Federal CIOs’ Current Security Dilemma

Three initiatives meant to enhance government IT security are languishing because of funding challenges, yet CIOs are still asked to deliver on the promise of shared services.


The Obama administration has made an unprecedented commitment to making government data-driven. It has also made cybersecurity a centerpiece of its IT strategy. However, it now finds itself mired in controversy on both fronts.

The less-than-stellar rollout of the website designed to support the Affordable Care Act was a tremendous embarrassment, while the revelations surrounding NSA surveillance methods have cast doubt on the administration’s commitment to privacy as a keystone of national policy.

These two story lines symbolize two of the many challenges the administration faces in balancing the federal government’s IT investments: It must maintain public support for a sturdy cyberdefense without losing focus on the civilian agency systems that are the public’s interface with “e-government,” but which also must be made more secure.

They also show the role funding plays in managing the results of these IT investments.

[Read why Defense Department CIO Teri Takai believes in the government cloud security program: Why FedRAMP Helps Everyone.]

Looking at cyberdefense, the Snowden disclosures ironically revealed that the long-term investment in intelligence gathering has paid off in the form of an infrastructure and capability that are second to none. The disclosures also brought to light just how much the administration has invested in cyberdefense. It started with the emergence of US Cyber Command in 2009 and continued more recently with the Pentagon’s 2013 budget commitment to a fivefold expansion in staff and offensive capability over the next few years, which The Washington Post reported early last year.

However, the cumulative impact of continuing resolutions, sequesters, and the government shutdown has put a damper on government efforts to make its IT systems more secure. Three key security initiatives in particular were affected: Continuous Diagnostics and Mitigation (CDM), the Federal Risk and Authorization Management Program (FedRAMP), and HSPD-12.

Federal agencies have taken to heart the government’s “cloud first” strategy, outlined by former US CIO Vivek Kundra in the first Obama administration, which mandates moving email and other business applications into commercial clouds.

The move to the cloud has had the greatest impact on small and midsized agencies that do not have legacy investments in large datacenters and that were able to shift operations to commercial clouds with relative ease. Unfortunately, these agencies are also the least able to protect security funding from the budget axe. That’s why these big three initiatives are so critical to the state of shared security services.

The CDM initiative, beginning in fiscal year 2013, offered the hope that low-cost monitoring tools and continuous authorization services would replace a pricey cycle of system certifications. However, the task of managing the myriad contracts linked to the initiative has bogged down the Department of Homeland Security, which is leading the initiative. The tools — including the predicted budget savings — aren’t yet in hand as the 2015 budget cycle begins. According to a survey of defense and civilian IT specialists, conducted by Dimension Research and published by the security firm Tripwire, there are major challenges facing CDM implementation, with 50% of respondents citing budgets as a top barrier.

Even if the CDM program gets back on its feet, it will not do anything in the short term for the agencies that have moved their operating environments to the cloud. CDM is currently an on-premises approach to system security. Plans to implement it in commercially hosted government clouds — and to place those clouds inside the government’s Trusted Internet Connection (TIC) boundary — are still to come.

Two-factor identification cards, like those used by the Defense Department, still haven’t become established at civilian agencies.
(Source: DoD)

Meanwhile FedRAMP, the framework for securing these commercial cloud services, is off to a slow start despite some headway. The FedRAMP Concept of Operations memo, issued by the Office of Management and Budget, describes a rich array of capabilities and services that can support authorization of cloud-based environments. But CISOs and CIOs are finding that many of the big providers in the cloud space are relying on prior security certifications granted by the GSA or other agencies, with FedRAMP-certified services still in short supply.

Other providers have bundled multiple independent operating environments into a single certified package. This makes it difficult to unpack the bundle and tell which controls are in place, or to enforce them, even when they are spelled out in contract language.

The FedRAMP Joint Advisory Board (JAB) has approved more than 20 independent third-party assessors who are qualified to certify cloud environments, but only a handful of them are doing the work. The irony is that without a scanning and monitoring function built into the FedRAMP process, the certifications are no different from the old three-year cycle model that DHS and NIST are trying to replace.

The final piece of the security puzzle, inherited by the Obama Administration from the Bush Administration, is the HSPD-12 mandate, intended to replace outmoded password authentication with PKI-based, two-factor methods that rely on electronically coded identification cards and card-reading systems.

Unfortunately, this critical security capability, meant to protect systems on-premises and in the cloud, is also languishing because of budget constraints. The initiative was launched as an “unfunded mandate,” and in an atmosphere of competing budgetary priorities, agencies have deferred implementation. Those that have implemented it report that only a small percentage of users are authenticating themselves with the credentials.

Many CISOs believe that security would be better served by focusing on the use of two-factor authentication — which is relatively cheap to implement — and deferring the more costly process of creating and managing the assured identity and the expensive card that is bound to it. The White House has met those requests with a firm “no.” However, as long as secure authentication remains an unfunded mandate, competing for a share of limited funds, other initiatives that rely on secure identities are hard-pressed to move forward.

Consequently, civilian agency CIOs face a tough balancing act in trying to implement these three key initiatives, and others. They need to manage the risks of a security infrastructure and also find the means to fund these security priorities. It’s another reason much of the effort to fortify government IT remains a work in progress.

Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.
