A New Model to ATO: Agile Cybersecurity Engineering. Overcome Slow, Intermittent Authority to Operate Requisites with Continuous Monitoring

Similar documents
A New Model to ATO: Agile Cybersecurity Engineering

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

5 Steps to Government IT Modernization

Fundamental Shift: A LOOK INSIDE THE RISING ROLE OF IT IN PHYSICAL ACCESS CONTROL

Transformation in Technology Barbara Duck Chief Information Officer. Investor Day 2018

White Paper. View cyber and mission-critical data in one dashboard

The University of Queensland

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Pedal to the Metal: Mitigating New Threats Faster with Rapid Intel and Automation

Data Governance Quick Start

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface

Ready for Scrum? Steve Hutchison DISA T&E

DELIVERING MISSION BASED OUTCOMES TO THE INTELLIGENCE COMMUNITY SINCE 2002 MISSION-DRIVEN SOLUTIONS 1

COMPLIANCE AUTOMATION BRIDGING THE GAP BETWEEN DEVELOPMENT AND INFORMATION SECURITY

Accelerate Your Enterprise Private Cloud Initiative

Sustainable Security Operations

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

The Perfect Storm Cyber RDT&E

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

RISK MANAGEMENT FRAMEWORK COURSE

Risk Management Framework for DoD Medical Devices

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Your Challenge. Our Priority.

STRATEGIC PLAN

SIEM: Five Requirements that Solve the Bigger Business Issues

THE JOURNEY OVERVIEW THREE PHASES TO A SUCCESSFUL MIGRATION ADOPTION ACCENTURE IS 80% IN THE CLOUD

VMware Cloud Operations Management Technology Consulting Services

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Smart Data Center Solutions

Closing the Hybrid Cloud Security Gap with Cavirin

ALIGNING CYBERSECURITY AND MISSION PLANNING WITH ADVANCED ANALYTICS AND HUMAN INSIGHT

Health Information Technology - Supporting Joint Readiness

Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

IT-CNP, Inc. Capability Statement

Vulnerability Assessments and Penetration Testing

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

THE POWER OF TECH-SAVVY BOARDS:

THE AUTOMATED TEST FRAMEWORK

Will your application be secure enough when Robots produce code for you?

The NIST Cybersecurity Framework

Supporting the Cloud Transformation of Agencies across the Public Sector

Evolving the Security Strategy for Growth. Eric Schlesinger Global Director and CISO Polaris Alpha

Information Security Continuous Monitoring (ISCM) Program Evaluation

TEL2813/IS2621 Security Management

Veratics, Inc. Overview. Service Disabled Veteran Owned Small Business

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

Cyber Intelligence Professional Certificate Program Booz Allen Hamilton 2-Day Seminar Agenda September 2016

Cybersecurity. Securely enabling transformation and change

Solutions Technology, Inc. (STI) Corporate Capability Brief

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Healthcare IT Modernization and the Adoption of Hybrid Cloud

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Organizing for the Cloud

Tripwire State of Container Security Report

Implementing ITIL v3 Service Lifecycle

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

INTELLIGENCE DRIVEN GRC FOR SECURITY

THE TOP 5 DEVOPS CHALLENGES

Medical Device Cybersecurity: FDA Perspective

TRIAEM LLC Corporate Capabilities Briefing

Information Infrastructure and Security. The value of smart manufacturing begins with a secure and reliable infrastructure

Dell helps you simplify IT

Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs

SD-WAN. Enabling the Enterprise to Overcome Barriers to Digital Transformation. An IDC InfoBrief Sponsored by Comcast

locuz.com SOC Services

NC Education Cloud Feasibility Report

IT Risk & Compliance Federal

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

I D C T E C H N O L O G Y S P O T L I G H T. V i r t u a l and Cloud D a t a Center Management

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

Struggling to Integrate Selenium into Your Ice Age Test Management Tools?

NCSF Foundation Certification

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR

I D C T E C H N O L O G Y S P O T L I G H T

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

DIGITAL INNOVATION HYBRID CLOUD COSTS AGILITY PRODUCTIVITY

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

Government IT Modernization and the Adoption of Hybrid Cloud

A DEVOPS STATE OF MIND. Chris Van Tuin Chief Technologist, West

Security by Default: Enabling Transformation Through Cyber Resilience

align security instill confidence

Predictive Insight, Automation and Expertise Drive Added Value for Managed Services

RiskSense Attack Surface Validation for IoT Systems

THE STATE OF IT TRANSFORMATION FOR TELECOMMUNICATIONS

Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER

Bringing DevOps to Service Provider Networks & Scoping New Operational Platform Requirements for SDN & NFV

Agile Master Data Management TM : Data Governance in Action. A whitepaper by First San Francisco Partners

Smart Data Center From Hitachi Vantara: Transform to an Agile, Learning Data Center

Accelerating Digital Transformation

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Cyber Resilience. Think18. Felicity March IBM Corporation

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

RSA NetWitness Suite Respond in Minutes, Not Months

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

Transcription:

