CMS CISO Outlines Vision for Agency Security

Many may find that cybersecurity stymies innovation and the ability to progress mission needs. But Centers for Medicare and Medicaid Services CISO Robert Wood is building a cybersecurity strategy for his agency that takes a holistic approach to security and focuses on mission enablement.

Wood spoke at CMS CyberWorks last week to highlight his vision, strategic goals and future plans for CMS. Underlying all these plans is intention to build resiliency, flexibility and agility.

“In order to better serve the people that we’ve been entrusted to serve, we need to be more flexible, we need to be more agile, and we need to decrease the barrier to entry,” Wood said. “Our vision is all about enabling CMS to be able to move quickly, to be able to unlock and unleash this innovation that exists in all of these pocks around the agency … and really focus on resilience over just hardline security.”

To realize this vision, Wood presented four strategic goals for the agency’s information security program. These are to:

• Embrace a risk-based program management approach
• Unleash innovation
• Remove, simplify, and automate
• Build a resilient security posture

The risk-based program management involves having policy that supports flexibility and risk-based decision making in a streamlined process. This, he added, requires different components to come together in an aligned manner.

“It comes down to having good tools to assemble data, to present data in a meaningful way to the people who need to make the decisions — not just myself, but to people who are dealing with code, analysts who are reading about responding to … an issue or to program owners who are deciding to accept risk or not. And it also comes down to culture,” he said.

To realize the second strategic goal, unleashing innovation, Wood said it is critical to decrease security burden. This involves simplifying the security process, incorporating more automation and connectivity.

“Why are you entering all of the security controls again and again and again and again for these big, inheritable pieces of technology that are shared across the enterprise?” Wood said. “It doesn’t make any sense, so we need to find ways to decrease the barrier to entry to do security right and get people working faster with less friction.”

The third goal piggybacks off the second goal — they both aim to decrease burdensome security processes and increase productivity. The third goal, to remove, simplify and automate, is, in Wood’s eyes, about reducing the burden on individual people. He said having more process, policy, people and boxes to check slows down efficiencies, so cutting away at them is key to realizing agility and flexibility.

The reliant security posture (fourth goal) takes on a more holistic approach. Wood said that this involves looking at the entire ecosystem, including people, processes, IT systems, devices, endpoints and data, and considering an integrated, adaptable approach.

“You have to be thinking holistically about your detection and your response, and even those things need to be able to move fast and be adaptable, so investing more heavily in things like SOAR, in connected log aggregation, so that we can have more security visibility across different systems,” Wood said. “When that event happens, we can respond to it automatically.”

CMS is working toward meeting these goals and its vision of enablement with a few different plans and projects. One of these is Wood’s “Batcave,” CMS’s continuous authorization and verification engine.

“We’re extending all of the amazing work that has happened in both our cloud engineering teams, as well as cloud engineering teams across the federal government, and taking that and trying to build on top of it a platform-as-a-service model,” Wood said. “We’re focusing on platform as a service to try to strike the right balance for developers and product owners on flexibility for what you want to build, how you want to build frameworks you want to use and standardize on the things that don’t matter as much.”

Wood is also trying to develop a rapid authority to operate (ATO) process at CMS, shifting from a point-in-time, paper-based ATO to continuous ATO “backed by real security,” Wood said.

The final effort is building bidirectional community engagement across CMS, federal government and security communities. Wood said he wants to create an environment to share insights and observations and share them with health care and technology organizations.

Wood added that community engagement also means investing in moving engineering into an open-source development environment and tapping into community ideas with a crowd-sourcing model. He said that these approaches can help develop solutions to common problems across the security industry, such as third-party risk management.

“As we’re trying to rethink this, making sure that we are collecting opinions on how others are doing it, what their pain points are and what we learn — we want to share what we build, we want to share out, and so hopefully we can collectively move this industry forward toward a better way of doing third-party risk management because it’s a problem that everyone in this industry shares,” Wood said.