NGA wants 24-hour cloud ATOs

Right now it takes about six months for a cloud provider to get its service cleared for federal government use – and that is on the fastest of fast tracks.

To the spies at the National Geospatial-Intelligence Agency, however, that feels like super slow motion.

Jason Hess, the NGA's chief of cloud security, is looking to dramatically reduce the time it takes to secure an authority to operate (ATO) certification for cloud services, down to a single day.

The agency, Hess said at the Cyber Resilience Summit on March 21, is moving most of its IT operations to the cloud and looking to "re-invent security." The idea is to take advantage of cloud flexibility to tear down the agency's IT architecture and re-build it every day, so that would-be attackers will confront a confusing operating environment and enjoy limited time-on-target.

So far, using software and DevOps development techniques, Hess said, his agency has managed to get ATOs within seven days.

NGA's "fast architecture churn," said Dr. Ron Ross, fellow at the National Institute of Standards and Technology, "is something to watch" in protecting networks and data in the coming years.

The NGA approach isn't for everyone, but speakers at the conference agreed that just installing technology at the edge of a network to ward off suspect traffic is obsolete.

"Cybersecurity is something you do, not something you buy," said Dr. Dale Meyerrose, a retired Air Force major general, who was also the first appointed CISO for the intelligence community.

"We lie about what we can do" with cyber security capabilities, he said. The federal government in general does not compare favorably to industry in detecting cyber intrusions on networks, and cybersecurity programs, with their response teams and other reactive elements, are too passive. "We need a hunt and destroy attitude," Meyerrose said, and an emphasis on integrating cybersecurity into agency missions rather than thinking of it as a separate effort.

At NIST, Ross is pushing an integrated approach. The standards agency's 800-160 security engineering guidebook, issued last November, urges organizations -- including federal agencies and commercial equipment and service providers -- to address security throughout their systems engineering processes rather than "bolting on" firewalls, encryption and monitoring systems to operating systems and applications after they are purchased.

New approaches must also be developed to get people to live and breathe cybersecurity as part of their agencies' missions, the speakers said.

"I don't want my whole office to be made up of cybersecurity PhDs," said Rod Turk, acting CIO at the Commerce Department, but "I can't present to the CFO on why I need a cyber program" if no one on the staff can explain in a business case how the program will translate into its impact on budget and overall agency mission.

Turk added that more innovative approaches to encouraging cybersecurity best practices are better done without embarrassing employees. "I'd rather put a sign in the hallway" announcing that the agency was preparing to do an anti-phishing campaign with faked emails, he said. The cybersecurity remedial technique has been run by other agencies as a "sting" operation targeting employees who click on fake phishing email sent out by the IT department.

"I'd rather an anti-phishing campaign be 'here's what you look for'" in phishing emails, he said. "It's not a 'gotcha' thing. I want them to be thinking about it. Information is far more important than embarrassing them."

Turk also briefs agency employees weeks ahead of international trips to countries that are notorious for phishing, explaining how and when they could expect to be phished. "That happens like clockwork 30 days ahead of a trip," he said.

About the Author

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
