An aerial view of NOAA's Consolidated Backup facility in Fairmont, W.Va. 

Aug 11 2017

Commerce Department Plans to Move Cybersecurity to the Cloud

The agency wants to get easier access to its cybersecurity monitoring environment and make changes more rapidly.

The Commerce Department wants to migrate three main cybersecurity programs to the cloud so that those security components can be run more efficiently.

The agency last month issued a request for information to industry on how it can best go about doing so. According to the RFI, the department wants to allow its CIO office to more easily get access and make changes to its cybersecurity monitoring environment.

Specifically, Commerce wants to move the applications and capabilities of its Enterprise Security Operations Center (ESOC), Enterprise Cybersecurity Monitoring and Operations (ECMO) and parts of its Continuous Diagnostic and Mitigation (CDM) program to the cloud. The environment will need to be at a high impact level from a cloud service provider approved by the General Services Administration’s Federal Risk and Authorization Management Program.

Gaining Flexibility to Manage Cybersecurity

ESOC is the principal security operations center for the agency, and it’s responsible for coordinating communication with the Department of Homeland Security, the U.S. Computer Emergency Readiness Team, the Office of Management and Budget and other agencies. ECMO fulfills an OMB requirement to continuously monitor security-related information from across the agency.

Currently, the programs are hosted in data centers and overseen by staff at two separate locations run by department components — ESOC at a National Oceanic and Atmospheric Administration facility in Fairmont, W.Va., and ECMO at a National Institute of Standards and Technology location in Germantown, Md.

However, because those facilities are focused on the responsibilities and priorities of NOAA and NIST, “they are not solely dedicated to responding to” the Commerce Department’s modifications, and agency staff cannot get access to make those changes, according to the RFI.

“This has resulted in delays in configuration requests and in implementing new functionality,” the RFI notes. “Additionally, bandwidth adequacy and scalability has impacted the ESOC’s capacity to quickly and efficiently analyze transmitted log data.”

CDM gives agencies capabilities and tools that provide network administrators with real-time information about the state of their networks in order to describe the relative risk of specific cybersecurity threats and make it possible for agencies to rapidly identify and mitigate vulnerabilities. Currently, the CDM program is funded by DHS, which manages CDM for the government. However, the RFI notes, Commerce is required to begin funding components of the CDM program in 2018 “and is considering migrating at least some of its storage and computing requirements to the cloud.”

Migrating ESOC, ECMO and some parts of its CDM toolsets will allow Commerce to improve its access and ability to make timely changes to its cybersecurity monitoring environment. “The cloud hosting environment would have the flexibility to easily scale in order to accommodate additional functionality and data log feeds as needed, and would offer a transparent pricing model to make costs predictable,” the RFI adds.

What Will a Cloud-Based Cybersecurity Environment Provide?

Commerce has some specific ideas in mind for what it wants a cloud provider to bring to the table by hosting its cybersecurity, according to the RFI.

The winning contractor will analyze the agency’s current hosting environments to determine the operating requirements of its current cybersecurity operations infrastructure. The winner will also recommend a cloud hosting architecture, considering the agency’s current and future cybersecurity operations capabilities.

Additionally, the cloud provider will, in consultation with the agency, develop a project plan and oversee the migration of Commerce’s cybersecurity applications and operations to the federal cloud.

Further, the cloud provider will “perform all necessary system security assessment and authorization activities” in accordance with the Federal Information Security Modernization Act of 2014, NIST Special Publications, the department’s Information Technology Security Program Policy, Commerce Information Technology Requirements and departmental policy memos.

To meet other security requirements, the cloud provider will need to collect all information required to conduct a supply chain risk assessment, provide ongoing maintenance and administration of the cloud hosting service, and help the agency develop a service-level agreement and appropriate metrics for cloud hosting availability, operations management and cost efficiency.

NOAA Satellites/Flickr
