The federal government is responsible for numerous agencies, so unifying cybersecurity best practices and standards across them keeps the entire enterprise in lockstep together.
Cybersecurity standards that are good enough for the federal government can prove equally beneficial to its state and local counterparts, however, while keeping all three on the same page nationwide.
Frameworks adopted by the federal government provide it with privacy, security and transparency benchmarks that easily translate to the state and local level.
“Security should be at the front and center,” Mukundan Srinivasan, Virginia Department of Medical Assistance Services (DMAS) CIO, said during a July 26 GovLoop online training. “You typically only see the security issues at the end before they go live.”
Srinivasan’s role as DMAS’s CIO means he has been a major player in the agency’s efforts to craft Virginia’s new Medicaid IT modernization effort.
Federal cybersecurity standards have helped DMAS meet its data protection and transparency needs by giving it watermarks to aim for.
“As a $12 billion annual budget agency, we are under audit from various entities all the time,” he said, providing an example of useful standards. “We wanted to make sure everything is auditable and traceable.”
Shawn Wells, Red Hat’s Chief Security Strategist, U.S. Public Sector, said standards can help agencies share best practices for deploying new applications faster without sacrificing cybersecurity.
“Delivering an app into production was an incredibly non-trivial task,” he said, recounting an anecdote about the Army. “This resulted in the Army doing larger deployments with more features.”
“These painful deployment processes not only led to poor delivery services but an avoidance of pain by deploying as often as possible,” Wells added. “This risked more things going wrong which results in even more pain and the cycle continues.”
Wells said the federal government used several cybersecurity standards so that its various agencies were speaking the same language on threats and prevention.
“Everybody recognizes it that cyber events are happening,” he said. “Regardless, not every agency can stand up a cybersecurity operation and staff it. These are often multi-million-dollar efforts.”
Wells said that standards like the Trusted Automated Exchange of Intelligence Information (TAXII) gave agencies a common response to cybersecurity dangers.
TAXII’s website describes the program as “an application layer protocol for the communication of cyber threat information in a simple and scalable manner.”
“I would say that one of the movements we’re capturing is to do in common what is commonly done,” Wells said of standards overall.
“There are ways to gain proficiencies in procurement,” he continued. “There’s ways to accelerate the deployment of applications.”
Srinivasan said that standards also help agencies express their needs to vendors, saving both parties valuable negotiating time.
“Even the medium companies, the small companies can meet the security standards,” he said. “If they cannot meet it, what can they do in lieu of it to protect our needs?”
“That saves a lot of headaches and battles down the line,” Srinivasan said of “elephant in the room” conversations early in the procurement process. “Making a standard made it easier.”