The Department of Defense Can Drive Zero Trust Outcomes by Streamlining Its Cloud Authorization Process

In its Zero Trust Strategy, the Department of Defense (DoD) envisions a scalable, resilient, auditable, and defendable environment centered on securing and protecting its systems in cyberspace. Adopting modern computing, storage, and network solutions enhances the Department’s capacity to perform its mission. Cloud computing can produce scalable insights in near real time that can be used for continuous monitoring of DoD’s networks, and cloud-based solutions can also be deployed to support visibility and analytics as well as automation and orchestration. To support the Department’s transition towards a Zero Trust Architecture (ZTA), DoD should reform its cloud authorization process so that suitable cloud service offerings (CSOs) can be integrated into the ZTA without duplicated assessment work.

Currently, DoD has two routes for authorizing cloud services for use within the Department. On the one hand, DoD continues to run its own, agency-specific scheme based on the Cloud Computing Security Requirements Guide (SRG) and its Impact Levels. On the other hand, the General Services Administration (GSA) runs the Federal Risk and Authorization Management Program (FedRAMP) in an effort to grow the use of secure cloud technologies across the entire federal government.

The FedRAMP program provides federal agencies with a standardized approach to security assessment of cloud service offerings. The program reduces acquisition processing times, inconsistencies, and duplicated assessments across federal agencies. This enables agencies to avoid cost inefficiencies and to accelerate the digital transformation of their systems. President Biden later signed the FedRAMP Authorization Act into law, giving the FedRAMP program statutory authority.

DoD and the FedRAMP Project Management Office would be well-advised to partner on working out a comprehensive crosswalk between the FedRAMP baselines and DoD Impact Levels. Reforming DoD’s cloud authorization process to align with FedRAMP would produce measurable upside to DoD’s transition towards a ZTA, and ensure a consistent approach to the adoption of ZTA across the government’s IT landscape.

Although the SRG shares many similar (or identical) controls with the FedRAMP baselines, maintaining two authorization schemes means a CSO is assessed twice against largely overlapping requirements, which slows DoD’s ability to adopt these capabilities. Here are five examples of how FedRAMP can be leveraged to produce measurable upside to DoD’s, or any other agency’s, transition towards a ZTA.

Assessment, Authorization, and Monitoring

A key characteristic of a ZTA is the elimination of implicit trust. In other words, every session and transaction on a network must be authorized against an explicit set of policies. Every FedRAMP baseline requires documented policies and procedures for each control family, access control included. Notably, to demonstrate implementation of security control CA-1, Cloud Service Providers (CSPs) need to produce artifacts that show the development, documentation, and dissemination of an assessment, authorization, and monitoring policy and the procedures that implement it. Organizations can use such policies and enforcement procedures as a stepping stone to support the “never trust, always verify” tenet of Zero Trust.

Multifactor Authentication (MFA)

MFA describes the practice of authenticating a requestor using at least two distinct factors: something the user knows (a password or PIN), something the user has (a hardware token or registered device), or something the user is (a biometric). Many regard MFA as a foundational practice of basic cyber hygiene. Therefore, it is not surprising that it became a focal point of EO 14028, which also prepared the widespread transition towards Zero Trust. For FedRAMP, MFA is required in all baselines. Specifically, the enhancements to Identification and Authentication control IA-2 mandate MFA for organizational users accessing both privileged and non-privileged accounts, and IA-8 describes a similar mandate for non-organizational users. MFA that a CSP has already implemented and had assessed is a net benefit of integrating FedRAMP authorized cloud services into a ZTA. One caveat for practitioners: a CSO’s IA-2 implementation covers the provider’s side of the shared responsibility model, so the consuming agency must still confirm, through the CSP’s customer responsibility matrix and its own configuration, that MFA is actually enforced for its users and its federated identity provider.

Configuration Management

FedRAMP requires the development of sound configuration management policies and procedures for all baselines, which supports Zero Trust outcomes. The DoD Technical Reference Architecture acknowledges that “Cloud services enable zero trust due in part to the fact that the distributed nature of cloud necessitates additional configuration and management support in order to achieve the kind of security and visibility over assets, users, and data that a zero trust architecture would require.” For example, Configuration Management control CM-7 (Least Functionality) requires that FedRAMP authorized systems be configured to provide only the capabilities needed to deliver the service, with unnecessary functions, ports, protocols, and services disabled. This is adjacent to, but supportive of, the Zero Trust principle of least privilege: least functionality limits what the system can do, while least privilege limits what each identity is allowed to do on it.

Visibility and Continuous Monitoring

The FedRAMP controls in the Assessment, Authorization, and Monitoring family produce the security posture information that a Zero Trust Architecture depends on. Visibility and Analytics is one of the seven pillars upon which DoD’s Zero Trust Strategy is built. Dynamic security monitoring facilitates the early detection of intrusion attempts and enables defenders to remove malicious actors upon detection. FedRAMP control CA-7 requires continuous monitoring for all baselines, which provides the ongoing awareness of a system’s security posture that organizational risk management decisions depend on and that can be leveraged as part of DoD’s Zero Trust Architecture. In practice, FedRAMP continuous monitoring consists of recurring deliverables (vulnerability scan results, POA&M updates, and periodic assessments) rather than real-time telemetry, so an agency building a ZTA should also plan to ingest the CSO’s logs and security events into its own analytics pipeline.

Automation and Orchestration

Another pillar in the Zero Trust Strategy focuses on automating security and governance processes. FedRAMP has partnered with NIST to develop the Open Security Controls Assessment Language (OSCAL), a machine-readable format for control catalogs, baselines, and authorization artifacts, to automate artifact reporting. The FedRAMP PMO expects the adoption of OSCAL to have multiple positive impacts, including the rapid creation of System Security Plans (SSPs), the automation of the third-party assessment process, and the acceleration of the agency review process. DoD can unlock these and additional benefits to its Zero Trust transition if it reforms its cloud authorization process to integrate FedRAMP authorized cloud service offerings into its Zero Trust Architecture.
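As an added example of the kind of automated review OSCAL makes possible (this is illustrative code written for this page, not FedRAMP, NIST, or DoD tooling), the following script loads an SSP in OSCAL JSON form and reports which of the controls named in this article (CA-1, IA-2(1), IA-2(2), IA-8, CM-7, CA-7) the SSP implements, which it lists only as empty placeholders, and which it omits. The embedded SSP is constructed and heavily abbreviated; it uses the OSCAL SSP model’s field names (system-security-plan, import-profile, control-implementation, implemented-requirements, by-components) but a real SSP carries many more required fields, and the baseline profile URL is a placeholder rather than FedRAMP’s published one.

```python
"""Added example (not from the article, FedRAMP or NIST): machine-check an
OSCAL System Security Plan for the controls this article names.

SAMPLE_SSP_JSON is a constructed, heavily abbreviated SSP that follows the
field names of the OSCAL SSP JSON model (system-security-plan ->
control-implementation -> implemented-requirements -> statements /
by-components). A real SSP carries many more required fields, and the
import-profile href is a placeholder, not FedRAMP's published profile."""
import json
import re

SAMPLE_SSP_JSON = """
{"system-security-plan": {
  "uuid": "00000000-0000-4000-8000-000000000001",
  "metadata": {"title": "Constructed sample CSO", "version": "0.1",
               "oscal-version": "1.1.2",
               "last-modified": "2024-01-01T00:00:00Z"},
  "import-profile": {"href": "https://example.invalid/fedramp-moderate.json"},
  "control-implementation": {
    "description": "Constructed for illustration only.",
    "implemented-requirements": [
      {"uuid": "00000000-0000-4000-8000-0000000000a1", "control-id": "ca-1",
       "statements": [{"statement-id": "ca-1_smt.a",
         "uuid": "00000000-0000-4000-8000-0000000000b1",
         "by-components": [{"component-uuid": "00000000-0000-4000-8000-0000000000c1",
           "uuid": "00000000-0000-4000-8000-0000000000d1",
           "description": "A&A&M policy is published and reviewed annually."}]}]},
      {"uuid": "00000000-0000-4000-8000-0000000000a2", "control-id": "ia-2.1",
       "by-components": [{"component-uuid": "00000000-0000-4000-8000-0000000000c1",
         "uuid": "00000000-0000-4000-8000-0000000000d2",
         "description": "Privileged console access requires hardware MFA."}]},
      {"uuid": "00000000-0000-4000-8000-0000000000a3", "control-id": "ia-2.2",
       "by-components": [{"component-uuid": "00000000-0000-4000-8000-0000000000c1",
         "uuid": "00000000-0000-4000-8000-0000000000d3",
         "description": "Non-privileged users authenticate with MFA at the IdP."}]},
      {"uuid": "00000000-0000-4000-8000-0000000000a4", "control-id": "ia-8",
       "by-components": [{"component-uuid": "00000000-0000-4000-8000-0000000000c1",
         "uuid": "00000000-0000-4000-8000-0000000000d4",
         "description": "External users federate through an approved broker."}]},
      {"uuid": "00000000-0000-4000-8000-0000000000a5", "control-id": "cm-7",
       "statements": []}
    ]}}}
"""

# Controls the article singles out, written in FedRAMP's "IA-2(1)" notation;
# OSCAL spells the same enhancement "ia-2.1", so ids are normalized below.
ARTICLE_CONTROLS = ["CA-1", "IA-2(1)", "IA-2(2)", "IA-8", "CM-7", "CA-7"]

_CONTROL_RE = re.compile(r"([a-z]{2})-(\d+)(?:[.(](\d+)\)?)?")


def normalize_control_id(cid: str) -> str:
    """Map 'IA-2(1)', 'ia-2 (1)' or 'ia-2.1' to OSCAL's 'ia-2.1' form."""
    m = _CONTROL_RE.fullmatch(cid.strip().lower().replace(" ", ""))
    if not m:
        raise ValueError(f"unrecognised control id: {cid!r}")
    family, base, enh = m.groups()
    return f"{family}-{base}" + (f".{enh}" if enh else "")


def _has_description(node) -> bool:
    """True if any nested OSCAL object carries a non-empty 'description'."""
    if isinstance(node, dict):
        d = node.get("description")
        if isinstance(d, str) and d.strip():
            return True
        return any(_has_description(v) for v in node.values())
    if isinstance(node, list):
        return any(_has_description(v) for v in node)
    return False


def check_coverage(ssp: dict, required=ARTICLE_CONTROLS) -> dict:
    """Classify each required control as covered (has an implementation
    narrative), undocumented (listed with no narrative) or missing."""
    plan = ssp["system-security-plan"]
    reqs = plan["control-implementation"]["implemented-requirements"]
    impl = {normalize_control_id(r["control-id"]): r for r in reqs}
    report = {"baseline": plan["import-profile"]["href"],
              "covered": [], "undocumented": [], "missing": []}
    for raw in required:
        cid = normalize_control_id(raw)
        if cid not in impl:
            report["missing"].append(cid)
        elif not _has_description(impl[cid]):
            # Listed but with no narrative: a placeholder, not evidence.
            report["undocumented"].append(cid)
        else:
            report["covered"].append(cid)
    return report


def check_sample() -> dict:
    """Run the coverage check over the constructed SSP above."""
    return check_coverage(json.loads(SAMPLE_SSP_JSON))


if __name__ == "__main__":
    print(json.dumps(check_sample(), indent=2))
```

Running this over a real OSCAL SSP exported by a CSP would let an agency reviewer (or DoD’s authorizing official) confirm in seconds that the controls it cares about for Zero Trust are present and narrated before a human reads a single page, which is the review-acceleration benefit the paragraph describes. The check is deliberately conservative: an implemented-requirement with no description anywhere beneath it is flagged rather than counted, since an empty entry proves nothing about the control.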

In summary, FedRAMP is well positioned to meet the technological needs of a transition to Zero Trust, such as the one DoD is undertaking. DoD, and all agencies, will benefit from working with the FedRAMP office to ensure that there is alignment between current or future FedRAMP assessments, and the expectations of Zero Trust. Such an alignment will ensure the speediest path forward on this complex technology evolution.
