One year ago, the White House’s cyber executive order changed the way that government secures its identity data — working to ensure that only the appropriate people have access to it and guarding it against adversaries. Comprehensive data protection has become an agency-wide, all-of-government and industry effort in order to secure federal systems.
Security is a critical mission for the Patent and Trademark Office (USPTO). The first step to securing identity data, CISO Don Watson said, is to minimize the production and storage of that data as much as possible.
“We use data minimization principles to ensure we collect only what is necessary to fulfill the purpose of the activity,” Watson said at GovCIO’s CyberScape: ID event on March 3. “And making sure the data should only be shared within the organization where people will need to complete specific actions. And the data is only kept as long as is necessary.”
For Watson, data minimization often means taking a hard look at data collection proposals and adhering to strict standards for approval.
“There’s really no law saying that data cannot be collected, which can make it challenging to convince our stakeholders to not collect the data,” Watson said. “This often leads to open but tough discussions with teams before they start collecting the data.”
If a dataset is approved, the next step is to ensure that only the appropriate people will have access to it. At Customs and Border Protection, the agency has moved beyond usernames and passwords to secure its identity data. CBP collects biometric data for its trusted traveler program among other operations and, in order to gain access, CBP asks its data users for something they have and something they know. This could include facial recognition or a thumbprint scan alongside a pin number. Extra-sensitive information requires additional proof of identity, such as verification chip cards.
“Anything that has elevated privileges, there’s even more requirements, additional training,” CBP CISO Scott Davis said. “Get into that granular level of who needs what information and so the more the further down, we can get as far as granularity, the better off we’re protecting information that’s private.”
Information security offices have to work with and reach all corners of their agency to create a secure enterprise. High-profile breaches, including SolarWinds and Log4j, have pushed government to build a more cyber-aware culture.
“Our adversaries are not slowing down,” Davis said. “They’re getting more complex; they’re getting more strategic. … The privacy offices and the information security offices have really been elevated in importance because of the understanding of how valuable those services are.”
Immigration and Customs Enforcement (ICE) is creating a collaborative model to comply with federal regulations, laws and ethical standards in data protection.
“What we’re looking at now is what we call an information compliance framework, where we’re actually working closely as partners — working with the civil rights and civil liberties office, our security office, the chief information officer organization, and then even the legal side — and looking at the nexus of areas of policies, technologies, even business processes and trying to come up with an operating model,” said Ken Clark, assistant director for information governance and privacy. “We need to break down silos.”
This collaborative approach is especially critical during the acquisition process. Clark’s team works with new vendors to ensure that the systems storing and processing the government’s identity information are secure.
“Looking at contract language is also needed for protecting privacy and civil liberties,” Clark said. “At our organization, our privacy team works very closely with the acquisition organization to make sure the language is incorporated into our contracts to address the needs with our supply chain. We’re also working very closely at the Department [of Homeland Security] level. The department also works closely with other agencies such as the DOD. It’s really a whole of government approach to make sure that that we’re protecting our supply chain as we implement our systems.”
In addition to its supply chain risk assessments, this year USPTO is starting a new red-teaming approach to assess the security of some vendors who store and process data.
“Red teaming to those specific data facilities, we put in the contract language,” Watson said. “The ability to do announced and unannounced penetration testing and red teaming for some locations in which the vendors are storing and processing our data to ensure it’s well-protected.”
Government and industry are pushing one other and building new standards for cyber, and the product development process itself is transforming to bring security to the fore.
“Now you hear security development operations, SecDevOps,” Davis said. “It’s not just the federal government that’s focusing on it, the vendor community is also and it’s good to see — it’s an encouraging partnership.”
