This post first appeared on IBM Business of Government. Read the original article.
This blog draws from a July 21 webinar on cloud security hosted by the Partnership for Public Service and the IBM Center for The Business of Government featuring three federal IT leaders: David Catanoso from the Department of Veterans Affairs, Dr. Timothy Persons from the Government Accountability Office and Robert Vietmeyer from the Office of the Chief Information Officer at the Department of Defense.
Blog Co-Authors: Mark Lerner, Senior Manager, Technology & Innovation, Partnership for Public Service; Emma Shirato Almon, Associate Manager, Partnership for Public Service; Scott Robertson, Partner, Federal Cloud Strategy and Services, IBM; and Ryan Vuono, former intern, Research, Evaluation and Modernizing Government, Partnership for Public Service.
Threats to federal data, software applications and digital infrastructure, including cloud-based technologies, are growing exponentially. The National Institute of Standards and Technology reports dozens of new cybersecurity vulnerabilities and exposures daily that, if unaddressed, could result in large-scale breaches such as the 2020 SolarWinds attack.
To safeguard people’s personal information and the systems and services agencies rely on to serve the public, government must adopt a security-first mindset, maintain a responsive, agile approach and implement cybersecurity best practices like zero trust architecture.
To achieve this organizational change, Robert Vietmeyer, the director for cloud and software modernization at the Department of Defense Office of the Chief Information Officer, said, “you’re going to need to adjust everything—from your business operations to your technical operations to your production support.”
Key players
Thankfully, federal leaders do not take on this burden alone. The Government Accountability Office’s Chief Scientist, Dr. Timothy Persons, described security as “a team sport,” requiring “shared responsibility of the cloud.” Here are some of the major players that work together to ensure secure cloud infrastructure:
- Chief information officers and chief information security officers lead the cloud security strategy.
- HR & talent teams identify opportunities to expand cybersecurity knowledge and skills within an agency through hiring and training.
- Procurement & acquisition specialists contract external industry partners for their cloud services.
- Federal accreditation standard bodies (such as FedRAMP) vet industry partners to ensure a standardized level of security and data protection.
Bringing everyone together
For these key players to develop and implement a secure cloud strategy, they must have a common understanding of how the agency uses its computing networks to achieve its goals. In partnerships between government and industry, it is critical to communicate and collaborate early and often. At the Department of Veterans Affairs, providers are expected to align their technology and teams with the agency IT strategy, allowing for a shared understanding of and more responsiveness to new threats.
“[Vendors have] to be willing to work with other contractors, other VA employees [and] various agencies,” Catanoso said. “We work in a highly team-oriented environment.”
Beyond ensuring the security of the cloud infrastructure from and with providers, Vietmeyer emphasized the need for internal coordination since the “majority of all application-level and data security that exists in the cloud is the [agency] customer’s responsibility.” Creating a security-first culture means making sure that each team understands their data and how to faithfully steward customer information.
Leaders within and across agencies can provide data governance guidance through cybersecurity and technology readiness assessment training and coordination with dedicated security teams. Moreover, they can integrate cloud and enterprise hosting security into planning and management discussions. Catanoso remarked that “almost all our meetings talk about the security dimension.”
In addition to familiarizing employees with cloud technology and data security, Dr. Persons noted that leadership needs to be proactive in bringing all staff—even those in non-technical roles—on board via agile processes. “We often focus too much on the technology itself,” he said, “but it’s staff who operate that technology … addressing risks efficiently and making micro-corrections along the way.” Both the Department of Veterans Affairs and Department of Defense promote skill-building opportunities in DevSecOps, a methodology for developing secure applications using agile approaches.
By expanding what roles fall into the cybersecurity workforce and cultivating a unified approach to cloud security, agencies can be more agile, capable and proactive in responding to threats.
Join our next webinar
As agencies adopt and build secure cloud services, they should look to allocate their cloud resources, teams and workload to more effectively serve their mission and the public.
In our upcoming webinar on October 13, we’ll discuss how to leverage and optimize the cloud to meet program goals.
Read our blog post recapping our first webinar, “The 3 stages of cloud adoption.”