Trade Law Daily is a service of Warren Communications News.
Cybersecurity Leadership Lacking

FedRAMP Guidelines Will Decrease Cost, Spur Cloud Migration, Federal CIOs Say

Information technology automation and cloud migration may help reduce agency costs but security standards aren’t uniform and federal cybersecurity guidelines are urgently needed, officials said Tuesday at a cybersecurity conference sponsored by Billington Cybersecurity. Leaders from the departments of Defense and Commerce and the U.S. Nuclear Regulatory Commission said the pending release of Federal Risk and Authorization Management Program (FedRAMP) guidelines will help propel their agencies’ technological capabilities. But private sector entities said the government needs to take a more active lead on national cybersecurity efforts in the meantime.

FedRAMP is “essential” to DOD’s migration to the cloud, said Richard Hale, chief information assurance executive and deputy CIO at the Department of Defense. “We need automation, data standards, situational awareness and a standard one-time inspection regime,” Hale said. FedRAMP aims to establish security certification and standards for cloud computing services and products so government agencies can quickly adopt and integrate authorized solutions. But Hale admitted there are some DOD missions which will never be appropriate for the federal cloud. For those operations “the risk is too great,” he said.

Defense has five major cybersecurity objectives, said Hale. First, the department must ensure that it can execute missions “in the face of cyberwarfare from a capable adversary.” Second, the department must be able to establish information-sharing relationships very quickly in new environments. Third, mission commanders must determine what risks they're willing to take without those risks spilling over to other areas of the department. Fourth, Defense must maintain the ability to keep and preserve secrets. Finally, its IT solutions must be agile.

When the administration’s final FedRAMP requirements are published and firmly established, “it will lubricate the wheels that are already in motion,” said Simon Szykman, CIO at the Department of Commerce. Though the federally mandated push to cloud migration was helpful, “there are enough advantages that it’s a trend that would continue to happen anyways,” he said. Several bureaus in the Commerce Department are already using cloud services: the Census Bureau has a private cloud-based infrastructure, and the National Oceanic and Atmospheric Administration (NOAA) has adopted cloud-based email and messaging services, Szykman said.

The U.S. Nuclear Regulatory Commission primarily uses cloud technologies for its software as a service (SaaS) capabilities, such as meeting coordination, travel coordination and emergency notifications, said Patrick Howard, the agency’s chief information security officer. But “we have hesitation about going beyond that with more critical, sensitive data,” Howard said. “FedRAMP can solve that, but we need that proof.”

Federal adoption of consumer mobile devices like iPhones and iPads could be very beneficial to all federal agencies, but security hurdles remain, officials said. “We see tremendous potential in all areas of government,” said Hale. But mobile authentication standards are lacking and DOD is still working to fill the security gaps that remain. “We are learning our way through this. There is a lot in play right now,” Hale said.

The Department of Commerce is still assessing the capabilities of mobile devices, Szykman said. “We are at the information gathering and learning stage. Department-wide any mobile device is being looked at.” It would be helpful if Nuclear Regulatory Commission employees could photograph and send pictures of malfunctioning hardware to their administrators, said Howard, but “it could be a sensitive image and we don’t know how to protect that.”

Private Sector Cybersecurity Needs Federal Leadership

There is arguably a bigger need for cybersecurity standards and guidance in the private sector, which possesses upwards of 85 percent of the nation’s critical infrastructure, experts said in a separate panel. Though ultimately it’s the responsibility of owners and operators of critical infrastructure to ensure their cybersecurity, “the government needs to lead by example,” said Cheri McGuire, vice president-global and government affairs at Symantec. Some federal agencies have tremendous experience in the cybersecurity realm and it’s important that they share this information with private sector entities, she said.

Basic hurdles remain to private sector cyberawareness such as attribution of cyberthreats, McGuire said. “We have to be able to get confidence that we understand and address those threats and cut them off at the knees.” Furthermore, Congress needs to equip law enforcement agencies with better tools to take action against threat vectors once they're identified, McGuire said.

The cybersecurity community hasn’t focused enough on the advanced persistent threats, said Dale Meyerrose, vice president and general manager at Harris Corp. and a retired U.S. Air Force major general. “The criminals and the bad guys have all figured out that the network, and the system, and the data are more valuable than shutting it down,” Meyerrose said. “But I've not seen the public discourse about this area change with regard to the changing threat.” Meyerrose even suggested a Hoover Commission-like reorganization of government agencies to comprehensively address the cybersecurity threat. “Cyber is an instrument that permeates so much of what we say and do,” he said.

The government should increase its oversight over private sector cybersecurity because companies aren’t taking the threat seriously enough, said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. “Voluntary activities might not be enough,” he said. “Just as we have the [Federal Aviation Administration] for the airlines we might need a broader federal oversight role for cyberspace. Unless you tell people they must get secure to some national cybersecurity standards it won’t happen,” Lewis said.