To Block or Not to Block an App?
The Federal Information Technology Acquisition Reform Act (FITARA) gives agencies more of an incentive to manage shadow IT; to do well on the federal IT scorecard, agency CIOs must be in charge of the entire IT portfolio with oversight on budgets and prioritizing needs, Nelson says. In the past, each NRC program office managed its own IT budget.
“We do have a transparent process,” he says. “We allow our different missions or programs to participate in parts of the governance, but in the end, I make the decisions on what investments we make.”
The NRC uses numerous security tools to detect and prevent shadow IT, including endpoint security software on desktop computers, says Michael Lidell, NRC’s senior IT specialist in the security operations branch. Network monitoring tools detect unauthorized devices on the network and automatically assign them to the guest network.
At the internet layer, the agency uses application-aware firewalls and web proxies so that it can monitor cloud usage, he says.
Lidell’s team discovers and removes shadow IT every week, but it’s not always a cut-and-dried decision, he says. For example, NRC uses one particular cloud file-sharing service, but he sees employees using different ones because they share files with external business partners that have standardized on other services. The use cases determined to be business-related are permitted to continue.
“We think we should block that, but when we look at it further, they are collaborating with other agency partners,” Lidell says.
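The proxy-based discovery Lidell describes comes down to matching outbound web traffic against a catalogue of known cloud services, separating the sanctioned one from the rest, and then triaging the rest by business need instead of blocking on sight. The following is an added illustrative example, not code from the NRC or from this article: it parses a few constructed proxy log lines (squid-style fields, invented hostnames under `.example`), flags file-sharing services other than the sanctioned one, and attaches a disposition so that a partner-collaboration case already cleared by triage is reported as permitted rather than as a block candidate. The service catalogue, the sanctioned and business-justified sets, and the log format are all assumptions.

```python
"""Shadow-IT discovery over web proxy logs (illustrative example, not NRC code)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: "timestamp client_ip user method url status bytes".
# Hostnames are invented placeholders, not real services.
SAMPLE_PROXY_LOG = """\
1700000000.101 10.1.4.22 jdoe CONNECT files.sanctioned-share.example:443 200 5120
1700000000.204 10.1.4.22 jdoe GET https://files.sanctioned-share.example/upload 200 90210
1700000000.310 10.1.7.15 asmith CONNECT drive.partner-share.example:443 200 4096
1700000000.415 10.1.7.15 asmith GET https://drive.partner-share.example/api/files 200 1048576
1700000000.520 10.1.9.8 rlee CONNECT www.example-news.example:443 200 2048
1700000000.630 10.1.7.15 asmith POST https://drive.partner-share.example/api/upload 201 2097152
1700000000.700 10.1.2.3 mchen GET http://cdn.other-sync.example/sync 200 30000
"""

# Hypothetical catalogue: registered domain -> cloud file-sharing service name.
FILE_SHARING_SERVICES = {
    "sanctioned-share.example": "SanctionedShare",
    "partner-share.example": "PartnerShare",
    "other-sync.example": "OtherSync",
}
SANCTIONED = {"SanctionedShare"}          # the agency's own file-sharing service
BUSINESS_JUSTIFIED = {"PartnerShare"}     # cleared by triage (partner collaboration)
UPLOAD_METHODS = {"POST", "PUT"}


def host_of(url_field):
    """Extract the hostname from either a full URL or a CONNECT host:port field."""
    if "://" in url_field:
        return urlsplit(url_field).hostname or ""
    return url_field.rsplit(":", 1)[0]


def classify_host(host):
    """Return the catalogue service a host belongs to, or None if uncatalogued."""
    for domain, service in FILE_SHARING_SERVICES.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None


def parse_proxy_log(text):
    """Parse the 7-field sample format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, client, user, method, url, status, nbytes = parts
        records.append({
            "ts": float(ts), "client": client, "user": user,
            "method": method, "host": host_of(url),
            "status": int(status), "bytes": int(nbytes),
        })
    return records


def find_shadow_it(records):
    """Summarise use of non-sanctioned file-sharing services, with a disposition.

    Returns a list sorted by service name; each entry records the users seen,
    request and upload counts, and whether triage has already permitted it.
    """
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "uploads": 0})
    for rec in records:
        service = classify_host(rec["host"])
        if service is None or service in SANCTIONED:
            continue  # not file sharing, or the approved service: nothing to flag
        entry = usage[service]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["uploads"] += 1

    report = []
    for service, stats in sorted(usage.items()):
        disposition = ("permitted (business need)" if service in BUSINESS_JUSTIFIED
                       else "review")
        report.append({
            "service": service,
            "users": sorted(stats["users"]),
            "requests": stats["requests"],
            "uploads": stats["uploads"],
            "disposition": disposition,
        })
    return report


if __name__ == "__main__":
    for row in find_shadow_it(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"{row['service']:<16} users={','.join(row['users'])} "
              f"requests={row['requests']} uploads={row['uploads']} -> {row['disposition']}")
```

The point of the disposition field is the one Lidell makes: the raw signal (an unsanctioned service with uploads) looks like something to block, but a service already reviewed and tied to a partner agency's standard tool is reported as permitted, so the weekly review spends its time on the genuinely new cases.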
The CIO office wants to work with users to meet their needs, so it encourages users to come forward with their technology requests, says Cris Brown, NRC’s deputy CISO and chief of cybersecurity oversight.
“We do have a process where people can say, ‘I have this business need,’ and what we do is triage it and determine whether we have an existing tool to meet that need, and we offer that up,” she says. “And if we don’t, we take a look at what would be a good solution for the enterprise, and we pursue that.”