FedRAMP and FIPS 140-2 Compliance Scorecards Help Achieve Tight Goal

Find out how an AI Data Management company used IDP Scorecards to rapidly achieve FIPS 140-2 and FedRAMP compliance

Industry
Software and Services
Locations
Americas

About

An AI data management company faced critical penalties if it did not achieve FedRAMP authorization, which required FIPS 140-2 compliance visibility within a month, followed by a very short window for remediation. Missing the deadline put millions of dollars at stake for the company.

For every one of its software services, written in Go, Python, Node.js, and Java, the company had to be able to prove FedRAMP compliance against criteria such as:

- Cryptographic libraries compliant with FIPS 140-2  

- Multiple Dockerfile compliance checks  

- CVE warnings and failures identified and resolved

Here's how Harness IDP stepped in to help

Scorecard Visibility and Prioritization

The company used the Harness IDP catalog to gain visibility into its services and their compliance status. The scorecard visualizations highlighted problem areas, which helped the teams prioritize their efforts. The team lead reviewed the admin report weekly to identify and resolve scorecard violations.

Tackling FIPS 140-2 Compliance Violations Cost-Effectively

Harness IDP enabled the company to decide quickly, service by service, whether to remediate FIPS violations in house or to invest in compliant base images from Chainguard. Patching base images for multiple languages (Python, Node.js, and others) would have been extensive work, so for images with too many FIPS violations to fix themselves they purchased Chainguard images that guaranteed compliance. The scorecards made it clear where the violation count was high enough that buying images was the better use of the money.
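As an added illustration (not Harness IDP's own code, and not the company's actual scorecard definitions), the following Python script shows what a scorecard check of the kind described above can look like. It encodes two of the criteria from the list earlier on this page as concrete rules, a base image drawn from a FIPS-compliant allowlist and basic Dockerfile hygiene (digest-pinned images, non-root final stage), scores three constructed Dockerfiles, and then applies the remediate-or-replace triage this section describes. The allowlist prefix `cgr.dev/chainguard/`, the violation threshold, the placeholder digest, and the three sample Dockerfiles are assumptions made for the example.

```python
"""Illustrative scorecard check for Dockerfile FIPS criteria (example code, not Harness IDP)."""
import re
from dataclasses import dataclass, field

# Assumption for this example: base images under this registry prefix are treated as
# FIPS-validated. A real allowlist would come from the team's vendor agreement.
APPROVED_BASE_PREFIXES = ("cgr.dev/chainguard/",)

# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?",
    re.IGNORECASE | re.MULTILINE,
)
USER_RE = re.compile(r"^\s*USER\s+(?P<user>\S+)", re.IGNORECASE | re.MULTILINE)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


@dataclass
class Scorecard:
    service: str
    violations: list[str] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.violations


def check_dockerfile(service: str, dockerfile: str) -> Scorecard:
    """Score one service's Dockerfile against the allowlist and hygiene rules."""
    card = Scorecard(service)
    stages: set[str] = set()
    images: list[str] = []
    for m in FROM_RE.finditer(dockerfile):
        if m.group("stage"):
            stages.add(m.group("stage").lower())
        images.append(m.group("image"))
    # A FROM that names an earlier build stage (FROM build) pulls no image; skip it.
    external = [img for img in images if img.lower() not in stages]
    if not external:
        card.violations.append("no FROM instruction found")
        return card
    for img in external:
        if not img.startswith(APPROVED_BASE_PREFIXES):
            card.violations.append(f"base image {img} is not on the FIPS-compliant allowlist")
        if not DIGEST_RE.search(img):
            card.violations.append(f"base image {img} is not pinned by digest")
    # The last USER directive decides which account the final stage runs as.
    users = USER_RE.findall(dockerfile)
    if not users or users[-1] in ("root", "0"):
        card.violations.append("final stage runs as root")
    return card


def triage(cards: list[Scorecard], max_self_fix: int) -> dict[str, list[str]]:
    """Split services into compliant, worth patching in place, and replace-the-base-image."""
    plan: dict[str, list[str]] = {"compliant": [], "remediate": [], "replace_base_image": []}
    for card in cards:
        if card.passed:
            plan["compliant"].append(card.service)
        elif len(card.violations) <= max_self_fix:
            plan["remediate"].append(card.service)
        else:
            plan["replace_base_image"].append(card.service)
    return plan


# Constructed sample input: three services in different languages, one placeholder digest.
DIGEST = "0123456789abcdef" * 4  # not a real image digest
SAMPLE_DOCKERFILES = {
    "go-api": f"""FROM cgr.dev/chainguard/go:latest AS build
WORKDIR /src
COPY . .
RUN go build -o /app .
FROM cgr.dev/chainguard/static:latest@sha256:{DIGEST}
COPY --from=build /app /app
USER 65532
ENTRYPOINT ["/app"]
""",
    "py-worker": """FROM python:3.12-slim
COPY . /app
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/worker.py"]
""",
    "node-web": f"""FROM cgr.dev/chainguard/node:latest@sha256:{DIGEST}
COPY --chown=node:node . /app
USER node
CMD ["node", "/app/server.js"]
""",
}


def run_all() -> list[Scorecard]:
    return [check_dockerfile(name, text) for name, text in SAMPLE_DOCKERFILES.items()]


if __name__ == "__main__":
    cards = run_all()
    for card in cards:
        print(card.service, "PASS" if card.passed else "FAIL", card.violations)
    # Assumed threshold: up to one violation is cheap to fix in place, more means swap the image.
    print(triage(cards, max_self_fix=1))
```

With the threshold of one self-fixable violation, the Go service (unpinned builder image) lands in `remediate`, the Python worker (unapproved, unpinned, root) lands in `replace_base_image`, and the Node service passes; that per-service split is the decision the scorecards surfaced for the team.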

Cost-justification & Validation

These images cost $35k per image per year, so FIPS compliance through Chainguard was a significant outlay. With Harness IDP, the company could justify the expense and validate that it was actually receiving updates from Chainguard.

Continuous Monitoring for Proactive FIPS 140-2 Compliance

Harness IDP continuously monitors for compliance. The company plans to proactively block FIPS violations during the development cycle. New services are onboarded into IDP and monitored automatically.

Streamlining Multi-Language Software Compliance with Harness IDP

Ultimately, Harness IDP made it possible for the company to achieve FIPS compliance within the tight timeframe, something it believed would have been impossible otherwise. The platform provided the visibility, prioritization, and continuous monitoring needed to meet the stringent requirements and avert significant financial risk.

Next Steps

Next steps are to use OPA (Open Policy Agent) to block non-compliant deployments. Initial detractors are becoming champions of Harness IDP, and other teams are now interested in using workflows after seeing its value.
