Both Kate Molony and Gordon Griffin contributed to this post.
Just before the closing bell for 2012, the federal government gave its first approval for government-wide security authorization to a cloud service provider. On December 26, the General Services Administration (GSA) certified its first cloud service provider under the Federal Risk and Authorization Management Program, more commonly known as FedRAMP. The GSA expects last month's authorization to pave the way for more in early 2013, with some anticipating as many as 10 to 15 authorizations over the course of the year.
In an effort to better implement the government's "Cloud First" policy, the GSA collaborated with private industry and other executive agencies - including NIST, DHS, and DOD - to standardize security requirements for federal cloud contractors. The program began in June 2012, and certification under the FedRAMP standards will become mandatory by June 2014.
North Carolina-based Autonomic Resources has been the first cloud service provider to check all of FedRAMP's boxes, but its journey to complete federal endorsement is not over. Cloud service providers seeking FedRAMP approval must undergo a four-step application process. Either a contractor or an agency may initiate a FedRAMP review. Contractors must then retain a "third party assessor" (3PAO) to perform an independent assessment of whether the contractor's security systems comply with Federal Information Security Management Act (FISMA) and NIST standards. With a 3PAO's security assessment package in hand, the contractor may then apply for provisional authorization from FedRAMP's Joint Authorization Board (JAB), composed of the Chief Information Officers (CIOs) from the DOD, DHS, and GSA. This is the certification that FedRAMP has granted Autonomic Resources, but the key word is "provisional." The JAB "authorization to operate" (ATO) is but an initial endorsement of the contractor's security controls and their acceptable risk. Specific agencies are then to leverage this threshold approval to streamline their own, more tailored ATOs. Although not formally a part of the application process, it is worth noting that, even after agency approval, the contractor must provide FedRAMP with continuous monitoring reports and various updates.
As the former federal CIO stated, the idea behind the FedRAMP process is "approve once, use often." This practice seeks to maximize transparency between cloud contractors and the federal agencies, while minimizing duplicative efforts. The GSA expects the result to be a universal and trustworthy security authorization process that consumes less time and fewer taxpayer dollars. Current GSA estimates predict that, with the help of the FedRAMP system, agencies will save approximately $200,000 per authorization. Until the GSA ushers more prospective cloud contractors through the FedRAMP process, however, federal agencies will have to wait for such savings. In the meantime, though, nothing is preventing agencies from relying on FedRAMP guidelines to independently scrutinize the security of their contractors.
For more information about federal cloud computing and acquisitions, see http://www.crowell.com/files/Cloud-Computing-Acquisitions-Cybersecurity.pdf.
Both Kate Molony and David Bodenheimer contributed to this blog post.
As a part of the Senate’s recent passage of the 2013 National Defense Authorization Act, Senator Carl Levin (D-MI) has introduced an amendment that would direct the Department of Defense to establish procedures requiring contractors with security clearances to make disclosures when their covered networks have been successfully breached. Amendment 3195 appears to be the latest chapter in the recent trend at the federal and state levels to expand private sector obligations to report data security breaches.
However, this latest breach notification proposal by the Senate Armed Services Committee Chairman raises significant questions for those that it seeks to regulate. In particular, the Amendment creates uncertainty about its scope and the notification process. SA 3195 broadly asks the DOD to determine not only the process by which contractors must report breaches, but also which contractor networks are subject to that process. If the DOD interprets the Amendment expansively, it could extend not only to classified networks, but also to those that are unclassified. Given the expanded responsibilities of the Defense Security Service (DSS) to assist government contractors with cybersecurity for both their classified and unclassified networks, the implementing DOD procedures would presumably follow suit and opt to include reporting requirements covering unclassified, in addition to classified, networks.
Amendment 3195 does establish broad audit and inspection rights for the DOD to probe the private networks of cleared DOD contractors. Specifically, the bill states that any resulting DOD process must include a mechanism by which the DOD can access a contractor’s networks to perform forensic analyses. Such right of entry may create some of the same tensions that DOD contractors experience in dealing with the scope of the Defense Contract Audit Agency’s access to a contractor’s financial and other sensitive information during an audit. Beyond the usual confidentiality concerns, this provision could open the door to other types of investigations if the DOD network audit uncovers wrongdoing unrelated to the original security breach. How deeply may the DOD penetrate the contractor’s networks? What happens if the DOD security auditors trip across attorney-client privileges or other secrets unrelated to the original purpose of the audit? Will a safe harbor be available to contractors? These questions remain unanswered.
