As agencies move to the cloud and secure their data there, meeting the new challenges with innovative solutions is a great opportunity – as long as agencies abide by existing security baselines, said Federal IT leaders during MeriTalk’s Cybersecurity Brainstorm.
Andre Mendes, CIO at the International Trade Administration (ITA), a bureau within the Commerce Department, noted that ITA is 100 percent in the cloud, which comes with security benefits.
“We found that in terms of overall security profile, being 100 percent in the cloud has substantially lowered our risks for the difficult breach you expect,” said Mendes.
Oki Mek, CTO for acquisition at the Department of Health and Human Services (HHS), noted the benefits of new approaches to cybersecurity, like blockchain. HHS’ BUYSMARTER blockchain was the first blockchain to receive an authority to operate (ATO) in the Federal government, he noted.
“When you think about blockchain, it has immutability, transparency, traceability, timestamps, and provenance of the data – those are all cybersecurity words, and that’s why I believe blockchain is the future,” said Mek.
But as agencies move to cloud services and take new approaches to cybersecurity, they also need to be cognizant of existing security baselines. That’s where the National Institute of Standards and Technology (NIST) comes in.
“I’m listening, and hearing not just Andre and Oki, but many other agencies as well. I don’t think there’s a one-size-fits-all solution out there,” said Dr. Michaela Iorga, senior security technical lead for the Cloud Computing Division at NIST.
“The guidance provided by NIST … even though we are highlighting a risk-based approach and the baselines are providing a minimum level of security, with the latest evolution of the technologies and the attacks, I think that all government agencies need to consider beyond the minimum level of security and properly identify what kind of threats they are subject to,” she added.
Iorga highlighted NIST’s work in developing OSCAL (the Open Security Controls Assessment Language), which in a pilot program was able to analyze security artifacts in seconds – much faster than the estimated week it would take human analysts.
While agencies will need to follow baselines, letting individual organizations take the lead in implementing new techniques is also key.
“For those of you who work in government agencies with multiple bureaus, you know that the speed of execution sometimes varies dramatically from bureau to bureau, because of size, legacy, and applications. In a perfect environment, you would want to do that at the department level … but at the same time you can’t hold a bureau back that is able and willing to move to the next level, and becomes a driver,” said Mendes.