Bill Downer, vice president of national programs for Seagate Government Solutions, released his second article as a member of Executive Mosaic’s GovCon Expert program on Monday. His first article explored the impact, or lack of impact, that CMMC will have on supply chains and data hygiene.
In his second article, Downer discussed the federal government’s use of data and the simple steps that federal agencies could take to secure our nation’s data outside of CMMC. You can read GovCon Expert Bill Downer’s piece below:
Securing the Supply Chain; Securing the Data
In my first article for the GovCon Expert program, which you can read right here, I talked about how Cybersecurity Maturity Model Certification (CMMC) focuses on the development of weapon systems and on the methods needed to protect the data about those systems, rather than on securing our supply chains.
For this article, I wanted to discuss some very simple steps that the U.S. federal government can take to secure data beyond CMMC.
It is well documented that most personal data stolen from our government systems (think Office of Personnel Management) was stolen because, although the federal government has many requirements for data encryption, those requirements are often waived or ignored. As a result, the data was either not encrypted at all or encrypted improperly.
In many cases and systems, the government and its contractors do an exceptional job of protecting our data while in transit. However, they are much more relaxed about the level of discipline applied to protecting data at rest.
The unfortunate consequence of this approach is that data at rest becomes the largest attack surface. The current pandemic has made this situation much worse: with so many government employees and contractors working from home or other remote locations on laptops and tablets, the data on those devices is always at risk.
I happen to occupy an interesting seat during these times because I work for the largest storage device manufacturer in the world. From my seat, I know at a macro level who is buying what type of devices with what level of encryption.
The Federal Information Processing Standard (FIPS) 140-2 standard is an information technology security approval program for cryptographic modules produced by private sector vendors who seek to have their products certified for use in government departments and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information.
Tamper-evident FIPS 140-2 security labels are used to deter and detect tampering with modules.
FIPS 140-2 establishes the Cryptographic Module Validation Program (CMVP), a joint effort of the National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the Government of Canada.
Security programs overseen by NIST and CSE focus on working with governments and industry to establish more secure systems and networks. They do that by developing, managing and promoting security assessment tools, techniques, services and supporting programs for testing, evaluation and validation.
They also address other areas like: the development and maintenance of security metrics, security evaluation criteria and evaluation methodologies, tests and test methods; security-specific criteria for laboratory accreditation; guidance on the use of evaluated and tested products; research to address assurance methods and system-wide security and assessment methodologies; security protocol validation activities; and appropriate coordination with assessment-related activities of voluntary industry standards bodies and other assessment regimes.
Unfortunately, the government is not a leader in buying FIPS 140-2 encrypted drives for its systems. That requirement is often waived or simply not imposed on federal information technology systems. Because it is not required, and because IT procurements often fall under lowest price technically acceptable (LPTA) evaluation, bidders do not offer FIPS 140-2 storage devices.
Even when bidders do offer such storage devices as part of a proposal, no value is attached to these secure devices in the evaluation. One possible remedy is for the government to require FIPS 140-2 devices in all of its systems and to require that these devices always operate in FIPS mode. It is a NIST standard that should be used and enforced.
About GovCon Expert
Through Executive Mosaic’s GovCon Expert program, you can access the words of caution and celebration from the elite minds behind the innovation and implementation of emerging technologies across federal agencies and industry, including artificial intelligence, national security, cybersecurity, 5G, cloud, big data as well as competitive intelligence, open source solutions and other aspects of the GovCon industry.