The Cloud Safe Task Force (CSTF) – comprised of four nonprofits: MITRE, the Cloud Security Alliance (CSA), the Advanced Technology Academic Research Center (ATARC), and the IT Acquisition Advisory Council (IT-AAC) – held its fourth meeting on Wednesday to discuss how to achieve greater authorization-to-operate (ATO) reciprocity in cloud security practices.
Task force members explained during a Nov. 13 ATARC event that among current security control frameworks in the cloud service industry, reciprocity does not exist.
This means that cloud service providers (CSPs) may have a single control that has to “be assessed and reassessed up to 12 or more times because of the multiple frameworks that they have to assess to,” according to Mari Spina, a senior principal cybersecurity engineer at MITRE.
For instance, Spina said there is the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) and the Cybersecurity Maturity Model Certification (CMMC) Program within the Department of Defense. Additionally, many Federal agencies have their own Federal Information Security Management Act (FISMA) implementation requirements.
Industry also has a host of frameworks, such as the CSA’s Security, Trust, Assurance, and Risk (STAR), among multiple international ones.
“These are all, in some cases, separate, different assessors using different controls and writing different reports. So, it’s a big cost driver,” Spina said. “I believe that if we can successfully tackle this, we save the industry, the government, and the cloud provider a ton of money.”
In addition to cost savings, CSA’s Global Vice President of Research John Yeoh said that reciprocity will also help to automate compliance programs.
“That’s going to be a huge part, so we’re not just automating the compliance, but we’re automating security,” Yeoh said.
“I think reciprocity is going to lead to a lot more than just an agreement between two standardized bodies agreeing on how we recognize each other’s assessments. It’s also going to give us the ability to automate that into our technology platforms, as well as improved security overall,” he added.
Former Federal CISO Chimes In
About five months after leaving the Federal government, former Federal Chief Information Security Officer (CISO) and Deputy National Cyber Director Chris DeRusha joined the task force’s conversation on Wednesday to stress why achieving reciprocity is so important.
DeRusha, who now serves as the director of global public sector compliance at Google Cloud, explained that reciprocity will enable one Federal agency – or even a component inside the same agency – “to reuse another’s assessment and give full access to all the underlying evidence presented to the first authorizing official.”
DeRusha echoed the task force members’ sentiments, saying that assessing “the same technology 10 different times … is not effective.” However, he said that the issue of reciprocity is bigger than just cost savings.
“I really think it’s more about the frame of speed to putting the tech into our public sector’s hands – that’s got to be the main driver and thing that we’re after here,” DeRusha said. “The cost argument, while important, people often, you know, they’re tired of hearing that, and it’s hard for them to attach that as the prime motivator because they don’t trust necessarily that there will be real cost savings in the end.”
“So, while I think it’s important, I think we’ve got to find frames which I think are very legitimate and actually more important frames than just that,” DeRusha said.
For example, he said the reality is that technology advancements are moving at a rapid, “almost scary” pace – and our adversaries are not waiting to use technology against us.
“They’re not waiting days to leverage the technology, but we’re waiting months and often years to get that technology into the hands of the public sector and then defenders,” DeRusha said. “That’s why this matters.”