How to Boost Cybersecurity Without Losing Hybrid Cloud Benefits
The Defense Department’s CMMC program and NIST guidance are helping agencies reap the benefits of hybrid cloud without sacrificing security.
Hybrid cloud adoption is forcing many agencies to take steps to enhance their cybersecurity posture. While hybrid cloud can reduce costs and improve scalability it can also put agency infrastructures at greater risk for malicious cyberattacks.
A hot topic right now surrounding hybrid cloud is the Defense Department’s Cybersecurity Maturity Model Certification (CMMC), which evaluates Defense Industrial Base (DIB) companies’ cybersecurity practices to ensure compliance with DOD requirements.
“We need to try to help our industrial base get to good with cybersecurity because we want to make sure the warfighter has the best capabilities on the ground and that they’re protected,” said DOD DIB Cyber Chief Stacy Bostjanick during GovCIO Media & Research”s CyberScape: Insider Threats event Thursday in Tyson’s Corner, Virginia.
DOD is working with cloud service providers to develop an inexpensive way for companies to guard their data and their environment while complying with CMMC.
“From the cloud perspective, we’re hoping to be able to leverage it, but it can provide the core so that you don’t have to buy the gates, guns and guards to make sure your system is good,” Bostjanick said. “But you also have to have the controls to protect that data now. Do you put that in the hands of the cloud services provider to protect for you, or do you do that on your own? That’s something we’ve got to look into.”
The National Aeronautics and Space Administration (NASA) quickly adopted the National Institute of Standards and Technology (NIST) Risk Management Framework 853 Revision 5 to better secure legacy IT architectures while shifting some systems to the cloud. According to Joe Foster, cloud computing program manager at NASA, the agency is now moving to another NIST security platform called Open-Source Control Assessment Language (OSCAL) to meet cybersecurity compliance requirements.
“It’s basically compliance-as-code, we’re going to bake in all the compliance checks as part of the Rev 5 transition by using OSCAL so … we will give people a GitLab area and go write your controls in this OSCAL markup language,” Foster said during the event. “It will be interesting times going forward and we think automating will ultimately lead to the best results for us.”
Michael Epley, chief architect and security strategist at Red Hat, believes organizations should focus on zero trust if they want to handle common security controls across different environments in a consistent and cohesive fashion.
“I always focus on zero trust — that’s a big passion of mine. Zero trust is as an architectural framework for managing across those different environments and through that management attracting more value from those different cloud postures you might be employing,” Epley said at the event.
Joseph Fourcade, lead cybersecurity analyst at the Department of Veterans Affairs’ Enterprise Cloud Service Office, said its vendor partnership has been key to keeping data secure.
“We do a project where we bring vendors in as a joint effort, they become a part of our team. We walk with them through the whole process and make sure they have everything in place to help get through compliancy,” Fourcade said during the event. “We then guide them in the right path for what’s going to be required to make sure we have the security vulnerability visibility into their projects.”
Bostjanick said everyone including industry should keep security top of mind because cybersecurity is a shared responsibility.
“My dream is for CMMC is not to be needed. What I want is our industry partners and our nation to all be thinking ahead and being out in front it and think about what’s the next possibility and fabric that I could be attacked upon and taking those steps to protect ourselves,” Bostjanick said. “We need to be a thinking nation and paying attention to what’s happening and working hard to get there.”
This is a carousel with manually rotating slides. Use Next and Previous buttons to navigate or jump to a slide with the slide dots
-
Looking Back at the First Trump Administration's Tech Priorities
In his first term, Donald Trump supported cybersecurity, space policy and artificial intelligence development.
4m read -
Securing the Expanding Attack Surface in Cyberspace
Agencies undergoing digital transformation face a more intricate threat landscape and a wider threat target for adversaries looking to exploit vulnerabilities. This panel dives into strategies agencies are undertaking to safeguard these complex environments, including zero-trust architecture, vigilant monitoring and robust cybersecurity training.
30m watch -
Elevating Cybersecurity in the Intelligence Community
The Intelligence Community is developing strategies to protect data and strengthen resiliency against emerging cyber threats.
30m watch -
AI Revolutionizes Cybersecurity by Doing What Humans Cannot
Leaders from NSA, GAO and industry say that artificial intelligence can augment the cybersecurity workforce, but the work must be auditable and explainable.
4m read