A New Model to ATO: Agile Cybersecurity Engineering Overcome Slow, Intermittent Authority to Operate Requisites with Continuous Monitoring By James Bowlin, VP Cyber Security Engineering, NCI, Inc. 11730 PLAZA AMERICA DRIVE RESTON, VA 20190 OFFICE: 703-707-6900 NCIINC.COM

Five Principles to Help Security Keep Pace in an Agile and DevOps Culture Federal agencies are increasingly adopting Agile frameworks and DevOps methodologies to accelerate software, system and application development, aiming to achieve the same benefits as commercial organizations: faster time to market, lower costs and more efficiencies. Moving away from traditional Waterfall models to more dynamic approaches centers on more rapid, iterative development. DevOps brings about an even higher level of continuous integration and delivery benefits. A recent MeriTalk survey, found 78 percent of federal respondents see DevOps as a means to help their agency innovate faster responses and services, which is a boon for keeping up with evolving user requirements and needs. Federal DevOps Project Spotlight Across the Department of Defense (DoD), operating divisions such as the Defense Health Agency (DHA) traditionally have been known to run systems development lifecycles (SDLC), but now are working under more Agile- and DevOps-like phases. For DHA, this is helping it keep pace with its major rollout of GENESIS, a commercial electronic health record (EHR) product by Cerner that is continually being updated and enhanced. Agile and DevOps methodologies are widely embraced at the Department of Veterans Affairs (VA), which is aiming to more rapidly service the interest of veterans by leveraging a microservices application architecture through some pilot programs, such as the Veteran-focused Integration Process (VIP) initiative. The Centers for Medicare and Medicaid Services (CMS), working with the U.S. Digital Service (USDS), recently created a streamlined process for procuring Agile IT solutions to accelerate higher quality and valuebased healthcare services under a new blanket purchase agreement (BPA) called Agile Delivery to Execute Legislative Endeavors (ADELE). The General Services Administration (GSA) houses 18F, an innovative shop created to assist agencies with building and fixing technical solutions using more Agile and open methodologies even using it to set up and manage its own Agile BPA. As agencies are embracing this evolution, they also are facing challenges with regard to incorporating security into Agile development and production cycles. These agencies often find their current security processes, workflows, and team structures are in conflict and cannot keep pace with the Agile and DevOps culture. The gains in cost, schedule and performance are overshadowed by the inability for cybersecurity professionals to adapt to fast-paced continuous improvement release cycles. Achieve More Frequent ATOs with Continuous Monitoring The idea of discovering defects and vulnerabilities more frequently should not be shied away from as a system owner or organization. Instead, the inherent nature of more iterative development and continuous monitoring bears more opportunity to uncover and mitigate vulnerabilities with higher frequency. The idea of continuous monitoring a fundamental tenet of DevOps makes it a more

fluid, ongoing timeline to achieve a higher level of security for systems and system of systems. The risk management framework (RMF) is very adaptable and allows for seamless integration into Agile methodologies. The National Institute of Standards and Technology (NIST) 800-53 controls and enhancements are constantly monitored and verified as well as major updates at least once every three years. Moving to secure DevOps facilitated by Agile, automation and lean management techniques, helps agencies keep their systems up-todate and accredited at the pace of innovation itself. And, this can be further enabled by virtualization of the host, network and storage systems, plus the advent of cloud and cloud-like utility infrastructures of low-cost massive capabilities. NCI provides five principles to integrate cybersecurity into Agile and DevOps environments NCI has identified five guiding principles for agencies to integrate and implement security into Agile and DevOps environments to achieve value securing code under high-tempo development. Principle #1 Bake-in Security During Requirements Elicitation Our desire and ability to innovate is outpacing the speed with which security is being embedded into the hardware and software design process. Too often, security requirements are treated as an afterthought when gathering and documenting system development requirements. Quite often, even when security is a consideration, the security requirements are typically written in such broad brush strokes that do not specifically speak to the design or development functions set forth to be useful to the end users. Peppering in security requirements after development leaves the chance of the application and systems being at risk from origin rendering them ineffectual. The concept of baking in security at the IT development level is gaining traction. However, secure design and development is a long way from being the golden standard. In mission critical industries such as military operations, healthcare and financial transactional systems, the need to implement and assign a lead security engineer to help identify security requirements either in one-on-one interview sessions or as part of larger brainstorming group workshops is increasingly more imperative. To be more integrated and granular; this role should be the counterpart to the chief engineer or lead engineer. Creating a cochair leadership structure feeds a commitment to both functionalities and includes security. The benefit will be a more realistic and tightly integrated requirements package based upon RMF or NIST security requirements and objectives that can serve as the foundation for traceability. This model also will continue reassessing security control processes at every release to ensure accuracy and validity of the control measure. Principle #2 Assign Security Engineers to Scrum Team Rosters It still is not uncommon to find IT engineers and cybersecurity teams segregated from one another, especially at the federal level. Cybersecurity always will be a top priority for leadership, but disparate groups will bring diverse views of the challenges that agencies face

