The Centers for Medicare and Medicaid Services is in the midst of an “all-out assault” to streamline how it approves the security of software and applications, and the agency is modeling its approach after the Air Force’s “Platform One,” according to its chief information security officer.
CMS CISO Robert Wood said the agency is taking on the “burdensome friction” of slow authority-to-operate processes and other security policies from multiple angles.
“We are not going to solve all of our problems with one big project,” Wood said during a Feb. 18 webinar hosted by the ACT-IAC Cybersecurity Community of Interest. “Rather we are going to attack it on multiple sides and sort of swarm around it.”
Wood said the initiative has taken on increased urgency as CMS is at the center of national initiatives to respond to COVID-19, the opioid epidemic and other healthcare crises.
“We need to be able to change as an institution in the healthcare arena faster, and more stably, more than ever,” he said.
The agency’s first big effort, he said, is centered on a “rapid ATO” process to help application development teams build their system security plans faster. CMS is using reusable control descriptions and pre-written control statements for vetted technologies, like identity management, so teams don’t have to start their ATO with a blank slate every time.
Eventually, Wood said CMS wants to incorporate Software Bills of Materials and other asset identification tools into the process “where we can automatically identify components of a system and then pre-populate a lot of that stuff for you.”
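As an added illustration of the SBOM-driven pre-population Wood describes (example code written here, not CMS’s tooling): it reads a constructed CycloneDX-style SBOM, matches each component against a hypothetical catalog of vetted technologies carrying pre-written control statements, and returns the statements that seed the system security plan plus the components that still need a hand-written entry. The SBOM contents, the catalog, the component names and the control labels are all assumptions.

```python
import json

# Constructed CycloneDX-style SBOM fragment (assumed format; not from CMS).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"type": "library", "name": "example-idp", "version": "21.0.1"},
    {"type": "container", "name": "example-proxy", "version": "1.25"},
    {"type": "library", "name": "example-util", "version": "1.3.0"}
  ]
}
"""

# Hypothetical catalog of vetted technologies with pre-written control
# statements. Names and control labels are placeholders, not a real framework.
VETTED = {
    "example-idp": {
        "controls": {
            "ACCESS-CONTROL": "Authentication is delegated to the vetted identity service.",
            "AUDIT": "Login events are recorded by the identity service audit log.",
        },
    },
    "example-proxy": {
        "controls": {
            "TRANSPORT": "TLS termination follows the vetted proxy configuration baseline.",
        },
    },
}


def prepopulate_ssp(sbom_json: str) -> dict:
    """Map SBOM components to pre-written control statements.

    Returns {"statements": {control: [text, ...]}, "unvetted": [name@version]}
    so a team starts from vetted text and only writes the remainder by hand.
    """
    sbom = json.loads(sbom_json)
    statements, unvetted = {}, []
    for comp in sbom.get("components", []):
        entry = VETTED.get(comp["name"].lower())
        if entry is None:
            # Not a vetted technology: flag it for a manual control write-up.
            unvetted.append(f'{comp["name"]}@{comp.get("version", "?")}')
            continue
        for control, text in entry["controls"].items():
            statements.setdefault(control, []).append(text)
    return {"statements": statements, "unvetted": sorted(unvetted)}


if __name__ == "__main__":
    print(json.dumps(prepopulate_ssp(SBOM_JSON), indent=2))
```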
A second, related effort is developing a platform-as-a-service for CMS software development. Wood said the agency is modeling its effort after “Platform One,” the Air Force’s enterprise software development environment.
“We’re not trying to deploy Kubernetes and containers on submarines or airplanes while they’re in flight,” Wood noted. “So we have a lot of flexibilities that they do not have when it comes to the way that we do deployments.”
Like Platform One, Wood said CMS is building its platform on top of the open-source container orchestration system Kubernetes.
He said CMS has established a “functional prototype” of the software development environment, and he expects within the next two months that it will reach the stage of “minimum viable product” with two applications running on it.
The idea is to embed the rapid security assessments process within the development environment, allowing teams to roll out new software builds more rapidly.
“There’s a lot of teams at CMS that are stuck in this place of deploying monthly or quarterly, and that’s a good thing for them,” he said. “There are some teams that do deploy daily. But it’s not the norm right now. It’s the exception, and we hope to be able to inverse that.”
With the current process, he said, speed is not incentivized in many ways.
“Continuously deploy your application, continuously improve your application, which is something that doesn’t really happen because change is viewed as a bad thing, because you have to do security impact analyses, you have to maybe even go through a new ATO if you’re redesigning things significantly,” he said. “There’s all of this compliance process that ends up becoming the focus of development teams, which is definitely not where we want people spending their time and energy.”
Wood said CMS is also attempting to reform its security operations in a bid to streamline an approach that he called a “bottleneck” for development teams trying to access data to patch systems, respond to incidents and carry out other mission-critical functions.
“We are building on a data lake platform,” he said. “We’re using that as our single source of truth, because we can build really, really rich governance rules around access and reporting into that.”