The Trump administration’s new requirement for agencies to take a risk-based approach to cybersecurity may not be a heavy lift for at least one agency. The U.S. Trade and Development Agency has been heading down the path toward this risk-based approach for the past several years.
Benjamin Bergersen, the chief information officer of the U.S. Trade and Development Agency, said when the WannaCry ransomware attack hit computer systems worldwide, USTDA didn’t flinch.
“We had a check on WannaCry and I said, ‘yeah, we patched that a month ago,’ and then we double checked when everyone else got it and we were fine,” Bergersen said during an interview on Ask the CIO. “So there is very tight awareness at the leadership level about what’s going on and what the risks to the agency are and how we protect ourselves against those things.”
USTDA is using a host of documents and information sources to understand the risks it’s facing.
Bergersen said USTDA relies on frameworks from the National Institute of Standards and Technology, including special publications 800-53 (security and privacy controls), 800-37 (risk management) and 800-39 (managing information security risk), as well as the plan of action and milestones template from the Federal Risk and Authorization Management Program (FedRAMP).
“We also are using the framework for improving critical infrastructure cybersecurity, and that’s called the NIST framework,” he said. “We are using something that I developed about 25 years ago, not using the government standards, but just because it was a good idea to do, is a closeout package back when I was in the telecom industry in upstate New York. When you create a service or new server or new system, you want to close out the project and that ties right into your project management and those types of controls.”
The closeout package includes everything from a run book for how to operate and maintain the new service or server, training for both the IT staff as well as the end user, a standard configuration report, which is based off of the NIST and Defense Department standards, and a risk assessment report.
Bergersen said the risk assessment report details the strengths and weaknesses of the system based on a vulnerability management scan. He said the mission owner and the engineers then have a clearer picture of the system’s shortcomings and can go back to reduce the risk of that particular system or hardware.
“We integrate a risk assessment report and risk acceptance document into every single project we do as part of the closeout package. That is a policy that we have based on my personal experience going back 25 years,” he said. “It works great because you are delivering a service and tying up all those loose ends—does the customer know about it? Is it communicated out? Has it been tested? Are the features validated? Has everyone been trained on it from the help desk to the users to the engineers?”
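The closeout package described above pairs a risk assessment report (derived from scan results) with a risk acceptance document. The following added example, which is not USTDA's code, shows one way to generate both from scan findings and gate closeout on them; the findings, severity weights and sign-off rule are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed severity weighting and sign-off rule (not from the article).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
ACCEPTANCE_REQUIRED = {"critical", "high"}

@dataclass(frozen=True)
class Finding:
    host: str            # scanned asset
    plugin_id: str       # scanner check id (constructed names below)
    severity: str        # critical / high / medium / low
    fixed: bool = False  # remediated before closeout?

@dataclass
class RiskReport:
    system: str
    open_by_severity: dict   # severity -> count of unremediated findings
    worst_by_host: dict      # host -> highest open severity rank
    needs_acceptance: list   # (host, plugin_id, severity) lacking sign-off
    residual_score: int      # sum of ranks of open findings

def build_risk_report(system, findings, accepted_ids=frozenset()):
    """Turn scan findings into the closeout risk assessment report.
    accepted_ids: plugin ids the mission owner signed a risk acceptance for."""
    counts, worst, needs, score = defaultdict(int), {}, [], 0
    for f in findings:
        if f.fixed:
            continue
        sev = f.severity.lower()
        rank = SEVERITY_RANK.get(sev, 0)
        counts[sev] += 1
        worst[f.host] = max(worst.get(f.host, 0), rank)
        score += rank
        if sev in ACCEPTANCE_REQUIRED and f.plugin_id not in accepted_ids:
            needs.append((f.host, f.plugin_id, sev))
    return RiskReport(system, dict(counts), worst, needs, score)

def ready_to_close(report):
    """Closeout gate: every open critical/high finding is fixed or accepted."""
    return not report.needs_acceptance

# Constructed sample scan output for a new file-server rollout.
SAMPLE_FINDINGS = [
    Finding("fs01", "smb-v1-enabled", "high"),
    Finding("fs01", "wannacry-smb-patch", "critical", fixed=True),
    Finding("fs02", "tls-weak-cipher", "medium"),
    Finding("fs02", "smb-v1-enabled", "high"),
    Finding("fs03", "banner-disclosure", "low"),
]
```

Running `build_risk_report("file-storage", SAMPLE_FINDINGS)` leaves two high findings without sign-off, so `ready_to_close` is false until they are fixed or their ids are passed in `accepted_ids`.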
Bergersen said he’s happy to share the closeout package with other federal CIO offices.
Another way Bergersen said USTDA is trying to reduce the risk of cyber attack is by taking advantage of the Homeland Security Department’s continuous monitoring-as-a-service under the continuous diagnostics and mitigation (CDM) program.
He said USTDA is taking advantage of the shared service as the agency moves offices and reduces its data center footprint.
“The CDM system integrates with your local environment and that is very robust. What I’m excited about seeing is how you integrate all your different solutions. We are in multiple different shared service providers with our financial systems, our email systems, our website as well as our local systems. So that will be a challenge because I know each one of these is protected by CDM, but can you show me an integrated picture of all my different services from different agencies as well as from different vendors on a dashboard, back to me at USTDA.”
Bergersen said he’s seen an example of the upgraded dashboard from DHS. He said he’s most excited about how the tool will integrate reports from multiple cloud providers.
Bergersen said the risk management approach cuts across all of his priorities, starting with the cloud.
He said USTDA already has moved its email and its website to the cloud, and soon will move its network storage, the collaboration portal and finally its legacy applications to outside service providers.
“For our mobile users, we are implementing synchronization for offline use. So that helps if we are in our local offices and someone tears up the connections for power or air conditioning in our building, we still have our data on our encrypted laptops and desktops available. The same thing for our portable phones and laptops for our global users, so when they have connectivity to the cloud they can synchronize and it’s all done in the background. When they do not have connectivity, they can work locally. That also helps with patching and updating in cybersecurity.”
Along those same lines, Bergersen said USTDA wants to take advantage of shared services as much as possible as part of his focus on efficiency and effectiveness.
He said the agency moved its financial management system to a shared service provider and is saving $500,000 to $750,000 a year.