Trust between software development and security teams is one of the major challenges facing the Federal Emergency Management Agency (FEMA) as the agency modernizes cloud applications and services via its software development lifecycle (SDLC).
FEMA CISO Gregory Edwards believes there should be security requirements as well as functional and operational requirements in place at the beginning of the SDLC. Sometimes the SDLC begins without security standards baked into the development process, which slows down the entire cycle.
“It’s a trust factor,” Edwards said at ATARC’s Fostering Effective DevSecOps event last week. “The programs have timelines and milestones, and it’s quite difficult sometimes to wedge in the security testing that’s necessary in those milestones — but it is essential. So, what we find is that we get to a point where the software has been developed and it has been tested, but without any security oversight.”
Sometimes, this means scrapping the software and starting over with the right security requirements.
Although collaborative sessions with industry help, Edwards said IT leads at FEMA have built an IT roadmap to monitor cyber risks and threats and ensure software development meets security standards.
FEMA’s IT modernization fund also feeds the agency’s efforts to implement the IT roadmap.
“We have our plan for the next four to five years based upon what we’ve seen this year from the research,” Edwards said. “We’re identifying those tools, techniques, capabilities and services across a roadmap that we plan to implement, fully understanding that some will mature, some will not. But we also put in place some prototyping, some testing of that capability along the way, and if it proves itself out then, of course, we will continue it.”
Lack of communication around security needs has been another big obstacle for FEMA, especially during the COVID-19 pandemic.
After reviewing the agency’s internal telework policy, FEMA IT leaders realized they needed to scale certain telework capabilities, like improving employees’ ability to print from home. Printing from home was a challenge initially because FEMA needed to be aware of household assets connecting to the FEMA network and their security risk profiles.
“We had to change our mindset a little bit … you must know what it is before you can secure it or control it,” Edwards said. “We worked very, very hard to get access to all of the assets to know that they are there and then we had all of these security controls that we put in place to be able to monitor and ensure they are locked down.”
Another security challenge for FEMA is staying on top of fluctuating compliance regulations.
FEMA is currently managing more than 100 programs through the SDLC that are in different stages of compliance.
“We chase the numbers, but at the end of the day we’re not going to achieve 100% in terms of compliance. The federal regulations change and it’s not worth your time to try and resist those, and so we embrace them and we set up some plans of action and milestones,” Edwards said.
FEMA relies on the age-old vulnerability management system to help it gauge where it is in terms of security and to pull metrics.
“We are also interested in seeing how we can leverage those and further automate those processes and get more enriching information so we can better manage the overall environment,” said Edwards.
Edwards also believes all federal agencies should keep the “secure by design” concept as the driving principle of software development.
“We have to find a way — as the applications are being developed and as you win contracts and efforts with our developers — [to] truly work together to start in the beginning on the [security] requirements end and don’t let us force you into the stance of having a schedule that is unrealistic that does not include security,” Edwards said. “It sets us all up for a bad ending.”