As government networks modernize, adoption of cloud infrastructure and services is helping us quickly deploy new capabilities and more effectively respond to changing mission parameters. Cloud adoption has also brought about a dramatic increase in data. With more data come more vulnerabilities, and the problem is only growing.
Unit 42’s 2023 Network Threat Trends Research Report indicates exploitation attempts of vulnerabilities increased 55 percent in 2022 from 2021. More than a decade ago, in the aftermath of the Snowden leaks, the federal government recognized a better system was needed to protect mission-critical data. To do this, agencies were mandated to use certified programs to help ensure the software and services they acquired met the needed standards. But as threat levels rise, how can agencies best use these labeling programs to ensure they are acquiring security technologies that meet their needs?
To guide the U.S. Department of Defense (DoD) in adopting secure technology, the Defense Information Systems Agency (DISA) created Impact Levels (ILs) to represent different levels of severity – rating how catastrophic a loss of confidentiality or integrity would be – for specific data. The higher the impact level, the higher the security requirements of the technology that handles the data. ILs are specific to the DoD, which alone reported 12,000 cyber incidents between 2005 and 2021, and they loosely build upon FedRAMP, a federal government-wide compliance program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
IL5, the highest unclassified category of Impact Level authorization, is fundamental for federal security. It makes easy-to-use public cloud services available for a large group of U.S. government agencies who need additional authorization beyond FedRAMP standards. IL5 enables U.S. government agencies to securely store and process Controlled Unclassified Information (CUI) and Unclassified National Security Information (U-NSI) data that has moderate confidentiality and moderate integrity requirements.
While known cloud incidents have grown at a faster rate than cloud workloads, programs like ILs and FedRAMP help ensure the most important data is protected with best-of-class security architecture, like the recently IL5-accredited Prisma Access from Palo Alto Networks. These levels of accreditation are evidence of the undeniable importance of private and public sector partnership – and they enable the U.S. government to leverage proven technology to protect and manage its highly distributed mission-critical infrastructure while promoting innovation and economic development in the private sector.
The 2020 SolarWinds cyberattack targeting multiple U.S. government agencies and private organizations, including the Department of Defense, emphasizes the need for continually high standards in both the public and private sectors. There are only two ways a product can become IL5 certified. The first is for a company to already be approved at a FedRAMP High level by the Joint Authorization Board. The second is for the DoD to run its own assessment, known as an “uplift,” with the provider aligning its Plan of Action and Milestones (POAM) – a corrective action plan for tracking and planning the resolution of information security weaknesses – according to the DoD’s Readiness Assessment Report (RAR).
The IL and FedRAMP rubric is a win-win for the U.S. government and businesses – it leverages public-private partnership to achieve DoD objectives, protects the broader federal network and reinforces our nation’s cyber resilience as the number of vulnerabilities continues to rise and difficult economic times are expected to prompt more cybercrime. Cybersecurity companies that incorporate these certification processes into their broader corporate product development program will reap the security benefits of these robust frameworks, and their private sector customers benefit too, knowing the solution meets the stringent requirements of government frameworks.
Through these certifications, the DoD can better modernize its infrastructure and improve Zero Trust outcomes for users, devices, networks and applications with innovative but proven cybersecurity products. Increasingly, cloud-delivered security will protect agencies like the U.S. Department of Defense and help enforce a Zero Trust Strategy, and IL and FedRAMP ensure these solutions are reliable and best-in-class to secure the information they need.
The author, Meg Coker, is Senior Director of Capture and Business Development, Palo Alto Networks.