Some Agencies Struggling to Track and Manage Security Risk
Despite increasing adoption of cloud services under FedRAMP, the most recent FISMA report shows some agencies are struggling to track and manage risk in the cloud.
By William Jackson, The Tech Writers Bureau
Government is moving slowly to the cloud and analysts expect the pace of adoption to increase over the next few years. But the most recent report on FISMA compliance [https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/final_fy14_fisma_report_02_27_2015.pdf] indicates that some agencies are still struggling to track and manage risk in the cloud.
This does not mean that cloud services are not secure or that the government applications running on them are necessarily at increased risk. It means that some agencies don’t know or can’t document the security status of those clouds and applications. Given recent government data breaches by foreign nations and organized crime, this is a serious concern.
Cloud computing offers flexibility, economy, and security to agencies strapped for cash and manpower. Under the administration’s Cloud First policy [http://www.gsa.gov/portal/content/190333?utm_source=FAS&utm_medium=print-radio&utm_term=cloud&utm_campaign=shortcuts], agencies are supposed to give priority to cloud computing for IT needs whenever appropriate. To facilitate this, the Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to streamline the security authorization process required under the Federal Information Security Management Act (FISMA). FedRAMP assesses cloud services against a standardized baseline of security controls, so that the resulting authorization can be reused across agencies rather than repeated by each one.
According to a recent IDC report on government cloud spending, [http://www.idc.com/getdoc.jsp?containerId=GI241746] the bulk of federal money is going to private clouds (dedicated single or limited-user platforms) rather than public clouds. Adoption has been relatively flat for several years, but both IDC and Forbes [http://www.forbes.com/forbesinsights/microsoft_govt_cloud/index.html] expect the speed of adoption to pick up over the next few years. This makes it important for agencies not only to ensure that cloud service providers meet FISMA requirements, but also to monitor and assess cloud security on an ongoing basis.
This is not always happening now. According to the Office of Management and Budget’s 2015 FISMA report, one of the most common problems for agencies with incomplete incident response programs was the inability to track and manage risks in a virtual or cloud environment. Information systems operated by federal contractors must also meet FISMA requirements, but only eight of 24 agencies reported full ability to manage contractor systems, and one of the most common weaknesses was the lack of a complete inventory of systems in a public cloud. Six departments reported contractor-owned or -operated systems, some in a public cloud, that did not meet FISMA requirements.
Regulatory compliance does not equal security, and these shortcomings do not say anything directly about the security of the cloud or the government applications and services running there. But without the ability to track and manage security there is no assurance that they are safe from attackers.
William Jackson is a freelance writer with the Tech Writers Bureau [www.techwritersbureau.com] and the author of The Cybereye. Follow him on Twitter @TheCybereye.