NGA wants 24-hour cloud ATOs

One spy agency is looking to "fast architecture churn" to confound would-be cyber attackers.


Right now it takes about six months for a cloud provider to get its service cleared for federal government use – and that is on the fastest of fast tracks.

To the spies at the National Geospatial-Intelligence Agency, however, that feels like super slow motion.

Jason Hess, the NGA's chief of cloud security, is looking to dramatically reduce the time it takes to secure authority-to-operate (ATO) certification for cloud services to a single day.

The agency, Hess said at the Cyber Resilience Summit on March 21, is moving most of its IT operations to the cloud and looking to "re-invent security." The idea is to take advantage of cloud flexibility to tear down the agency's IT architecture and re-build it every day, so that would-be attackers will confront a confusing operating environment and enjoy limited time-on-target.

So far, using software and DevOps development techniques, Hess said his agency has managed to get ATOs within seven days.

NGA's "fast architecture churn," said Dr. Ron Ross, fellow at the National Institute of Standards and Technology, "is something to watch" in protecting networks and data in the coming years.

The NGA approach isn't for everyone, but speakers at the conference agreed that just installing technology at the edge of a network to ward off suspect traffic is obsolete.

"Cybersecurity is something you do, not something you buy," said Dr. Dale Meyerrose, a retired Air Force major general, who was also the first appointed CISO for the intelligence community.

"We lie about what we can do" with cyber security capabilities, he said. The federal government in general does not compare favorably to industry in detecting cyber intrusions on networks, and cybersecurity programs, with their response teams and other reactive elements, are too passive. "We need a hunt and destroy attitude," Meyerrose said, and an emphasis on integrating cybersecurity into agency missions rather than thinking of it as a separate effort.

At NIST, Ross is pushing an integrated approach. The standards agency's 800-160 security engineering guidebook, issued last November, urges organizations -- including federal agencies and commercial equipment and service providers -- to address security throughout their systems engineering processes rather than "bolting on" firewalls, encryption and monitoring systems to operating systems and applications after they are purchased.

New approaches must also be developed to get people to live and breathe cybersecurity as part of their agencies' mission, the speakers said.

"I don't want my whole office to be made up of cybersecurity PhDs," said Rod Turk, acting CIO at the Commerce Department, but "I can't present to the CFO on why I need a cyber program" if no one on the staff can explain in a business case how the program will translate into its impact on budget and overall agency mission.

Turk added that more innovative approaches to encouraging cybersecurity best practices are better done without embarrassing employees. "I'd rather put a sign in the hallway" that the agency was preparing to do an anti-phishing campaign with faked emails. The cybersecurity remedial technique has been run by other agencies as a "sting" operation in which employees click on fake phishing email sent out by the IT department.

"I'd rather an anti-phishing campaign be 'here's what you look for'" in phishing emails, he said. "It's not a 'gotcha' thing. I want them to be thinking about it. Information is far more important than embarrassing them."

Turk also briefs agency employees weeks ahead of international trips to countries that are notorious for phishing, explaining how and when they could expect to be phished. "That happens like clockwork 30 days ahead of a trip," he said.