Federal cyber leaders at the National Aeronautics and Space Administration (NASA) and the State Department warned their colleagues against rapid cloud adoption if their cybersecurity strategies aren’t keeping pace.
Cybersecurity is a strong focus for the Biden administration, which recently appointed the first National Cyber Director to lead the national cyber strategy and coordinate with other federal agencies to respond to cyber incidents. For many federal agencies, cybersecurity hasn’t always been the top priority.
“[During] this pandemic, you saw a 10-year movement in IT in the space of one year,” said Nagesh Rao, CIO of the Bureau of Industry and Security within the Department of Commerce, at the ATARC Cloud Summit last week.
According to Brian Merrick, director of cloud programs at the Department of State, cybersecurity policy hasn’t evolved as quickly as IT policy, which is why the current administration is racing to catch up. Merrick said his agency “leverages FedRAMP extensively” to stay on top of cybersecurity.
“We look at FedRAMP packages, make sure they meet our risk parameters as well, then leverage those controls at the platform layer,” he said at the summit. “We have a shared responsibility model, so then there's that other layer that we provide — what's left varies depending on the platform. With SaaS (software as a service), there are fewer controls. That helps to reduce the time to market from a compliance standpoint, but the ATOs (authorization to operate) aren't as extensive, and in some cases, they ride on our ATOs.”
Merrick said hybrid-cloud environments, which are popular among federal agencies, can be difficult to watch for cyber risks and vulnerabilities.
“The challenge we're still facing is, how do we take all this disparate data on all these platforms and get a consistent view into the activities and risk management monitoring?” he said. “There are so many different variables in these platforms so when it comes to monitoring, there isn't a single pane of glass that gets you there.”
Merrick and Joe Foster, a cloud computing manager at NASA, think a beefier Technology Modernization Fund (TMF) could help federal agencies devote more resources to cybersecurity.
“Our cloud platform today is only accredited at a FISMA (Federal Information Security Modernization Act) moderate level,” Foster said at the event. “NASA does a lot of science, a lot of public-facing stuff. With the new [Executive Order on Improving the Nation’s Cybersecurity], we wrote a proposal for a TMF upgrade and FISMA high enclave.”
NASA’s priority is to ensure its hybrid-cloud environment is cost-effective and efficient without compromising cybersecurity. The solution? Automating cybersecurity processes to accelerate project development.
“The basic approach to cloud three years ago was: we have a contract in place, you just have to go issue a task order off it,” Foster said. “You had to design your own security, implement your own technical plan, go through all the hoops to get up and running. It took six months on average just to get a project started. Now we've been able to take that six-month on-ramp time and I can have a new application up and running in 45 minutes. ATO in a day — that's basically what we've tried to replicate here.”
Foster added that “not everything is designed for the cloud,” such as legacy firmware.
“Hubble's been lying in space for 30 years, which means it's been pretty stagnant for a long period of time,” he said. “We have something called the secure lab enclave where we firewall off all these legacy pieces of equipment that can't be upgraded anymore.”
Like many other federal agencies, the Department of State is focused on an aggressive zero trust push in response to the cyber executive order.
Zero trust, Merrick said, can refine and enhance cloud security even in the most challenging hybrid environments.
“We're working through a strategy now in conjunction with the EO for zero trust, rolling out a security broker … it's going to be a combination of factors of identity, cloud-access security brokers for rule enforcement, and what we can do from a native platform tool functionality working in concert,” he said. “It's definitely a long road ahead.”