Supply chain attacks have become a serious cybersecurity concern for the federal government in the past year. The massive SolarWinds attack showed that sensitive federal data could be infiltrated through third parties in federal data networks. Recently, Microsoft issued a warning that Nobelium, the Russian group responsible for the SolarWinds attack, “has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain.” The federal government’s expanding network of suppliers and service providers with access to federal data means that officials must make it a priority to reduce the risk of attacks. An Executive Order issued in May has placed increased responsibility on federal agencies to do their part to mitigate these risks.
With a huge push for data interoperability in the federal government, federal agencies have migrated their data from legacy systems to cloud service offerings to improve connectivity, efficiency, and quality of service. Yet this has created an expansive IT and data supply chain with multiple tiers, and security requirements become harder to track with each tier further down that chain. This means that data interoperability may also increase the risk of a data breach.
To lead the way, the Department of Justice recently launched its Civil Cyber-Fraud Initiative, a program that holds government contractors to a higher degree of accountability. The Cybersecurity and Infrastructure Security Agency (CISA) recognized in its Emergency Directive response to the SolarWinds attack that authorized vendors providing services for federal information systems may be working with other third parties that may not be covered by the mandatory Federal Risk and Authorization Management Program (FedRAMP) authorization.
The increased scrutiny of contractors brought by these initiatives places the onus of monitoring, reporting, and conducting full audits on federal agencies. According to CISA’s Emergency Directive, federal agencies are responsible for engaging with all service providers to audit and inventory their information systems. Per the Civil Cyber-Fraud Initiative, contractors that provide products that fail to meet cybersecurity standards and protocols will face penalties. Agencies engaged with these contractors will need to find new vendors, seek out alternate data solutions, and potentially rework existing migrations.
The FedRAMP program was created to establish consistency and confidence in cloud solutions by providing a standardized approach to monitoring Cloud Service Providers. Fully integrated solutions in the FedRAMP marketplace can help agencies find relief from closely monitoring a complicated network of multiple cloud service providers. Andrew Churchill, VP of Federal Sales at Qlik, praised the efficiency of cybersecurity that is managed on an end-to-end level with security and governance designed into a single platform: “With standardized security controls mapped to different levels of need and computing resources provisioned in the blink of an eye, a federal organization could—in theory—field new mission-critical capabilities practically overnight.”
Mass data migration to the cloud means more parties will have access to federal data. With the threat of supply chain attacks on the rise again, federal agencies need to take calculated steps to ensure that they don’t become a headline. Seeking out fully integrated data solutions means working with contractors that have a streamlined approach to cybersecurity, reducing the risk of supply chain attacks while relieving agencies of complicated audits.
To learn more about comprehensive cloud analytics platforms, download the datasheet “Cloud Analytics for the U.S. Public Sector.”