© Kinney Group, Inc. 2021
Automating STIG Compliance and Reporting
March 2021
Why this Framework was Developed
Identifying a need for a Puppet compliance-as-code standard
• KGI has been developing automation solutions for Federal customers for many years, where STIG-compliant systems are mandated
• There is no consistent framework for implementing compliance-based Puppet code
• Most customers implement it poorly or are not equipped with the appropriate knowledge of Puppet best practices
• Ongoing maintenance of compliance code is time consuming for most customers
• Having a third party develop and maintain compliance remediation content reduces the risk when Puppet expertise moves on
Standardization of Compliance-Based Puppet Code
Lessons that shaped the KGI Framework
• Puppet modules must be well documented
• Centralize code in purpose-built modules that can be quickly implemented
• Enforcement can be toggled on/off at the vulnerability level
• Leverage PuppetDB to store supporting compliance data
• Compliance modules must be data driven to allow customizable behavior
• Should not preclude the management of non-compliance system components
Typical Challenges
Challenges we’ve encountered over the years
• One module to manage all STIG vulnerabilities can conflict with existing Puppet modules
• Customers don’t want to pay for development of remediation content; they want to pay us to integrate and implement it
• Integrating STIG modules efficiently requires some knowledge and expertise
• Customers struggle to keep compliance modules current after we leave (and revert to manual bad habits)
Additional Benefits/Capabilities
• Automated STIG Checklist Generator using PuppetDB
• Future: Plans and Tasks for PE integration
• Future: Splunk Compliance App using PuppetDB
Practical Implementation Experience
• U.S. Army – INSCOM
• U.S. Air Force – AFRL and STRATCOM
• U.S. Marine Corps – Technical Services Organization
• Indiana Army National Guard – Indiana Intelligence Center
• State of Indiana – Indiana Office of Technology
KGI compliance-as-code approach