Companies need to continuously monitor and update how they meet regulatory frameworks like CMMC to address emerging threats, Splunk cyber expert recommends.
Dan Burns remembers asking one of the top engineers at Splunk several years ago about the idea of compliance, knowing full well that most engineers have a reputation for not loving the concept or the people who oversee the requirements.
Burns, compliance senior manager for global technical interlock at Splunk, said it’s easy to understand why there is an uneasiness between the two camps.
“One of the things I took away from him when I asked him, ‘Hey, do you think FedRAMP has actually helped us in terms of delivering a secure solution to customers?’ He’s like, ‘I think it’s really helped the whole company to be honest. We’ve been able to strategize better. We’ve been able to document better. We have a better documented process for how we deliver these solutions, and so we have a repeatable process too,’ ” Burns said during Federal News Network’s Risk & Compliance Exchange 2024.
“No one’s going to stay at your company forever and when you have someone leave, that’s sometimes the biggest issue for some customers — and defense industrial base members as well too. You need to figure out how to make sure these controls that you need in place whether for the Cybersecurity Maturity Model Certification or FedRAMP are based on repeatable processes so that people who come in can make sure that you maintain that compliance. Documentation is the key to that, making sure you have run books, making sure you address all of your controls, whether it be in policies and procedures — however you may do it.”
Those repeatable and standardized processes, and the related documentation, underlie how organizations achieve success no matter the regulatory framework.
Whether it’s the cloud security program known as FedRAMP, CMMC or the National Institute of Standards and Technology Special Publication 800-171, government contractors can’t look at these as one-and-done or set-it-and-forget-it projects.
Burns said all of these compliance regimes must be continuously monitored and updated to address emerging threats.
“There is supposed to be improvement on those processes over time,” he said, adding that ensuring that improvement requires both smart scoping and good documentation.
“They really go hand-in-hand, is scoping. Scoping is so important for our customers,” Burns said. “It’s understanding where your data flows and how that’s managed, and also what services are responsible for managing that data. Your scope doesn’t just include where your data is stored and processed. It includes items that are fulfilling your CMMC requirements, that are administering to that environment, that is holding that CMMC data as well too.”
Together, scoping and documentation establish the foundation for putting a repeatable process in place — something Burns acknowledged he himself had struggled with as an advisor.
But a repeatable process gives federal and private sector customers confidence that they are protecting their data and systems.
He said the growing acceptance of the use of cloud services that are certified FedRAMP High is an example of this happening across government.
“Over time, what was realized was, ‘Hey, this is a really successful program. I’m really liking how we’re able to see our plans of actions and milestones from our various vendors, the cloud service providers and really be able to make a risk-based determination in terms of, should I be able to use this product or not? Or maybe I will wait for them to remediate certain things first,’ ” Burns said. “It helps set a bar in terms of comparing yourself to other vendors as well. That’s been a very much welcome trend in terms of government being more at ease with using, storing and processing data at the high impact level in a cloud environment.”
Copyright © 2024 Federal News Network. All rights reserved.
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.