Onyx Point, Inc., a privately held company headquartered outside of Washington, DC, is focused on open source DevOps technologies, with a particular emphasis on IT security compliance automation. Therefore, when the nearby National Security Agency (NSA) contributed an internal R&D project with a focus on compliance automation, System Integrity Management Platform (SIMP), to the open source community, it made sense that Onyx Point receive the first Cooperative Research and Development Agreement (CRADA) from the NSA for SIMP Open Source Stewardship.
“The future of compliance automation is a problem for us all to tackle together,” stated Trevor Vaughan, co-founder and CIO of Onyx Point, Inc. Today, Vaughan is the technical lead of the SIMP open source project. He believes that the combination of infrastructure automation with well-defined security controls is the best recipe for success as core technology stacks continue to expand. Since its origin in 2009, the project has graduated from a research project to a mature compliance automation framework that aligns with a host of National Institute of Standards and Technology (NIST) Special Publications, such as NIST SP 800-53, and related industry regulations (e.g., HIPAA, PCI-DSS, SOX). Likewise, the SIMP open source community has expanded to include members from inside and outside of government and from around the world.
Over time, organizations began requesting DevOps-related consulting services from the Onyx Point engineering team.
In the public sector, adherence to the NIST Special Publication security standards is the rule. In particular, practical system configuration in accordance with NIST’s Risk Management Framework (RMF) is promoted through the use of SIMP and complementary technologies. Additionally, the Onyx Point engineering team is encouraged to provide direct feedback to the regulatory governance bodies in order to promote changes that reflect the practical reality of operational system capabilities and requirements.
Likewise, in the private sector, the same technologies and practices can be readily adjusted to meet a wide variety of industry regulations, including those prominent in the financial, insurance, and healthcare sectors. In both cases, Onyx Point promotes a collaborative, educated approach to the system as a whole, centered on team education and strong promotion of open standards.
Trevor and the Onyx Point engineering team have been encouraged by the interest in compliance they’ve encountered during most customer engagements. Still, Trevor notes that “As a general rule, when arriving at a customer site there is almost always a lack of workflow coordination and full stack automation across production systems.” One of Onyx Point’s primary goals is that they leave clients with a greatly increased understanding of how to break down and coordinate targeted system activities, how to automatically validate that their system is going to deploy correctly, and how to successfully navigate infrastructure as code at scale. Vaughan believes that “Customers should gain an understanding of how to apply internal and external policy requirements in a traceable, repeatable, and demonstrable manner.”