On September 30, Microsoft received a provisional authorization to operate (ATO) for its Windows Azure Public Cloud from the Joint Authorization Board (JAB) of the Federal Risk and Authorization Management Program (FedRAMP). Windows Azure offers infrastructure-as-a-service (IaaS), platform-as-as-service (PaaS), and data storage and management services to commercial and public sector clients. In order to meet FedRAMP requirements, Microsoft has designated multiple U.S.-based data centers with corresponding network and hardware infrastructure and application services, supported by U.S. personnel and protected by security measures that adhere to federal security policies, standards, and other requirements.
For its FedRAMP authorization, Microsoft chose to follow a process under which its security was assessed by SecureInfo, one of several third-party assessment organizations (3PAO) authorized by the JAB to help cloud service providers meet FedRAMP requirements and to perform FedRAMP evaluations and make recommendations to the JAB on the extent to which each provider complies with FedRAMP. The provisional authorization (P-ATO) granted by the JAB to Microsoft is not tied to any specific use of Azure services or to any individual federal agencies. Agencies may choose to evaluate projects or solutions leveraging Windows Azure to make their own authorization decisions or opt to accept the P-ATO as sufficient evidence that appropriate security requirements are being met. Vendors or solution providers looking to serve federal customers may find it valuable to use Azure to satisfy policies in place at many agencies that external service providers comply with federal security standards.
Last week, Amazon announced that it had received separate agency authorizations to operate (ATO) from the U.S. Department of Health and Human Services (HHS) for two of its Amazon Web Services cloud computing offerings, and that those cloud services are now compliant with security requirements in the government’s Federal Risk and Authorization Management Program (FedRAMP). The authorizations to operate are for the AWS GovCloud environment – a government community cloud offering infrastructure-as-a-service (IaaS) specifically to U.S. government customers – and for the AWS US East/West environment, a public cloud available to commercial and public sector customers that also delivers IaaS using entirely U.S.-based data centers and infrastructure.
The FedRAMP designation, coupled with the ATO actions by HHS, gives other federal agencies the option to streamline their own authorization decisions for use of the AWS environments. Generally speaking, other agencies will still need to evaluate the security control documentation provided by Amazon and grant their own agency ATOs before using the AWS environments to host systems, but the fact that Amazon has already implemented security controls required under FedRAMP and undergone an agency ATO process should greatly reduce the level of effort required for other agencies (or even operating divisions within HHS) to issue their own authorizations.
The National Institute of Standards and Technology (NIST) has released the final version of its Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. The 800-53 framework, which is required for all federal agencies under Federal Information Processing Standard (FIPS) 200 and more generally under the provisions of the Federal Information Security Management Act of 2002 (FISMA), specifies security controls to be implemented for federal information systems. This most recent update, the first major revision in nearly four years, includes many newly added controls and implementation standards intended to address access control, identity management, configuration management, data protection, and newer hosting models such as cloud computing. It also for the first time includes a set of controls and enhancements specifically focuses on privacy, and expands the set of program management controls first introduced with Revision 3 in 2009.
Federal agencies are not likely to move quickly to migrate their internal security practices from Revision 3 to Revision 4, in part because the corresponding NIST guidance on security control assessment (Special Publication 800-53A) has not yet been updated to match the revised control framework. It may be a year or more before the assessment guidance is updated, giving many agencies a justification for sticking with the prior version of 800-53. The adoption of Revision 4 is likely to be driven in part by a separate but parallel effort of the Joint Task Force Transformation Initiative Working Group (which includes representatives from civilian, defense, and intelligence agencies) to unify security control frameworks with 800-53 and system assessment and authorization procedures prescribed in Special Publication 800-37 Revision 1. Over the past 5 years, revisions to 800-53 have been strongly influenced by requirements and preferences coming from military and intelligence communities, so as these non-civilian agencies transition to government-wide processes and standards they will presumably use the latest version of 800-53 to guide their activities.