Regardless of its future progress in Congress, Amendment 3195 – like many other legislative and regulatory expansions – reflects the growing scrutiny of contractors for data security breaches and cybersecurity shortfalls.
Proponents of the Cyber Intelligence Sharing and Protection Act (more commonly known as CISPA) won a small battle last month when the House of Representatives passed the proposed bill by a vote of 248 to 168, with 42 yeas from Democrats. Yet the war for comprehensive cybersecurity legislation is far from over, as CISPA's next campaign – the Senate – is expected to be a tougher fight. Even if it were to prevail there, the White House has stated that it would likely veto the bill.
Still, CISPA supporters believe that last-minute amendments may persuade some opponents into reconsidering their positions. According to an Office of Management and Budget statement made prior to the vote, the Obama Administration's primary concerns were that CISPA did not go far enough to protect critical infrastructure; that it repealed portions of electronic surveillance law without implementing counterbalancing privacy protections; and that it granted too much shelter to the private sector from cyber liability. Representatives Rogers (R-MI) and Ruppersberger (D-MD), the bill’s co-sponsors, have since responded that regulating critical infrastructure is beyond the purview of the House Intelligence Committee – from whence the bill came – and that the now-approved changes to the bill narrow the government's ability to retain and then use shared data. The amendments have yet to scale back liability exemptions, provisions that remain popular with industry. The White House has yet to comment on the revised bill.
In its current form, CISPA has won the support of Internet and technology companies such as Facebook and Symantec. Notably, though, some companies have jumped ship and now oppose the legislation. Civil rights groups, including the ACLU, also remain unconvinced. Cyber activist group Anonymous has been particularly vociferous in its opposition, calling for a series of protests and "swift messages" against industry supporters.
CISPA is not the only cybersecurity bill to face growing scrutiny. Members of the House and the Senate have offered at least nine other cybersecurity bills, including separate proposals from Senators Lieberman (I-CT) and McCain (R-AZ). As with CISPA, some critics believe Congress has yet to advance legislation comprehensive enough to cure the country's growing cyber vulnerabilities while protecting the citizenry's civil liberties – a familiar quandary in post-9/11 America.
In an effort to comply with the 2011 Budget Control Act, the Department of Defense has proposed a “difficult but manageable” budget that will save approximately $259 billion over the next five years, totaling $487 billion in savings within a decade. Coordinated with President Obama’s defense strategy guidance, this new budget provides a glimpse into the government’s evolving national security priorities, focusing on military agility abroad and economic stability at home.
Among the major takeaways is a strategic shift from an emphasis on land-based conflict to one conducted via sea and air, where the U.S. believes it can best exploit its comparative advantages. In concert with withdrawals from Afghanistan and Iraq, the Army is expected to see eight of its brigade combat teams dissolved. This would be but one component of the suggested 15% reduction in the Army’s total active forces. As the government grows reluctant to engage in large-scale and prolonged military operations, the Marine Corps, too, would not escape unscathed. Its total number faces a 10% reduction, including the loss of at least one infantry regiment, with more potentially on the table. What is more, the procurement of F-35 Joint Strike Fighters would be cut from 42 to 29, along with additional delays.
In contrast, the Navy and Air Force stand to gain from the DOD’s realignment of priorities. The Navy would retain its current fleet of eleven aircraft carriers and ten air wings, while enhancing its submarine cruise missile capacity. Not to be outdone, the Air Force would continue to receive funding for its new long-range bombers, and drone patrols could increase in capacity from 65 to 85, calling attention to the perceived need for military flexibility.
This brings us to another notable focal point – the DOD’s technological capabilities. In an effort to remain responsive and keep pace with other nations, the government would maintain its financing of unmanned intelligence, surveillance, and reconnaissance (ISR) systems on a broader basis, and funding for cyber operations would actually jump – one of the few defense projects to receive such a boon.
Yet Leon Panetta and others have not completely abandoned their previous military champions. For example, in contrast to the diminution of general ground forces, the DOD intends to stay the course concerning its special operations forces. The number of these elite groups has doubled since 2001, and their continuance reflects the Department’s ongoing counterterrorism efforts.