At Cyberscoop’s San Francisco CyberTalks event this past April, Essye Miller, Acting CIO and DCIO for Cybersecurity at the Department of Defense (DOD), raised important points on data security and risk, which government agencies must navigate in procurement. In a security fireside chat with Marianne Bailey, Deputy National Manager for National Security Systems, NSA, Ms. Miller highlighted the fact that government officials must mitigate risk both within their own agency and in the vendor supply chain.
Supply-chain security was a theme at the event. Large agencies like Ms. Miller’s must carefully navigate the procurement process by performing due diligence aimed at preventing vendor-created vulnerabilities. Jeanette Manfra, Department of Homeland Security’s chief cybersecurity official, noted in her address that supply chain vulnerabilities “amount to a digital public health crisis” that the “government and private sector must work together to resolve.”
For this reason, entering the government market presents a number of challenges for software companies unfamiliar with the needs of this space. Federal, state, and municipal agencies have different security requirements and vetting procedures for software services, including cloud based services. A common theme among government agencies is that cloud service vendors hoping to be approved for purchase after a vendor security review cannot rely solely on the security practices of their hosting provider, such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). The Shared Responsibility Model put forward by AWS is clear on the idea that both the software provider and the hosting provider have defined accountabilities when it comes to security of a SaaS product.
Research and Track Criteria
In the federal market, cloud vendors are required to gain a FedRAMP authorization in order to sell to government agencies, with a very limited exception for on-premise private cloud deployments. FedRAMP, or the “Federal Risk and Authorization Management Program,” provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Just last month, the FedRAMP office announced its 100th cloud service offering to be approved under the program.
While specific control frameworks like FedRAMP govern the federal market, states have different requirements that may vary by jurisdiction. For example, a state agency may have a specific requirement based on state laws—like the New York Cybersecurity Regulations for financial institutions which became effective last year.
State and municipal vendor security questionnaires can also cover rules based on local regulatory obligations, e.g. compliance with state ethics laws, or enhanced employee screening procedures. Cloud vendors who are either unaware or unable to respond to security assessments covering this type of local requirement will find themselves unable to move forward in the procurement process.
Cloud vendors hoping to serve this market can win by gaining an understanding of what federal and state agencies are looking for when it comes to vendor security practices. For federal agencies, this means understanding the FedRAMP authorization process and reviewing the security control baselines, as a starting point.
State and local agencies often have their own requirements, as noted above, which are sometimes made available during RFP or RFIs. Reviewing examples of posted RFPs can provide insight into what state agencies consider during a vendor security assessment. A cloud vendor able to anticipate government security requirements and implement the required policies, procedures, and controls ahead of time will be better positioned to succeed in a security assessment.
Certification and Culture
For cloud vendors interested in working with state and local government agencies, where there is no central authorization program akin to FedRAMP, it can be helpful to seek external security certifications. Vendors can choose an established security standard or control framework and embed it into operational practices and company culture. Transparency regarding internal governance and security practices along with third-party certifications or testing may help to set up a vendor for success during an agency security assessment.
There are several options when it comes to third-party security assessments, including ISO 27001 and SOC 2 Type II. ISO 27001 is used as a best practice framework for establishing an information security management system (ISMS), and is intended to certify that an organization’s ISMS meets the specified requirements in the standard (a point in time analysis). SOC 2 is used to provide an organization a way to demonstrate that defined security practices are in place and operating effectively. It’s intended to assist an organization report to customers that it has met the established security criteria during the audit period (this is a time-period evaluation, typically one year).
In addition to working towards and achieving relevant security certifications, organizations also need to cultivate a culture of security. During his address at SF Cybertalks, FBI Assistant Director of the Cyber Division Scott Smith noted the importance of creating a culture of security shared by everyone from the intern to the CEO.
Navigating the government market presents challenges for cloud software vendors, especially in the current climate. There’s a heightened awareness around privacy and security given recent high profile data breaches and questionable usage of personal data. Federal, state, and municipal agencies present criteria which require dedicated resources for security planning and implementation. Research, transparency, a solid basis for demonstrating organizational security practices, and an established process for navigating security questionnaires will help smooth the way to success.