Earlier this summer, Centers for Medicare and Medicaid Services CISO Rob Wood shared his strategic goals for the agency's cybersecurity, which included plans for a "batcave," and the effort is now taking shape.
Batcave is the CMS Office of IT's emerging continuous authorization and verification engine. Wood introduced the effort as a way to shift toward building software and embracing the cloud, providing a foundation for faster, user-focused development in which security controls are inherited from the platform rather than rebuilt by each team.
“We’re shifting toward the code,” Wood said at the CMS Cybersecurity Forum last week. “It’s an engineering shift. Then ultimately, if we can build it once, run it in most cases everywhere or piecemeal run it, run pieces of it everywhere — then we can maximize control inheritance … taking away most of that prep time, taking away most of that [minimum viable product] build time, so you can focus on building features, building user experiences, building data models, building whatever it is that’s going to solve your problem and add value to your stakeholder.”
Wood hopes Batcave can get ideas to production as quickly and securely as possible, encouraging a development culture that embraces DevSecOps, faster problem-solving and reduced complexity.
Alongside Batcave, Wood said CMS is also working to make development safer in general. To do this, CMS is investing in better synthetic datasets so that developers can conduct rapid experimentation in a secure fashion.
“You don’t have to deal with big complex data-use agreements and privacy agreements and all of that stuff and all the security that goes into the data engineering, the data tooling,” Wood said about the synthetic data use in development. “You’re just able to rapidly experiment and iterate and learn on good-quality synthetic data.”
Wood added that his office is working to build and scale out the synthetic data development project to other components across CMS. From there, he wants to integrate it into development programs like Batcave.
To get CMS into a faster development mode, Wood also wants to break down monoliths, meaning large, tightly coupled codebases built around a single piece of software, into smaller modules that can be changed and tested independently.
“One of the things that we are really trying to drive home is modularizing, breaking apart these monoliths into smaller decomposed modular pieces, such that we can iterate on them more quickly and efficiently without needing to consider or worry about breaking the overarching structure that it originally came from,” Wood said. “We should be able to learn quickly about a particular, smaller process that supports a bigger thing.”
Wood also said he is working to strike a better balance between data security and transparency. He explained that if security teams do not do that, they can end up making it difficult for people within an organization to innovate and problem-solve.
“Our data is very sensitive — we don’t want anyone to get their hands on it because bad things could happen,” Wood said. “However, if you don’t have access to your data and you are the one that needs it to make a change, to make something better — how are you going to make that better if you’re going through the bottleneck that is the security team?”
Wood argued that to improve the security posture across CMS, the agency needs to make security data more readily available. He added, however, that the data needs a layer of governance around it, as well as proper data tooling and anonymization, so that sharing it does not itself expose the systems it describes.
“We can anonymize that so they don’t know exactly what the system is, what the target is, things like that, to be able to empower people who want to learn from security data, gather abstractions or insights from security data across the enterprise without putting systems at risk — but most importantly, of course and just to drive this home, to give people access to the data they need when they need it,” Wood said.
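The anonymization Wood describes, stripping out which system and which target a finding refers to while still letting people aggregate and learn from the data, is commonly done with keyed pseudonymization. The example below is added here for illustration and is not CMS code or a description of Batcave's tooling; the event records, field names and key are constructed assumptions. It replaces identifying fields with HMAC-SHA256 tokens under a key that the governance function holds, coarsens timestamps to the hour, and keeps the tokens consistent across records so that counts per system still work without revealing what the system is.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample security findings (assumed schema, not real CMS data).
SAMPLE_EVENTS = [
    {"ts": "2023-08-14T13:05:22Z", "host": "app-prod-01.agency.internal",
     "src_ip": "10.20.30.40", "system": "Claims Portal",
     "finding": "missing patch", "severity": "high"},
    {"ts": "2023-08-14T13:41:09Z", "host": "db-prod-07.agency.internal",
     "src_ip": "10.20.31.8", "system": "Eligibility Service",
     "finding": "weak TLS config", "severity": "medium"},
    {"ts": "2023-08-14T14:02:51Z", "host": "app-prod-01.agency.internal",
     "src_ip": "10.20.30.40", "system": "Claims Portal",
     "finding": "exposed admin endpoint", "severity": "high"},
]

# Fields that identify a system or target and must not leave the security team.
SENSITIVE_FIELDS = ("host", "src_ip", "system")


def pseudonymize_value(value: str, key: bytes, field: str) -> str:
    """Map a sensitive value to a stable, keyed token.

    A keyed HMAC (rather than a plain hash) matters because IPv4 addresses and
    short hostnames form a small value space: anyone could recompute plain
    hashes over the whole space and reverse them. Mixing the field name in
    keeps the same string from producing the same token in two different
    fields. The key is the thing governance must protect, since its holder
    can re-identify tokens by recomputing them.
    """
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}-{mac[:12]}"


def coarsen_timestamp(ts: str) -> str:
    """Truncate an ISO-8601 UTC timestamp to the hour to blunt correlation
    with other data sources that carry exact times."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:00Z")


def pseudonymize_event(event: dict, key: bytes) -> dict:
    out = {}
    for name, value in event.items():
        if name in SENSITIVE_FIELDS:
            out[name] = pseudonymize_value(value, key, name)
        elif name == "ts":
            out[name] = coarsen_timestamp(value)
        else:
            out[name] = value  # finding type and severity are what analysts need
    return out


def pseudonymize_events(events: list, key: bytes) -> list:
    return [pseudonymize_event(e, key) for e in events]


def leaked_values(original: list, pseudonymized: list) -> list:
    """Return any sensitive original value that still appears verbatim in the
    serialized output. An empty list is the check that should gate release."""
    blob = json.dumps(pseudonymized)
    return [e[f] for e in original for f in SENSITIVE_FIELDS if e[f] in blob]


def findings_per_system(pseudonymized: list) -> dict:
    """Aggregate counts by pseudonymous system token: the kind of enterprise-wide
    insight the text describes, without knowing which system is which."""
    counts: dict = {}
    for e in pseudonymized:
        counts[e["system"]] = counts.get(e["system"], 0) + 1
    return counts


if __name__ == "__main__":
    key = b"governance-held-key"  # assumed; in practice from a managed secret store
    released = pseudonymize_events(SAMPLE_EVENTS, key)
    assert leaked_values(SAMPLE_EVENTS, released) == []
    print(json.dumps(released, indent=2))
    print(findings_per_system(released))
```

Two caveats a practitioner would add before releasing such data: the remaining free-text fields (here `finding`) must also be reviewed, since a description like "exposed admin endpoint on the claims portal" re-identifies the system on its own; and pseudonymization is reversible by whoever holds the key, so the key, not the output, is the asset the governance layer is really protecting.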