What Gov Experts are Saying About FedRAMP, Privacy and Cyber

Cybersecurity has become about much more than keeping the antivirus on our computers up to date or grumbling through an annual security awareness training.

For government agencies in particular cybersecurity includes securing data stored on-premise and in the cloud, responding to security incidents and keeping privacy concerns top of mind.

Speaking at an Aug. 23 GovLoop event focused on what’s on fire in government cybersecurity, experts from the Department of Health and Human Services and the Federal Risk and Authorization Management Program (FedRAMP) shared insights on how they are tackling these and other security challenges at their respective organizations.

As a quick refresher, FedRAMP is a governmentwide program that provides a standard approach to securing cloud products and services in government. The program, which is housed within the General Services Administration, launched in June 2012. Since then there have been several advancements, including the rollout of FedRAMP Accelerated, a faster process for authorizing cloud services for government use through a joint board of federal CIOs, also known as the Joint Authorization Board (JAB).

A process that used to take up to 18 months for some companies should ideally take three to six months, said Claudio Belloli, FedRAMP’s Program Manager for Cybersecurity. “I think we are there,” he said.

The program office is currently working with Microsoft to go through that accelerated process, which Belloli expects will be completed by September. Other vendors using the accelerated route could be done as soon as this fall.

The biggest stumbling block for agencies when it comes to using provisional ATOs (authorities to operate) through FedRAMP is lack of awareness, Belloli said. The level of awareness about FedRAMP and the ability to reuse ATOs varies among agencies. “The point is to save government money by not doing duplicative assessments,” he added.

At HHS, Logan O’Shaughnessy, the department’s Lead for Privacy Incident Management and Response, is focused on the intersection of privacy and security. His department piloted the privacy risk management framework developed by the National Institute of Standards and Technology.

“NIST has been at the forefront of cyber controls and publications,” O’Shaughnessy said. “In conversations, one thing NIST realized was we need to start looking at the privacy piece if we’re going to create a holistic view of cybersecurity.”

He praised the framework for helping to bridge the gap between privacy and security teams by developing a standard language for developing information systems.

The challenge is sometimes security and privacy teams talk past each other, O’Shaughnessy explained. On the surface, security and privacy controls may not fit well together, but there may be ways around that roadblock. For example, your agency may create a control that requires data that has not been touched in several years to be removed from the system. This fits well with data minimization efforts.

As agencies work to harmonize work around security and privacy, they must consider what data they are collecting, whether it’s necessary to collect the data and what disposal procedures they have in place once data is no longer needed.
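The retention control described above (remove data that has not been touched in several years, as a data-minimization measure) is easy to state but has two practical wrinkles: some record categories cannot be auto-disposed, and the disposal itself must be accountable. The following is an added illustration, not code from the event, HHS or NIST; the record layout, the `RETENTION_YEARS` policy and the sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records for illustration only (not real agency data).
# Each record carries the timestamp of its last access.
SAMPLE_RECORDS = [
    {"id": "rec-001", "last_accessed": "2012-03-02T10:15:00+00:00", "category": "case_file"},
    {"id": "rec-002", "last_accessed": "2016-06-20T08:00:00+00:00", "category": "case_file"},
    {"id": "rec-003", "last_accessed": "2016-08-01T12:30:00+00:00", "category": "audit_log"},
    {"id": "rec-004", "last_accessed": "2011-11-11T09:00:00+00:00", "category": "audit_log"},
]

# Assumed retention policy: years of inactivity before a category is eligible
# for disposal. None means the category is never auto-disposed (for example,
# records under a legal hold or with a statutory retention period).
RETENTION_YEARS = {"case_file": 3, "audit_log": None}


def parse_ts(value):
    """Parse an ISO-8601 timestamp with an explicit UTC offset."""
    return datetime.fromisoformat(value)


def stale_records(records, now, policy):
    """Return ids of records whose category has a retention limit and whose
    last access is older than that limit relative to `now` (a tz-aware datetime)."""
    eligible = []
    for rec in records:
        years = policy.get(rec["category"])
        if years is None:
            continue  # category is exempt from automatic disposal
        cutoff = now - timedelta(days=365 * years)
        if parse_ts(rec["last_accessed"]) < cutoff:
            eligible.append(rec["id"])
    return eligible


def dispose(records, ids, audit):
    """Remove the listed records, appending one audit entry per removal so the
    disposal action is itself reviewable. Returns the surviving records."""
    keep = []
    for rec in records:
        if rec["id"] in ids:
            audit.append({"action": "disposed", "id": rec["id"], "category": rec["category"]})
        else:
            keep.append(rec)
    return keep


def run_retention(records, now, policy, dry_run=True):
    """Evaluate the policy; with dry_run=True only report what would be removed.
    Returns (remaining_records, eligible_ids, audit_entries)."""
    ids = stale_records(records, now, policy)
    audit = []
    if dry_run:
        return list(records), ids, audit
    remaining = dispose(records, set(ids), audit)
    return remaining, ids, audit


if __name__ == "__main__":
    now = datetime(2016, 8, 23, tzinfo=timezone.utc)
    remaining, ids, audit = run_retention(SAMPLE_RECORDS, now, RETENTION_YEARS, dry_run=False)
    print("disposed:", ids)
    print("remaining:", [r["id"] for r in remaining])
    print("audit:", audit)
```

Running the policy in dry-run mode first gives privacy and security teams a shared list to review before anything is deleted, and the per-record audit entries answer the "what happened to that data?" question that comes up later in an incident or a records inquiry.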

Belloli’s advice: Agencies must understand the risks posed to every system and data-processing activity and apply the right level of security controls.
