Cloud Engineering
Communications & Media

NIST 800-171: Automated Compliance

Trility’s client needed to meet NIST 800-171 requirements for key government contracts. Our team helped research and implement Aqua Security’s tfsec, a static analysis security scanner for Terraform Infrastructure as Code (IaC). The solution identifies non-compliance and integrates with a third-party solution to remediate issues prior to deploying to production.

Problem Statement

To meet requirements for government contracts, this client needed to implement NIST 800-171 across specific AWS accounts. The client set a deadline to achieve 95% compliance as measured by a third-party security scanning and auto-remediation tool. Trility had previously helped this client build a custom tiered solution that managed accounts based on their security levels, and this effort would add 200 more controls to it.

Solution Approach

The Trility team worked with the client’s architecture team to research compliance tools, develop and demo a Proof of Concept, and select and implement Aqua Security’s tfsec. This static analysis security scanner identifies non-compliant Terraform code as a gate in the pipeline, before anything is deployed, and gives developers the opportunity to resolve the issue before it reaches production.

During the implementation of tfsec, Trility ensured that more than 200 NIST policies from the client’s AWS governance were covered by tfsec checks, via Aqua Security’s defsec, the open source rules library behind tfsec. Once the tfsec compliance gate was in the pipeline, Trility focused on remediating the High and Medium alerts and provided recommendations for avoiding new alerts so the client could maintain a “Stay Well” state.
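As an added example (not Trility’s or the client’s code, and not part of tfsec itself), the following POSIX shell script shows the shape of the compliance gate described above, as a job a GitLab runner could execute: it invokes tfsec in JSON mode, counts findings at or above a chosen severity, prints a per-rule summary that can be kept as evidence, and fails the job when anything remains. The `--format json`, `--soft-fail`, `--minimum-severity` and `--out` flags are tfsec’s own; the severity ranking, the function names and the sample report embedded at the bottom are assumptions made for this example, and the sample’s rule IDs are illustrative rather than real scanner output.

```shell
#!/bin/sh
# tfsec_gate.sh: pipeline compliance gate around tfsec.
# Added example, not Trility's, the client's or Aqua Security's code.
# Assumes tfsec is on PATH in the CI runner and that its "--format json"
# report is an object with a "results" array whose entries carry
# "severity", "long_id" and "resource" fields.
set -eu

# Severity rank used for "at or above" comparisons; unknown strings rank 0.
sev_rank() {
  case "$1" in
    CRITICAL) echo 4 ;;
    HIGH)     echo 3 ;;
    MEDIUM)   echo 2 ;;
    LOW)      echo 1 ;;
    *)        echo 0 ;;
  esac
}

# count_findings REPORT MIN_SEVERITY
# Counts results in a tfsec JSON report at or above MIN_SEVERITY.
# tfsec pretty-prints the report, so optional whitespace after the colon
# is allowed; "|| true" keeps an empty report from tripping "set -e".
count_findings() {
  report=$1
  min=$(sev_rank "$2")
  n=0
  sevs=$(grep -oE '"severity": *"[A-Z]+"' "$report" \
         | sed 's/.*"\([A-Z]*\)"$/\1/' || true)
  for sev in $sevs; do
    if [ "$(sev_rank "$sev")" -ge "$min" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# rule_counts REPORT
# Prints "<count> <long_id>" per rule, the summary kept as compliance evidence.
rule_counts() {
  grep -oE '"long_id": *"[^"]+"' "$1" \
    | sed 's/.*"\([^"]*\)"$/\1/' | sort | uniq -c || true
}

# gate TF_DIR [MIN_SEVERITY] [REPORT]
# Runs tfsec, keeps the report as a job artifact, and returns 1 (job fails)
# when any finding is at or above MIN_SEVERITY, else 0.
gate() {
  tf_dir=$1; min=${2:-MEDIUM}; report=${3:-tfsec-report.json}
  # --soft-fail: tfsec exits 0 so this script decides the job's outcome.
  # --minimum-severity: findings below the gate level stay out of the report.
  tfsec "$tf_dir" --format json --soft-fail \
        --minimum-severity "$min" --out "$report" >/dev/null
  n=$(count_findings "$report" "$min")
  if [ "$n" -gt 0 ]; then
    echo "tfsec gate: $n finding(s) at severity >= $min in $tf_dir" >&2
    rule_counts "$report" >&2
    return 1
  fi
  echo "tfsec gate: no findings at severity >= $min in $tf_dir"
}

# Constructed sample report in tfsec's JSON layout (NOT real scanner output;
# the rule IDs are illustrative) so the counting logic can be exercised
# without a Terraform tree or tfsec installed.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
{
  "results": [
    { "long_id": "aws-s3-enable-bucket-logging",    "severity": "LOW",      "resource": "aws_s3_bucket.logs" },
    { "long_id": "aws-s3-enable-bucket-encryption", "severity": "HIGH",     "resource": "aws_s3_bucket.logs" },
    { "long_id": "aws-ec2-no-public-ingress-sgr",   "severity": "CRITICAL", "resource": "aws_security_group_rule.ssh" },
    { "long_id": "aws-iam-no-policy-wildcards",     "severity": "HIGH",     "resource": "aws_iam_policy.admin" }
  ]
}
EOF

# Real use: ./tfsec_gate.sh path/to/terraform [MEDIUM|HIGH|CRITICAL]
if [ $# -gt 0 ] && command -v tfsec >/dev/null 2>&1; then
  gate "$1" "${2:-MEDIUM}"
else
  echo "sample report: $(count_findings "$SAMPLE_REPORT" MEDIUM) finding(s) at >= MEDIUM"
fi
```

In a GitLab job, the report file named in the `--out` flag would be declared as an artifact so the evidence survives the pipeline; the gate returns non-zero before any `terraform apply` stage can run.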

During this project, the Trility team also contributed to Aqua Security’s defsec, the open source rules library that tfsec uses.

Outcomes

The client met government requirements for NIST 800-171 across the specified AWS accounts by identifying non-compliance prior to deployment. Trility provided test procedures that validate the controls and produce evidence that they are in use, and held knowledge transfer sessions to hand operations off to the client’s stakeholders.

Remediation of key findings was also performed. It covered alerts on EC2 instances, S3 buckets, IAM, security groups and network resources, and all High and Medium policy alerts in the path-to-production accounts. The team also remediated findings for GitLab and Artifactory in those accounts.

Additional deliverables included:

  • Built a tfsec installation module so the scanner is readily available, easy to use, and easy for developers to adopt

  • Supported compliance by adjusting Terraform code through pair programming with the client’s developers

  • Deployed KeyGen services that prevent the creation of any new IAM-related alerts

Project Attributes

  • Reduced COO
  • Reduced Risk
  • Increased Automation
  • Increased Security
  • Verifiable Compliance
  • Documentation

Technologies Used

  • Terraform
  • Aqua Security tfsec
  • Prisma
  • KeyGen