Government institutions are seeing digital transformation at an unprecedented scale, but those changes come at the price of ever-evolving security risks.
Agencies regularly undergo massive efforts to keep pace with the available commercial tools and operational changes to gain increased effectiveness while reducing costs and making more informed decisions.
The Federal Risk and Authorization Management Program, and the high availability of cloud services that offer increased value, have led to the creation of a different modus operandi.
The adoption of cloud computing and the Internet of Things have disrupted the idea of defense-in-depth and perimeter security. To stop attackers from siphoning data and assets, or inserting falsified or misperceived information, agencies must closely monitor all facets surrounding connection points.
Cloud, IoT Force a Rethinking
The Einstein program and the Department of Homeland Security's Trusted Internet Connections Reference Architecture will reduce direct attacks, but agencies still need to protect against indirect or third-party attacks.
From a governance perspective, the first level of focus must be ongoing risk assessments and regular reviews of security agreements with partners and suppliers, along with ensuring compliance with documented policies.
As the Internet of Things and cloud computing drive a more dynamic and interconnected technology environment, agencies must go beyond the traditional frameworks, such as the Federal Information Security Management Act (FISMA), which doesn’t tackle the security requirements necessary for these technology environments.
Newer technologies, such as cloud computing and IoT, along with programs such as bring-your-own-device, have led to siloed account management practices. These overlook factors such as connected personal devices, unknown social media usage and sensor reporting.
Government leaders need to outline new processes for authorizing digital identities for individuals or devices across different platforms so partner agencies can better understand access in the context of each user and technology.
The government has redefined how it protects controlled, but unclassified information (CUI) from the federal contractor community. Effectively managing CUI and ensuring compliance requires some of the preplanning and process changes already discussed above.
New aspects of reviewing and continuously improving training and awareness, risk assessments, auditing and accountability, and incident response communications need to become standard contractual requirements. For many agencies, that will require further research and an understanding of how the basic requirements were derived.
A Changing Environment
The first step in tackling CUI compliance is to prioritize relevant risks. Agencies can’t take an all or nothing mentality. Compliance isn’t security, and security isn’t compliance. Rather than claiming one or the other, government cybersecurity leaders should use the NIST and FISMA guidelines, and then align specific security controls based on risks.
Many governance, risk and compliance tools focus on mitigating reported risks instead of tackling them in real time. In-the-trench risks will be what IT leaders see exclusively from now on.
To protect CUI, agencies and federal contractors will need to build out a prioritized plan of action. It’s obvious but not simple that collaboration is necessary to improve security and establish more effective governance. n