Select Page

Contact Us

Get in Touch

Contact us for a free 30 minute consultation. We are in the Washington DC metro area and available virtually to all other geographies. International business welcome!

571-406-4732

service@rufrisk.com

Dulles, VA

Ruf Risk on LinkedIn

What services are you interested in?

7 + 12 =

Want a 10% Comission?

Connect Ruf Risk with new business and receive a 10% commission on the first six months of revenue.  

 

MAKE A REFERRAL

Frequently Asked Questions

What is Continuous Authorization to Operate (cATO), Continuous Authorization, Continuous Assessment, or Continuous Compliance?

These are similar terms with nuanced differences in meaning. What they have in common is the use of automation to continuously monitor a system with the goal of detecting any changes that would bring the system out of compliance.

Achieving this requires a holistic approach to documenting the system’s security controls accurately and managing the system’s configuration through configuration management and predictable deployment mechanisms. Most organizations need to take an incremental approach to achieve this goal.

If you would like a fixed-price analysis and recommendations, contact us for a free 30-minute consultation and quote.

Where is the best place to start with cybersecurity automation?

While the answer varies by organization, generally the best first step is to determine where the most friction exists in your current processes and identify which of those will most benefit from process improvement activities. FedRAMP-authorized systems often benefit from improvements to monthly Continuous Monitoring (ConMon) activities.

If you would like to discuss your cybersecurity goals and pain points, contact us for a free 30 minute consultation.

 

What is OSCAL and why is it important?

The Open Security Controls Assessment Language (OSCAL) was developed by the National Institute of Science and Technology (NIST) in cooperation with FedRAMP. OSCAL is an information exchange format designed to communicate control definitions, system implementations, assessment results and continuous monitoring of certification frameworks such as:

  • American Institute of Certified Public Accountants (AICPA) Systems and Organization Controls 2 (SOC 2)
  • US Federal Information System Modernization Act (FISMA) NIST SP 800-53 and Authorization to Operate (ATO) process
  • Cloud Security Alliance (CSA) Security, Trust Assurance and Risk (STAR)

OSCAL is public domain and intended to allow tools from different vendors and stakeholders to interoperate. While there have been other efforts to provide machine-readable capabilities for this goal, OSCAL stands out in several important ways:

  • OSCAL is designed with the entire lifecycle and all stakeholders in mind, where as prior solutions were focused on a portion of the lifecycle.
  • OSCAL is more granular and flexible, allowing organizations to determine the level of granularity appropriate for their needs, and move to greater granularity over time.
  • OSCAL is a formal standard from a recognized standards body.

If you would like to learn more about whether OSCAL is the right choice for your organization, contact us for a free 30 minute consultation.