The ongoing analysis of the crippling if short-lived computer attack last week against South Korean financial institutions and media companies highlights some of the key difficulties facing the United States and other nations trying to establish policies, procedures, and offensive and defensive cyber-security capabilities. Immediate reaction pointed suspiciously to North Korea and China as the most likely perpetrators of the attack, with initial news reports citing Chinese IP addresses identified as the source of the attack. Subsequent analysis resulted in a less clear picture, as security analysts suggested that certain characteristics of the attack made it appear to have come from a well-resourced attacker such as a government-sponsored program but retreated from earlier conclusions attributing the attack to China.Given current tensions between South and North Korea, looking by default to the North is understandable, and concerns over state-sponsored cyber-espionage have intensified in recent weeks, driven in part by the publication in February of a detailed report from security firm Mandiant providing the results of a technical analysis of Chinese government-sponsored spying activities.
The inability to pinpoint the source of a major attack with any great degree of confidence presents a substantial risk to cyber defense operations such as the U.S. Cyber Command (USCYBERCOM), particularly as they shift from largely defensive or retaliatory positioning to a greater emphasis on offensive capabilities. The technical ability to disable an adversary or to impact the computing or critical infrastructure of another nation is less an issue than knowing with some certainty that the targets of such activity is in fact the adversary in question. Anyone with even a rudimentary knowledge of network protocols and behavior understands the relative simplicity of masking an online identity by using a falsified source IP address, to say nothing of the potential that malicious activity accurately traced to a computer or other device in another country may have been compromised to serve as a launching point for attackers in entirely different locations. In the case of the South Korea attack, the IP address originally linked to a Chinese source turned out to belong to a computer at one of the targeted companies. South Korean officials never explicitly blamed China for the attack, suspecting instead that North Korea was responsible for the attack, possibly assisted by the Chinese or at least using infrastructure that belongs to China. It is not yet clear what role, if any, the U.S. government will play in investigating the South Korean attack, although the National Security Agency has long called out China among key foreign governments responsible for such attacks.
A news story in today’s Washington Post calls attention to a recent audit report from the Government Accountability Office, released last month, that identified numerous weaknesses in security controls at the U.S. Census Bureau that pose risks to the bureau’s ability to properly safeguard the information it collects. The weaknesses GAO found raise legitimate concerns about protecting the confidentiality of personal information on U.S. residents and the integrity of that information. Given the vast amount of personal information the Census Bureau collects and maintains and the reliance on the government of census data to determine legislative boundaries, allocate federal funding for social programs, and shape policy, the lack of effective security controls is both troubling and a bit surprising. GAO emphasized weaknesses in access controls, where it identified six distinct issues, and also pointed to operational and programmatic problems in information security management. The audit findings related to access controls included the following issues:
Other cited weaknesses include those in patch management and device configuration procedures, contingency planning, in the bureau’s implementation of its information security program. The findings of deficiencies within the security management program help explain a lot of the more detailed weaknesses addressed in the report. GAO noted that the Census Bureau is in the process of implementing a risk management program consistent with current NIST guidelines to federal agencies, but it seems the bureau has not moved beyond a system-specific view of security to better incorporate an enterprise-wide perspective and, within system-level procedures, often failed to fully document security controls, control assessments, weaknesses and vulnerabilities, and remediation plans. Indeed, the 13 recommendations for corrective action offered by GAO can be interpreted in the aggregate as an admonishment to follow existing standards and guidance to federal agencies to which the Census Bureau is already supposed to be adhering. The official bureau response to the audit findings, included as part of the published GAO report, suggests minor changes undertaken to achieve compliance but give no indication that the bureau is taking any steps to improve its information security program. This offers little reassurance to members of the public that any meaningful improvement is forthcoming, either in security posture of the Census Bureau’s computing environment or the protection of personal information entrusted to the bureau’s stewardship.