessment has focused entirely on information gathering. In Step 3, the measures determined in Step 2 (severity and probability) for each risk will be utilized in formulating actionable plans.
The measures produced in Step 2 are weighed in Step 3 to determine a prioritized ranking of the identified compliance risks. Typically, the compliance risk assessment team will determine an “acceptable risk value”. Every risk which scores over this acceptable risk value will be identified as a risk that requires mitigating controls.
Depending on whether the compliance risk assessment you are conducting is the first for your agency (setting up your compliance management program) or a reevaluation of an existing compliance management program, your agency may or may not have controls currently in place to prevent, detect, and correct risks. In either case, controls will need to be added or updated to mitigate all of the identified non-acceptable risks.
Once controls have been identified to mitigate the risks, the compliance risk assessment delivers the recommendations to the compliance management program. The implementation of the controls falls into the compliance management program scope and therefore is not part of the compliance risk assessment. However, there is still one more critical step in the compliance risk assessment lifecycle.
Step 4: Monitor Compliance Changes and Reevaluate Regularly
Technically a single compliance risk assessment is completed in Steps 1 to 3. However, in reality, an agency is never “done” with compliance risk assessments. The process should be completed regularly to ensure an agency remains as protected as possible. Potential triggers for a compliance risk assessment may include:
- Time – For example, an agency may determine that a risk assessment should be completed annually.
- Organizational Changes – such as new services, locations, or industry involvement
- Regulatory Changes – Large updates to applicable compliance standards or rules may necessitate an additional compliance risk assessment.
How IPKeys helped a DoD Agency conduct a risk assessment
IPKeys collected information from multiple sensors (ingested into our CLaaS data analytics platform) throughout a DoD Agency at the system/network level using our tiered approach. Ultimately we were able to produce an enterprise view, enabling effective compliance management, and reporting. Our tiered approach to a DoD Agency’s Cyber Vulnerability Management (CVM) ensured effective continuous monitoring, compliance, and reporting that provides a comprehensive accounting for organizational and system security posture and compliance. Since our team is cross trained and collaborated daily on each of the covered systems within the compliance portfolio, we were able to maximize operational resiliency and capability to surge support for each system as necessary and to eliminate potential single points of failure. The shared knowledge was documented to make certain future staff or other stakeholders could gain an effective understanding of the security posture and status of each system. Tasks were documented in a task management software, such as Jira, Remedy or ServiceNow, which was then prioritized according to pre-established guidelines (highest risk items first, for example) and from Government direction and guidance as part of regular collaboration and coordination. We operated with full transparency and close collaboration with DoD Agency stakeholders, providing a Weekly Status Update Report on tasks, activities, and issues being worked.
Manage compliance and risk assessments with IPKeys
IPKeys offers a unified, AI-fueled RMF automation analytics and reporting platform known as IPKeys Cyber-Lab-as-a-Service (CLaaS). Utilizing IPKeys CLaaS will reduce your agency’s exposure to cybersecurity-related compliance risks while minimizing the effort required to conduct risk assessments.
Advanced Analytics
Cybersecurity generates an incredibly large amount of information that can easily become overwhelming to manage. IPKeys collects, organizes, and presents this information in a clear actionable way through well-organized dashboards.
Customizable alert thresholds
Cybersecurity events can move fast, and if you’re not actively monitoring threatsthreats, it can be easy to miss critical events. With IPKeys CLaaS, you can set optimal thresholds within your agency for effective monitoring and alerts.
More than just Reporting
Taking the right action on the information you have is the most important capability in a cybersecurity program. With IPKeys CLaaS, you can automatically generate action plans (e.g. POA&Ms) and calculate rough order of magnitude (ROM) impact to mitigate vulnerabilities.
For more information, visit: https://ipkeys.com/products/cybersecurity-analytics-platform