IT security teams, particularly those focused on compliance, often find themselves caught in a cycle of drama. The more convoluted and obscure the processes become, the louder the applause seems to get. Every few years, someone emerges with a bold rallying cry, urging the industry to “burn it all down and start fresh.”
However, let us be clear: simply dismantling the existing system does not solve the underlying issues. The true problem lies not with any specific framework but with the lackluster assessments we burden our best people with. These assessments often consume weeks, cost significant resources, and yield outdated, unreadable reports.
The real antagonist here is the mountain of irrelevant documentation disguised as valuable insight. We are often left with screenshots that expire the moment they are printed or “evidence packages” that are outdated before they even make it to the auditor's desk. It feels like we are trapped in a Shakespearean tragedy where the props are fake, the dialogue is stale, and applause continues while the real issues smolder in the background.
Traditional assessments tend to repeat the same old scripts: lengthy narrative “implementation statements” produced by those not involved in engineering, highly skilled engineers reduced to mere clerks for screenshots, and ultimately, a collection of documents sent to auditors with fingers crossed that no one notices the outdated evidence. Passing an audit in January tells you nothing significant about your security posture in March.
The General Services Administration (GSA) sought to break this cycle with the FedRAMP 20x pilot, an initiative aimed at bringing compliance into the modern age. The goals of this pilot included:
- Automating checks to relieve teams from the exhausting chase for artifacts.
- Reusing effective commercial practices instead of reinventing the wheel within government.
- Shifting from static snapshots to continuous, data-driven proof of compliance.
- Establishing direct trust between agencies and providers, eliminating the need for a middleman.
- Preventing innovation from being stifled just to meet audit schedules.
The industry should not merely nod in agreement; it should actively engage. It is time to discard the outdated scripts and embrace a new paradigm: real-time, query-driven compliance.
The Problem: Reliance on Screenshots
The conventional approach to “evidence” is often performative. Auditors provide generic checklists, prompting system owners to scramble for artifacts like policy PDFs, console exports, and the ever-popular screenshot. An engineer must pause their real work, configure the ideal view, capture what they call “Figure 12.1 MFA Enabled,” and repeat this tedious task countless times.
This process is slow, prone to errors, and drains valuable time from service teams, creating a false sense of security. In an environment where infrastructure can change by the hour, relying on screenshots for compliance is akin to checking a MySpace profile to gauge social relevance. It may technically exist, but in practice, it is just as outdated as the day it was created.
A New Model: Trust the Query
With the 20x initiative as a catalyst, security teams can reinvent their approach. Instead of crafting elaborate narratives about “disks encrypted with customer-managed keys,” they can query the platform directly: “List every disk and its encryption status.” The system provides immediate, unbiased answers. Here’s the framework at a glance:
- Query layer: Transform cloud and SaaS APIs into tables for direct querying. Need to find out which Okta users lack MFA? Just query it. Curious about which repositories lack branch protections? Query it. Want to know which buckets are public? Query it.
- Orchestration layer: Define controls as code and execute them in bulk. Each control acts as a check, and a collection of checks forms a benchmark.
By integrating these layers, FedRAMP’s Key Security Indicators (KSIs) can become actionable. Instead of a binder filled with screenshots, auditors can be presented with a dashboard featuring live, drill-down results. Imagine being an assessor receiving structured, useful data rather than a cumbersome PDF document.
How It Works: Compliance as Code
In this new approach, every control becomes a declarative rule accompanied by a query.
- Old way: “We use customer-managed keys.” (Possibly.)
- New way: A real-time query checks every disk. If any are not CMK-encrypted, the control fails. Engineers then decide if the situation is intentional; if not, they correct it. Simple as that.
Since controls are maintained in source control, they are versioned, peer-reviewed, and repeatable. When requirements shift, updating the query and rerunning it is all it takes. This model extends far beyond cloud configurations; any service with an API can evolve into a living Configuration Management Database (CMDB) that can be interrogated on demand.
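As an added example (not code from the original article, FedRAMP or GSA), the query and orchestration layers and the CMK disk control described above, in Python: a constructed disk and repository inventory is loaded into in-memory SQLite to stand in for the query layer, and each control is a declarative record carrying the query that returns its violations. Table names, column names and sample values are assumptions.

```python
import sqlite3

# Constructed sample inventory standing in for the "query layer": a cloud
# API's disk listing and a Git host's repo listing flattened into tables.
SAMPLE_DISKS = [
    ("disk-a", "cmk", "key/constructed-cmk-1"),
    ("disk-b", "platform", None),          # provider-managed key, not CMK
    ("disk-c", "cmk", "key/constructed-cmk-1"),
    ("disk-d", "none", None),              # unencrypted
]
SAMPLE_REPOS = [("api", 1), ("web", 0), ("infra", 1)]


def build_inventory() -> sqlite3.Connection:
    """Load the constructed inventory into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE disk (id TEXT, encryption TEXT, kms_key TEXT)")
    conn.execute("CREATE TABLE repo (name TEXT, branch_protection INTEGER)")
    conn.executemany("INSERT INTO disk VALUES (?, ?, ?)", SAMPLE_DISKS)
    conn.executemany("INSERT INTO repo VALUES (?, ?)", SAMPLE_REPOS)
    return conn


# Orchestration layer: a control is a rule plus the query that lists its
# violations. An empty result set means the control passes; anything
# returned is a finding an engineer must either justify or fix.
CONTROLS = [
    {"id": "disk-cmk",
     "title": "All disks encrypted with customer-managed keys",
     "query": "SELECT id FROM disk WHERE encryption != 'cmk' "
              "OR kms_key IS NULL ORDER BY id"},
    {"id": "repo-branch-protection",
     "title": "All repositories enforce branch protection",
     "query": "SELECT name FROM repo WHERE branch_protection = 0 ORDER BY name"},
]


def run_control(conn: sqlite3.Connection, control: dict) -> dict:
    """Execute one control's query; the rows returned are the findings."""
    findings = [row[0] for row in conn.execute(control["query"])]
    return {"id": control["id"], "passed": not findings, "findings": findings}


def run_benchmark(conn: sqlite3.Connection, controls=CONTROLS) -> list:
    """A benchmark is just the collection of checks run in bulk."""
    return [run_control(conn, c) for c in controls]


if __name__ == "__main__":
    for r in run_benchmark(build_inventory()):
        print("PASS" if r["passed"] else "FAIL", r["id"], r["findings"])
```

Because the controls live in source control, changing a requirement means editing a query string and rerunning the benchmark rather than regenerating screenshots.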
From Paperwork to Continuous Trust
FedRAMP 20x offers a preview of the inevitable future of compliance. Current practices, heavily reliant on paperwork, struggle to keep pace with emerging threats and can even undermine security by diverting resources toward mere performance instead of genuine protection.
Compliance is increasingly becoming a data discipline characterized by continuous checks, automated validation, and evidence derived from the actual operational state of the system. This approach is applicable beyond FedRAMP. Any framework, whether governmental or commercial, that requires proof of implementation can benefit from this method. Controls transform into queries, and queries evolve into ongoing evidence. Auditors become validators of automation, rather than merely chasing artifacts.
The core message is clear: compliance should not be a theatrical performance; it should be an engineering discipline. A query-driven model enables continuous compliance, delivering results faster, more cost-effectively, and with greater trust. The future is poised to be query-driven, automated, and continuous. It is time to stop romanticizing outdated tragedies and focus on producing a system that genuinely protects our assets.