One of the greatest challenges to security compliance are exception cases. What are exception cases? They are the cases in which a particular compliance objective cannot be achieved, as required. The reasons are myriad: cost, environmental constraints, vendor dependency, and technical limitations. Building an exception case is key to achieving compliance objectives, such as an authorization to operate. The pre-requisite to exception cases is transparency. An organization must transparently articulate the need for an exception. Understanding exceptions is important for fully understanding the risk present within an environment or system.

Today’s guest is John Santore, Director of the FedRAMP Capability at Kratos. John and I dive deep into the specifics of the exception cases, including justification, compensating controls, and fallback plans, and the important role each plays in determining the viability and permissibility of exceptions. Using exception cases as a launching point, we also discuss the need to move beyond compliance as an exercise and toward maturity built into cybersecurity practices. Finally, we veer left a bit for a discussion on the recently-released DoD FedRAMP Equivalency Memo.