The Cloud Secure Task Force (CSTF) — made up of four non-profit organizations: MITRE, the Cloud Security Alliance (CSA), the Advanced Technology Academic Research Center (ATARC), and the IT Acquisition Advisory Council (IT-AAC) — held its fourth meeting on Wednesday to discuss how to achieve more authorization to operate (ATO) reciprocity in cloud security practices.
Task force members explained during the ATARC event on November 13 that among the current security control frameworks in the cloud services industry, reciprocity does not exist.
This means that a cloud service provider (CSP) may have a single control that it must “evaluate and re-evaluate up to 12 or more times because of the multiple frameworks they have to evaluate,” according to Mary Spina, a senior cybersecurity engineer at MITRE.
For example, Spina said there is the General Services Administration's (GSA) Federal Risk and Authorization Management Program (FedRAMP) and the Cybersecurity Maturity Model Certification (CMMC) program within the Department of Defense. Additionally, many federal agencies have their own Federal Information Security Management Act (FISMA) enforcement requirements.
The industry also has a range of frameworks, such as the CSA's Security, Trust, Assurance and Risk (STAR) framework, among many international frameworks.
“These are all, in some cases, separate, different evaluators using different controls and writing different reports. So, it's a big cost driver,” Spina said. “I think if we can address this successfully, we will save industry, government and cloud providers a significant amount of money.”
In addition to cost savings, CSA's global vice president of research, John Yeoh, said reciprocity will also help automate compliance programs.
“That's going to be a big part, so we're not just automating compliance, we're automating security,” Yeoh said.
“I believe that reciprocity will lead to much more than just an agreement between two unified bodies agreeing on how to recognize each other's assessments,” he added. “This will also give us the ability to automate this in our technology platforms, as well as improve overall security.”
Former federal CISO chimes in
Nearly five months after leaving the federal government, former federal Chief Information Security Officer (CISO) and Deputy National Cybersecurity Director Chris DeRusha joined Wednesday's discussion to stress the importance of achieving reciprocity.
Reciprocity would enable one federal agency — or even a component within the same agency — “to reuse another assessment and grant full access to all of the underlying evidence provided to the first official,” explained DeRusha, who now serves as director of global public sector compliance at Google Cloud.
DeRusha echoed the sentiments of task force members, saying that evaluating “the same technology 10 different times…is not effective.” However, he said the issue of reciprocity is bigger than just cost savings.
“I really think it's about the speed framework of getting technology into the hands of our public sector — that should be the main driver and the thing we're going for here,” DeRusha said. “Although the cost argument is important, people are often, you know, tired of hearing that, and it's hard for them to tie it as a key motivator because they don't necessarily trust that there will be real cost savings at the end.”
“So, while I think it's important, I think we have to find frames that I think are very legitimate and actually frames that are more important than that,” DeRusha said.
For example, he said the reality is that technological progress is moving at an “almost frighteningly fast” pace — and that our adversaries are not waiting to use technology against us.
“They don't wait days to take advantage of the technology, but we wait months and often years for this technology to get into the hands of the public sector and then into the hands of advocates,” DeRusha said. “That's why this matters.”