Before you say “no,” Federal cybersecurity professionals, hear us out. To borrow a line from Riggs in Lethal Weapon 2, “C’mon, say yes! Be original, everyone else says ‘no.’”
Even with all the discussion around efficiency and modernization, the typical Certification and Accreditation (C&A) process takes six months and costs more than $100,000 to complete. For larger IT systems, doubling those totals isn’t out of the norm. With a large number of organizations, this process is updated every six months and then redone every three years for each system. So, over a five-year-period, certifying and accrediting a system can cost more than $500,000. Wow, that’s a lot of money!
With an increasing attack surface resulting in millions of new threats every year, partially updating C&A documents every six months, re-mediating a few Plan of Action and Milestones, and updating all docs every three years, won’t, and doesn’t, keep the bad guys out of Federal networks.
This compliance process, designed and refined over the past 15 years, was sorely needed when conceived–and still remains the primary means of governing Federal IT systems. Mainframes, client server, and early three-tier architectures ruled the day, with an eventual light sprinkle of this new tech called virtualization. Cybersecurity was an afterthought, meaning build everything and bolt on cyber at the end of the process. Moving typical systems from procurement to implementation took years. Now a server, and even an application, can be provisioned in minutes and the first release can happen in one month. The times and technology have changed, yet updates and adoption have lagged significantly.
Depressed? Don’t be, there’s some help on the way. The latest Risk Management Framework was released for comment and some of the 800 NIST publications are also being revised. The Department of Homeland Security led Continuous Diagnostics and Mitigation program is rolling out across Federal agencies, providing an opportunity to increase visibility and analytics capabilities for applications and systems on their networks. And since we started writing this article, 20 new cyber companies have entered the U.S. market that will help better identify cyber threats, quantify, and qualify risks based on threats, vulnerabilities, and cost to mitigate. The greatest minds are collectively updating the guidance and the conversations grow in numbers…so why are we still not broadly considering the idea of automating security controls and authorizations?
From a technology perspective, the Lego pieces are in the box to get started building the Millennium Falcon. In terms of FISMA compliance, today’s Federal CIOs, CISOs, and Program Managers have access to more than 70 FedRamp Certified FedRamp providers, including a few with high controls. Early adopters of DevSecOps have worked alongside assurance professionals and shifted cybersecurity left in the process and embedded cyber into the DNA of secure automation workloads, from development to production. Automation at every level is possible and can be utilized to achieve assurance and reliability previously unavailable with human implemented processes.
Is it perfect? Nope. Nothing is. This is not about perfection, rather risk management and responsible evolution. The tools are in the toolbox.
So, how do agencies get started? How about a mission-critical mainframe? Ah, no. Well then how about a FIPS moderate back office system on a few virtual servers? Close, but not quite. Let’s instead start with a “net new,” moderate-level data system. Even better, if you can take advantage of the incoming Modernizing Government Technology (MGT) Act to actually rethink a business process/application, rather than carry the same less-than-optimized processes to a new environment and call it modernization.
Some of the criteria to qualify: this is a new project, not a bolted-on enhancement to an old system. Must be hosted in a FedRamp cloud provider. Automate as much as possible, including your security controls, in partnership with your security operational and policy professionals. The development environment should be provisioned using good DevSecOps best practices. Make sure you embed cyber hygiene and analytics at the lowest level of code possible. Lather, rinse, repeat for testing. Then once satisfied the app and cyber is implemented correctly, light up production. Repeat, the key to success is a collaborative and transparent partnership among all stakeholders that include operational and policy professionals…stakeholder engagement.
Beta was overtaken by VHS. VHS got smoked by Blockbuster. Blockbuster got rolled by RedBox. Netflix, Amazon, and Hulu, took out RedBox using mobile phones and broadband. Traditional Federal C&A process, meet Automated Authorization. So, for the traditional certification and accreditation process, “we are getting to old for this.” We couldn’t agree more Sgt. Murtaugh.