Hybrid cloud adoption is forcing many agencies to take steps to enhance their cybersecurity posture. While hybrid cloud can reduce costs and improve scalability, it also widens the attack surface that agency infrastructure presents to malicious actors.
A hot topic right now surrounding hybrid cloud is the Defense Department’s Cybersecurity Maturity Model Certification (CMMC), which evaluates Defense Industrial Base (DIB) companies' cybersecurity practices to ensure compliance with DOD requirements.
“We need to try to help our industrial base get to good with cybersecurity because we want to make sure the warfighter has the best capabilities on the ground and that they’re protected,” said DOD DIB Cyber Chief Stacy Bostjanick during GovCIO Media & Research’s CyberScape: Insider Threats event Thursday in Tysons Corner, Virginia.
DOD is working with cloud service providers to develop an inexpensive way for companies to guard their data and their environment while complying with CMMC.
“From the cloud perspective, we’re hoping to be able to leverage it, but it can provide the core so that you don’t have to buy the gates, guns and guards to make sure your system is good,” Bostjanick said. “But you also have to have the controls to protect that data now. Do you put that in the hands of the cloud services provider to protect for you, or do you do that on your own? That’s something we’ve got to look into.”
The National Aeronautics and Space Administration (NASA) quickly adopted Revision 5 of the National Institute of Standards and Technology (NIST) Special Publication 800-53 control catalog, the control baseline used under the NIST Risk Management Framework, to better secure legacy IT architectures while shifting some systems to the cloud. According to Joe Foster, cloud computing program manager at NASA, the agency is now moving to another NIST standard, the Open Security Controls Assessment Language (OSCAL), a set of machine-readable formats for control catalogs, baselines, system security plans and assessment results, to meet cybersecurity compliance requirements.
“It’s basically compliance-as-code; we’re going to bake in all the compliance checks as part of the Rev 5 transition by using OSCAL so ... we will give people a GitLab area and go write your controls in this OSCAL markup language,” Foster said during the event. “It will be interesting times going forward and we think automating will ultimately lead to the best results for us.”
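To make the compliance-as-code idea concrete, here is an added example (not code from the article, NASA or NIST) of the kind of check a pipeline job could run over OSCAL documents: it reads a minimal OSCAL profile (the controls a system is required to implement) and a minimal OSCAL system security plan (the controls the team says it has implemented) and reports required controls with no implementation, implemented controls the baseline never asked for, and controls claimed without any implementation narrative. Only the handful of OSCAL JSON fields the script reads are modelled, following the published schema as I understand it; both documents and all UUIDs are constructed sample data.

```python
"""Compliance-as-code gate over OSCAL documents.

Added illustration, not NASA's code. It models only the small subset of
OSCAL fields it reads: the profile's 'imports[].include-controls[].with-ids'
and the SSP's 'control-implementation.implemented-requirements[]' with
'control-id' and 'statements[].by-components[].description'. Everything
else is treated as opaque. The two documents below are constructed samples.
"""
import json
import sys

# Constructed sample profile: the system must implement three SP 800-53 controls.
PROFILE_JSON = json.dumps({
    "profile": {
        "uuid": "11111111-1111-4111-8111-111111111111",
        "metadata": {"title": "Sample baseline subset", "oscal-version": "1.1.2"},
        "imports": [{
            "href": "#sp800-53-rev5-catalog",
            "include-controls": [{"with-ids": ["ac-2", "ac-17", "au-6"]}],
        }],
    }
})

# Constructed sample SSP: ac-2 is implemented with a narrative, au-6 is claimed
# without one, ac-17 is absent, and ia-5 is implemented but not in the baseline.
COMPONENT = "44444444-4444-4444-8444-444444444441"
SSP_JSON = json.dumps({
    "system-security-plan": {
        "uuid": "22222222-2222-4222-8222-222222222222",
        "metadata": {"title": "Sample hybrid-cloud system", "oscal-version": "1.1.2"},
        "control-implementation": {
            "description": "How the system meets its baseline.",
            "implemented-requirements": [
                {"uuid": "33333333-3333-4333-8333-333333333331", "control-id": "ac-2",
                 "statements": [{"statement-id": "ac-2_smt",
                                 "uuid": "33333333-3333-4333-8333-333333333332",
                                 "by-components": [{"component-uuid": COMPONENT,
                                                    "uuid": "33333333-3333-4333-8333-333333333333",
                                                    "description": "Accounts are provisioned through "
                                                                   "the IdP and reviewed quarterly."}]}]},
                {"uuid": "33333333-3333-4333-8333-333333333334", "control-id": "au-6",
                 "statements": []},
                {"uuid": "33333333-3333-4333-8333-333333333335", "control-id": "ia-5",
                 "statements": [{"statement-id": "ia-5_smt",
                                 "uuid": "33333333-3333-4333-8333-333333333336",
                                 "by-components": [{"component-uuid": COMPONENT,
                                                    "uuid": "33333333-3333-4333-8333-333333333337",
                                                    "description": "Credentials rotated per policy."}]}]},
            ],
        },
    }
})


def required_controls(profile):
    """Control ids the profile selects. Only explicit 'with-ids' selection is
    resolved here; 'include-all' needs the imported catalog, so refuse it."""
    ids = set()
    for imp in profile["profile"]["imports"]:
        if "include-all" in imp:
            raise ValueError(f"{imp['href']}: include-all needs the catalog to resolve")
        for sel in imp.get("include-controls", []):
            ids.update(sel.get("with-ids", []))
    return ids


def implemented_requirements(ssp):
    """Map control id -> implemented-requirement object from the SSP."""
    reqs = ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]
    return {r["control-id"]: r for r in reqs}


def has_narrative(req):
    """True if any by-component under the requirement (directly or under a
    statement) carries a non-empty description."""
    scopes = [req] + req.get("statements", [])
    return any(bc.get("description", "").strip()
               for scope in scopes for bc in scope.get("by-components", []))


def assess(profile, ssp):
    """Compare baseline to plan. Missing or undocumented controls fail the gate;
    orphans are reported so the baseline and plan can be reconciled."""
    need = required_controls(profile)
    have = implemented_requirements(ssp)
    have_ids = set(have)
    missing = sorted(need - have_ids)
    orphans = sorted(have_ids - need)
    undocumented = sorted(cid for cid in need & have_ids if not has_narrative(have[cid]))
    return {"missing": missing, "orphans": orphans, "undocumented": undocumented,
            "passed": not missing and not undocumented}


def run_sample():
    """Assess the constructed sample documents above."""
    return assess(json.loads(PROFILE_JSON), json.loads(SSP_JSON))


def main():
    report = run_sample()
    print(json.dumps(report, indent=2))
    # A non-zero exit lets a CI stage (for example a GitLab pipeline job) block the merge.
    sys.exit(0 if report["passed"] else 1)


if __name__ == "__main__":
    main()
```

Run as a pipeline step, the script exits non-zero for the sample because ac-17 has no implemented requirement and au-6 is claimed with no narrative, while ia-5 is flagged as an orphan to reconcile. A real deployment would load the profile and SSP from the repository and resolve `include-all` against the imported catalog rather than refusing it.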
Michael Epley, chief architect and security strategist at Red Hat, believes organizations should focus on zero trust if they want to handle common security controls across different environments in a consistent and cohesive fashion.
“I always focus on zero trust — that’s a big passion of mine. Zero trust is an architectural framework for managing across those different environments and, through that management, attracting more value from those different cloud postures you might be employing,” Epley said at the event.
Joseph Fourcade, lead cybersecurity analyst at the Department of Veterans Affairs' Enterprise Cloud Service Office, said the office's partnerships with vendors have been key to keeping data secure.
“We do a project where we bring vendors in as a joint effort, they become a part of our team. We walk with them through the whole process and make sure they have everything in place to help get through compliancy,” Fourcade said during the event. “We then guide them in the right path for what’s going to be required to make sure we have the security vulnerability visibility into their projects.”
Bostjanick said everyone including industry should keep security top of mind because cybersecurity is a shared responsibility.
“My dream is for CMMC not to be needed. What I want is our industry partners and our nation to all be thinking ahead and being out in front of it and think about what’s the next possibility and fabric that I could be attacked upon and taking those steps to protect ourselves,” Bostjanick said. “We need to be a thinking nation and paying attention to what’s happening and working hard to get there.”