Roger Greenwell, the chief information officer, the authorizing official and risk management executive at DISA, said the agency is looking to its user community to better understand risk as cloud and agile become standard processes.
“Where we are facing an evolution is the fact that cloud development, agile development methods and the dev/sec/ops type of roles is forcing us to change and be able to rapidly make those decisions, whereas many of our processes are almost geared around the more traditional waterfall development where these things occur in sequence: here’s a release of code, doing an assessment of authorization and assessment and all of it takes time,” Greenwell said on Ask the CIO. “You have to be able to change and rapidly make those decisions. That is where automation and technology is going to play a huge role in terms of that actual assess piece.”
Greenwell said applying automation to the development environment will help ensure configuration management and other IT security controls are met, which, in turn, will help inform the risk decisions that mission and security experts make.
For Greenwell, calculating and deciding on risk intersects all three of his current roles. He oversees more than 200 systems across DISA and is involved in the cloud security process called the Federal Risk and Authorization Management Program (FedRAMP).
“In times past, everything was focused on the elimination of risk. In today’s world, you can’t eliminate all the risk,” he said. “You have to be able to manage those risks and you have to be able to prioritize those things with which you have a limited staff or tools or capabilities to be able to address. That is one of those things we are really trying to focus on is understanding where the threats are, how do we take that information and make sure we are addressing those key priorities.”
The goal is to make sure DISA is using the most important controls to address the biggest threats and/or to protect the most sensitive data and systems.
Greenwell said the number of systems, where they live (on premises or in the cloud) and their capabilities require a different view of risk and how to mitigate it.
Raising the risk posture across DoD
To address many of these challenges and in the face of continual change, Greenwell said DISA is working closely with the Defense Department’s chief information security officer and the broader military CISO community.
“When we look at what we are trying to do, we are trying to bring the community together to say what are those things that are most important, where do we need to channel our resources?” Greenwell said. “I think the community, as a whole, recognizes the risk management framework (RMF) is the right concept. We need to be able to manage risk, but we also need to be able to do this more effectively. Does that mean there is a difference in the way we look at controls? Should we change the way we authorize systems in terms of bringing systems and capabilities on to the network and conduct our testing? There are some working groups occurring in different parts of the community to look at this. We are working with the DoD CIO to figure out how to bring the collective together and leverage that for the good of the department.”
This change in thinking becomes even more important as the military moves more and more of its systems into the cloud and takes on the agile or dev/ops methodology for development.
One approach to addressing the challenges of risk management and the cloud is by improving the authorization process. Greenwell signed out a memo in August enabling reciprocity for clouds at impact level 2 or below that have been approved under FedRAMP.
Greenwell said the services and military agencies do not need to wait for explicit DoD approval to use authorized cloud service providers.
“It does require the mission owners to understand the risk those systems bring,” he said. “As mission owners take advantage of those cloud capabilities, they really are leveraging a provisional authorization because they are using that cloud infrastructure differently than what an original authorizing official may have done. It gives that basis of risk acceptance that has been looked at by that [original] mission owner and providing those artifacts and information to that DoD mission owners to be able to say we understand what the risks are and be able to authorize the use of that cloud service.”
He said the key to reciprocity is trust, and the reason the memo could have a bigger impact than any other attempt to get agencies to share is that the rigor of the tests is clear. He pointed to a recent assessment where DISA, the Air Force, the Army Corps of Engineers and the Defense Logistics Agency worked together to approve a cloud service.
“One of the other areas where we’ve been successful in the area of cloud is we’ve worked with some of the mission partners to do cloud assessments as we move above an impact level 2 to an impact level 4,” Greenwell said. “It’s not just DISA doing that impact assessment, but actually bringing those mission partners and having them participate with us in doing a joint assessment. That has gone a long way toward building a sense of trust between entities.”