securing systems and program milestones. In an Agile environment, development Scrum teams aim to work more closely with, say, leadership or cross-functional departments. The security team shouldn t be treated any differently. Pulling in security once a product has been developed or deployed may work in traditional Waterfall models, but falls flat in DevOps-minded culture. A core benefit of DevOps is continuous monitoring Part of a Scrum team should include software and system security engineer leads and specialists, whose responsibility is to translate product security requirements into user stories (working alongside the Scrum master, technical lead and program manager). They will manage the user stories, perform tasks as required to deliver user story value, and propose and implement new technologies and processes to satisfy requirements. By forcing closer collaboration between security and development, Scrum teams will gain more opportunity to receive and maximize feedback from various perspectives. This structure will help everyone make more informed planning goals and further cultivate continuous improvement inclusive of dynamism, focus, and transparency to project planning and implementation. Principle #3 Track Vulnerabilities as Defects A core benefit of DevOps is continuous monitoring. When looked at through the security lens, agencies can continually assess, monitor and detect security posture at the source code level identifying threats and vulnerabilities before they become security incidents. Especially with cloud-based applications and platforms being released with exponential speed, source code analysis can be regularly monitored and analyzed to verify the security posture of the application code base. Vulnerabilities can be documented and validated, and then prioritized based on severity, likelihood and organizational impact. Tracking vulnerabilities as defects determines the residual severity and priority levels entered on the defect. With DevOps and Agile methodologies, defects are tracked very meticulously. The defects are a form of measurement and determine the quality of the product being delivered. The addition of security vulnerabilities into the defect tracking process provides the weight and visibility needed to take security to the forefront of the quality of system releases. Principle #4 Focus on Systems Primed for Agile and DevOps Keep in mind that an Agile cybersecurity engineering approach is not for every agency program. Not all systems are created equally and, therefore, not all system environments should be moved to Agile or DevOps just for the sake of keeping up with the times. Federal agencies, in particular, should be judicious about this given the nature of many mission critical programs, such as tactical combat systems, and the vast amount of legacy code, like COBOL, still in operation today. Start by evaluating the system s engineering capabilities, lifecycle management and advancement assessment. Ask whether or not the transition to Agile and DevOps would pay dividends or simply cause more headache, and potentially open up the system under evaluation to more vulnerabilities. Systems with a shelf life, for example, may not need to be moved over but still could benefit from applying a lighter touch of more continuous monitoring of security threats and vulnerabilities.

Principle #5 Prioritize Fixes with Input from Security Leads Security leads actively providing input to release prioritization may seem like a given, but because the tendency to wall off security still exists, this is not always the case. Lead security engineers should be deemed a voting member of the committee that decides what gets fixed and what gets pushed to the next release or patch cycle, based on their expertise and understanding of how it impacts the overall functionality and risk assessment. This principle is important and pretty simple and has minimal barriers to achieve. Why is it not commonplace then? The desire to meet program milestones and target dates remains a priority yet is often arbitrary. The emphasis should instead be on the outcome you want of high functionality with minimal risk. Security engineers can perform and translate security impact assessments that align with the short and long-term objectives. Agile and DevOps instill a culture of persistent and fluid changes and enhancements Cybersecurity is an Endurance Sport Agile and DevOps instill a culture of persistent and fluid changes and enhancements. Simply put, an application and system are never seen as perfect or finished only evolving to address shifting user needs. Cybersecurity is the same. New technologies and devices create new vulnerabilities, hackers and threats. Securing mission critical federal systems becomes an exercise in endurance versus a dash to static finish lines. A continuous monitoring program that folds in security processes, workflow and team management allows an agency to track the security state of an information system and maintain security authorization on an ongoing basis and within weeks versus months. This type of progressive understanding of the fluid security state of systems is essential in dynamic operational environments. Integrating a cybersecurity engineering approach into an Agile and DevOps environment provides the means and methods required to monitor a system and, more importantly, continuously positions the agency to be more forward-looking. It anticipates challenges and provides near-real-time feedback for decision support. It is a sustainable methodology that is lightweight and efficient, and provides effective means of operating within a complex project. In a closing thought, automation and artificial intelligence (AI) are essential to the success and future of cybersecurity. Finding methods and tools for efficient and consistent testing and validation is crucial to the evolution of security validation. For example, my team at NCI is actively investigating and developing AI tools for cybersecurity evaluations and RMF assessments. These tools will be the next generation of efficiencies, ease of use and consistent results following RMF and NIST.

About the Author James Bowlin leads NCI s enterprise strategy for the cyber market. He has more than 15 years of experience in cybersecurity, software development, and system of systems integrations across high visibility federal healthcare programs, including serving as chief engineer for DHA s Defense Medical Information Exchange (DMIX) Program Office and lead security engineer helping the VA integrate an Agile information assurance framework for the Veterans Benefits Management System (VBMS). Bowlin is a certified ethical hacker, certified information systems security professional (CISSP), security+ holder, and fully qualified Navy and Marine Corps validator. NCI provides cybersecurity and advanced Agile analytics to help federal agencies securely unleash the power of their data to achieve better user experiences, enhanced predictive analytics, and more effective data sharing and interoperability. For more information, please visit NCI online at www.nciinc.com. 07/17 v1

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback