Research Highlight

CSAT Researchers Design New Compliance Tool

Computer Science and Mathematics Division (CSMD), ORNL

Achievement
In June 2022, Chemical Security Assessment Tool (CSAT) Primary Systems Team members implemented the new STIG Compliance Tool (SCT), which the team designed to automate Oracle database compliance with the Security Technical Implementation Guide (STIG) standards by documenting and continuously monitoring that compliance.

The SCT provides the following features:

  • Continuous monitoring to detect baseline STIG changes.
  • Reduced database administrator and cybersecurity compliance officer labor.
  • Transparency across different functional areas (e.g., system, application, and security).
  • Consistent application of STIG requirements across multiple platforms and systems.
  • Decreased burden of artifact production during system certification (e.g., Authority to Operate and re-certification).
  • On-demand STIG checklist generation.

CSAT Data Engineers Todd Thomas and Steve Ping and Software Engineer Pia Mutia further enhanced the system's utility by adding automated metadata population for individual systems, creating a configuration table for database attributes, and increasing the number of automated STIG rule checks. Front-end usability is being developed to further enhance the tool's capabilities.
The STIG rules, supplied by the US Department of Defense for government enclaves, are used as compliance standards to combat the increased capabilities of bad actors attempting to gain access to sensitive information or disrupt critical systems.
CSAT is an essential element in the US Department of Homeland Security's implementation of the Chemical Facility Anti-Terrorism Standards, helping protect the nation's critical infrastructure in the chemical sector from acts of terrorism.

Sponsor:
U.S. Department of Homeland Security (DHS)

Facilities:
Center for Infrastructure Security Analysis (CISA)

Organization:
Center for Infrastructure Security Analysis (CISA)