Ever-growing threats necessitate scrupulous cybersecurity across government.
Recognizing this truth, the White House appointed the first federal CISO in September as part of its Cybersecurity National Action Plan. The administration also set goals to improve IT governance models, specifically to ensure feds maintain cybersecurity practices as part of all IT development work.
Individual agencies, such as the Commerce Department, have similar aims to reboot their governance procedures.
“We are now moving toward a more automated approach that allows not only for a more real-time assessment, but also provides us with indicators of a bureau’s future ability to address cybersecurity vulnerabilities,” Commerce CISO Rod Turk explains. “Our efforts are designed to move toward a service-oriented process and away from a strict compliance or ‘gotcha’ mentality.”
The push comes after Commerce’s Office of Cyber Security reviewed the department’s compliance and assurance procedures and deemed them antiquated.
After all, IT governance approaches that are both out of date and out of touch with today’s technologies can create major challenges for federal agencies, particularly when it comes to the cloud.
Balancing Benefits of Cloud with Compliance
As the private sector has proved, cloud computing has the power to transform workflows.
A 2015 MeriTalk report found that federal IT decision-makers have grown increasingly optimistic about what the cloud can do for their agencies in the next five years; they cite cost savings and flexibility gains as their top two motivations for making the switch.
Alex Rossino, senior principal research analyst at Deltek’s GovWin, says cloud computing can also make government agencies more agile but warns that unsanctioned use creates difficulties for IT.
Increased vulnerability stands as a top concern for all agencies, although responses to the problem vary.
“What the Department of Defense is finding is that it’s better to build applications for the cloud from the ground up rather than lift current apps and shift them into the cloud,” Rossino says. “This approach eliminates the need to deal with shadow IT.”
At the Commerce Department, Turk and his team have chosen to address the issue another way: by bringing shadow applications into the light.
“We are assessing cloud-based tools to provide our bureau customers with an assessment service that could be used to authorize those tools for bureau use,” he says. “Our current portfolio includes five such assessments.”
Evaluating Cloud Risks
Choosing the right tools requires more than just thinking about security. Turk recommends that, when selecting a cloud-based service, CISOs “size the issue” by creating a case-by-case governance strategy.
“It should be a risk-based decision on individual cloud instances, taking a look at what those risks might be,” he says. “Frankly, you also have to consider the functional requirements of the bureaus and agencies that want to invest in the cloud tools.”
In the end — at least in the federal world, Turk says — the responsibility for the security and compliance of each cloud instance belongs to the individual who signs the authority to operate.
“You have to be comfortable with the risks presented and come to an agreement of whether a cloud-based tool is a risk that’s acceptable,” he says.