For those in the federal government concerned about what happens to their agency’s cybersecurity as it adopts cloud computing, subject matter experts across the government offered some reassurance.
The National Institute of Standards and Technology (NIST) is focused on providing more guidance for a cloud framework, said Michaela Iorga, NIST’s senior security technical lead for cloud computing.
“We’re getting ready to post 800-173 for public comments,” Iorga said, referring to the guidance for a cloud measurement framework. “We’re also working on security and privacy controls … Our intention is to start building a structured framework for security controls” in a cloud environment.
Iorga said NIST is working on developing metrics for cloud service level agreements (SLAs), as well as developing a comprehensive list of challenges in cloud environments for computer forensics.
Complementing NIST’s effort, FedRAMP will be rereleasing a baseline for high-security systems in the cloud that incorporates feedback from agencies, Claudio Belloli, FedRAMP’s program manager for cybersecurity, told the audience.
“We actually just published our penetration test guidance,” Belloli added. “That went out a couple of weeks ago [and] included a requirement for social engineering.” Cloud service providers (CSPs) already going through FedRAMP testing will not have to go back and incorporate social engineering penetration testing, he said, but any providers starting the process in the future will have to include it.
Belloli said CSPs going through the FedRAMP process also will now have to include systems security plan training. His office also has released a third-party assessment organization requirements guide, which is out for public comment now.
Iorga asked whether FedRAMP has any working group or forum where agencies can ask questions dynamically, as they are working through cloud implementation. Another panelist, Leo Wong, CISO for the Department of Agriculture’s Food and Nutrition Service, agreed.
“In the 21st century it’s still kind of sad that we’re doing word of mouth,” Wong said. “I would totally be on board with public forums or an open space … It’s tricky, but I’m hoping the lawyers from FedRAMP can help.”
Belloli said FedRAMP is looking to establish agency working groups where agencies that have adopted cloud computing can share their knowledge. “We want to knock down some of those barriers,” he said.
On behalf of an agency that has moved to the cloud, Wong offered some suggestions regarding cybersecurity.
“Not everything needs to be protected,” he said. “I would start small – push things that you would be comfortable living without onto the public cloud.”
Wong said FNS does not depend on cloud security measures to address insider threats. “You have to have good monitoring in place,” he said, and suggested that the Department of Homeland Security’s Continuous Diagnostics and Mitigation contract has good monitoring tools for that.
NIST’s Iorga observed that while encryption may be perceived as the only way to be sure of protecting data, it raises the question of whether the data is encrypted only in transit or also at rest. She pointed out that adopting encryption requires restructuring legacy systems that have very large databases; otherwise, network performance can suffer.