Insight by AWS Wickr

How agencies can use secure enterprise messaging, collaboration apps to meet security, compliance requirements

“Having the ability to securely communicate and share information is fast becoming a top priority for federal agencies," said Mike Lentine of AWS.

Federal agencies’ adoption of technologies to support team collaboration and hybrid work environments, including chat, video conferencing, and document sharing, is accelerating. However, when it comes to messaging, employees often default to apps that are already loaded on their phones, whether their devices are personal or government-issued, and whether the apps are approved for work-related conversations or not.

The risks of consumer messaging apps

Today, many government employees use consumer messaging apps to fill the need for official end-to-end encrypted communications. While these apps are free and easy to use, they lack the administrative controls and data retention features agencies need to verify that data is being adequately protected and preserved. This increases organizational risk, and creates problems for agencies when trying to fulfill Freedom of Information Act requests or produce records in an investigation.

When agency personnel and teams are conducting government activities, they must use only approved encrypted services. This ensures that security, privacy and data retention requirements are met, regardless of whether a government-issued or personal device is used.

Specific technical controls must be in place for data that is designated “for official use only,” which means that under FOIA, it is exempt from mandatory release to the public. This includes data that is classified as controlled unclassified information (CUI), which has numerous security categories and must be handled in specific ways based on those subclassifications.

Several rules and regulations intended to safeguard sensitive data impact federal communications, including:

Needless to say, the controls and regulations around sharing sensitive federal agency data are complex, and consumer apps do not align with requirements.

Consider the security challenges posed by collaborating with mission counterparts at the tactical edge. On the ground, government employees may consider using consumer apps on their phones for convenience, since they already use those apps in a personal capacity. However, the use of these apps poses security risks, since employees may move to new roles or retire, taking the data from personal apps with them.

Agencies collaborating on sensitive matters need an enterprise-grade messaging app that helps teams safely communicate with internal and external stakeholders by providing security, as well as administrative and compliance capabilities.

Security

End-to-end encryption can protect messages and files that contain sensitive and proprietary data — such as personally identifiable information, protected health information, CUI and mission-critical information — in transit and at rest to decrease the likelihood of a security incident. The application should be accessible on any device and in any environment around the world, including low-bandwidth and austere environments to ensure reliable communications and support mission success.

Administrative control

Administrative functions should allow agencies to add, remove and invite users, and organize them into security groups with access to features and content restricted to their level. Administrators need to be able to authorize certain users to communicate outside of the agency, and to restrict file-sharing capabilities. Ephemeral features such as burn-on-read and expiration timers, which allow senders to delete a message after it is read or after a set amount of time, offer added security. Blocking-resilient protocols can help direct encrypted traffic around blocking attempts, and deliver covert communications in restrictive environments.

This becomes especially important when allowing teams to collaborate in edge deployments that could exist in contested areas.

For example, Operation Recovery — a nonprofit organization made up of Special Operations veterans, intelligence specialists, medical professionals, immigration experts, refugee organizers and advocates — used AWS Wickr for end-to-end encryption, burn-on-read timers and open access functionality to securely communicate and transfer documents, and support the safe evacuation of 3,500 Afghan allies in the wake of the U.S. military exit from Afghanistan in 2021.

Compliance

U.S. government agencies need security and administrative controls to comply with requirements ranging from the Federal Risk and Authorization Management Program (FedRAMP) and various NIST control frameworks, to the DoD’s Impact Level security controls.

Many agencies are also subject to recordkeeping requirements, such as those that fall under the Federal Records Act and National Archives and Records Administration, as well as records requests related to FOIA and various state sunshine statutes.

While data retention is often thought of as being incompatible with end-to-end encryption, FedRAMP High-authorized messaging apps such as AWS Wickr offer both, helping customers effectively retain messages by providing the ability to retain information in a secure, controlled data store that they manage. No one other than intended recipients has access to the keys required to decrypt conversations or documents, giving organizations full control over their data. Data retention can be implemented as an always-on recipient that is added to conversations, similar to the blind carbon copy feature in email. The data-retention process participates in the cryptographic key exchange, allowing it to decrypt messages. The process can run anywhere: on-premises, on an Amazon Elastic Compute Cloud (Amazon EC2) instance, or at a location of the customer’s choice.
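To make the retention design described above concrete, here is an added toy example (not AWS Wickr code; the page does not show its actual protocol or APIs) in which each message is encrypted under a fresh message key that is then wrapped for every recipient, and the retention process is simply one more recipient holding a pairwise key from the key exchange. The pairwise keys, party names and message text are constructed, and the HMAC-based stream cipher stands in for a real AEAD.

```python
import os
import hmac
import hashlib

def _keystream(key, nonce, n):
    """Toy CTR-style keystream from HMAC-SHA256 (illustration only, not a vetted cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _subkey(msg_key, label): return hmac.new(msg_key, label, hashlib.sha256).digest()

def encrypt_for_group(plaintext, recipient_keys):
    # Encrypt once under a fresh message key, then wrap that key for each recipient
    # in recipient_keys ({name: 32-byte pairwise key}); retention is just one more entry.
    msg_key, nonce = os.urandom(32), os.urandom(16)
    body = _xor(plaintext, _keystream(_subkey(msg_key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(msg_key, b"mac"), nonce + body, hashlib.sha256).digest()
    wrapped = {}
    for name, pairwise_key in recipient_keys.items():
        wn = os.urandom(16)
        wrapped[name] = wn + _xor(msg_key, _keystream(pairwise_key, wn, 32))
    return {"nonce": nonce, "body": body, "tag": tag, "wrapped": wrapped}

def decrypt_as(name, pairwise_key, envelope):
    # Unwrap the message key with this party's pairwise key, verify the tag, decrypt.
    if name not in envelope["wrapped"]:
        raise PermissionError(f"{name} holds no wrapped key for this message")
    w = envelope["wrapped"][name]
    msg_key = _xor(w[16:], _keystream(pairwise_key, w[:16], 32))
    mac = hmac.new(_subkey(msg_key, b"mac"), envelope["nonce"] + envelope["body"], hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), envelope["tag"]):
        raise ValueError("authentication failed: wrong key or tampered message")
    return _xor(envelope["body"], _keystream(_subkey(msg_key, b"enc"), envelope["nonce"], len(envelope["body"])))

def demo():
    # Constructed pairwise keys; in a real deployment each comes from the key exchange.
    keys = {"alice": os.urandom(32), "bob": os.urandom(32), "retention": os.urandom(32)}
    env = encrypt_for_group(b"CUI: convoy departs 0600", keys)
    bob_view = decrypt_as("bob", keys["bob"], env)
    retained = decrypt_as("retention", keys["retention"], env)
    try:                                  # the relay server was never a recipient
        decrypt_as("server", os.urandom(32), env)
        blocked = False
    except PermissionError:
        blocked = True
    return bob_view, retained, blocked
```

The relay that carries the envelope sees only ciphertext and wrapped keys, while the retention recipient, because it took part in the exchange, can decrypt into the controlled store the customer manages.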

“Having the ability to securely communicate and share information — whether in an office or out in the field — is fast becoming a top priority for federal agencies,” said Mike Lentine, senior manager for federal civilian homeland, enforcement and transportation at AWS. “Collaborating securely through messaging, calling, file and screen sharing with end-to-end encryption, while also meeting requirements is imperative. Solutions that give government customers not only the security and privacy of end-to-end encryption, but the control they need to protect and retain sensitive and regulated data will help them achieve their missions.”

Copyright © 2024 Federal News Network. All rights reserved.
