FISMA standards will calm cloud fears, McClure believes

The federal government might not be in a mad march to migrate its most sensitive data to the cloud, but as standards become more cemented and processes are ironed out, more agencies will move into a space perceived “as a little bit risky at the moment,” according to the predictions of a General Services Administration official.

As the Federal Risk and Authorization Management Program gets rolled out and agencies get comfortable with the new standards and the rigid review process, there will be a greater tendency to move higher-risk systems and data to an outsourced model, said David McClure, associate administrator at GSA's Office of Citizen Services and Innovative Technologies.

McClure spoke with Federal Computer Week prior to participating in a panel discussion on new models of government IT, in a March 21 event hosted by Cisco in downtown Washington, D.C.

In the past few years, more agencies have moved to the Federal Information Security Management Act's "Moderate" impact level, and federal security officers have grown increasingly comfortable with the idea of applying higher levels of security to their systems.

But the higher level, which includes intelligence and the classified space, demands greater protection of data, an area where the Defense Department and the intelligence community are still working to iron out the kinks and figure out how to move ahead, McClure said.

Ron Ross, a computer scientist at the National Institute of Standards and Technology, described it best, McClure said, with the analogy of a big, open suitcase to illustrate how computer security controls are used. For non-cloud systems, those standards are applied by picking the controls and classes of controls that fit whatever system is being tested.

However, for cloud, “we’ve gone into that suitcase, pulled out the controls that we think are very important for vendors and government to demonstrate they have in place to protect data, access and privacy,” McClure said.

FedRAMP has created a governmentwide consensus on what those controls should be for cloud. Each agency is interpreting that in its own way; some might require 500 controls, others only 200, he said, adding that understanding the reason for the variations and what can be done to reach a common baseline is an important matter.

For agency CIOs, getting comfortable with how the testing is done and making risk-based decisions in the computer security area remain the largest challenges with cloud computing. The FISMA-based process is a risk-based course, “and government is pretty risk averse,” which often leads to over-applying security, McClure said.

“I think it’s time to have those conversations about what works best and in what situation, and can we agree at least on a baseline,” he said. “Then give agencies prerogative based upon their unique needs and systems environments and . . . create a common approach that saves lots of money [and] lots of time and brings consistency in how security is done in government.”

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.

Reader comments

Fri, Mar 23, 2012 Wyatt Starnes

The last comment is on target, IMHO. FISMA 1.0 is old and badly needs to be replaced. FEDRamp is at best, ambiguous and incomplete. The best work continues to come out of NIST with close cooperation with other agencies and IC groups. Suggest you look at the draft update to 800-53 (version 4). This should serve as framework for FISMA 2.0 and, in my opinion, is some of the best work I have seen on cyber security and IT infrastructure management. Link here: http://csrc.nist.gov/publications/PubsDrafts.html

Fri, Mar 23, 2012

Can a contractor who signs an SLA automatically adjust to a dynamic threat environment and APTs to protect sensitive information? Doubt it. If patching and encryption can't protect the information or system, they'll fall back on the "it wasn't in the SLA".

Fri, Mar 23, 2012

I'm afraid the statements made here are mistaken in most respects. FISMA and FEDRAMP aren't making internal government systems more secure or secure enough. They aren't securing a single thing, exactly because agencies get to choose how controls are interpreted, what they mean and what's required. And system owners are reporting false and inaccurate FISMA security information up the chain, out of ignorance, lack of talent, fear of reprisal, or to avoid work. A main goal of FISMA is to make government managers aware of security risks. But the management comments in this article, stating that FISMA is making systems secure, show that FISMA has failed to make management aware of the risks on their systems.
