Using Cloud Solutions to Protect Data Poses Questions
Whether a small or large business, if a company seeks to win a Defense Department contract which involves controlled unclassified information, it needs to protect its information systems per the Defense Federal Acquisition Regulation Supplement Interim Rule and be certified for the appropriate level where the Cybersecurity Maturity Model Certification (CMMC) program requirements are included in the contract.
To achieve compliance, contractors face the choice of spending substantial capital to fortify and maintain their internal information systems, or subscribing to a cloud services provider that is in compliance with the new cyber directives.
Many businesses would opt for the cloud as the most cost-effective and efficient solution for compliance. However, businesses must apply a substantial amount of due diligence to understand what these providers can and cannot do to achieve cybersecurity that is customized to a defense contractor.
Recently, the Law and Policy Committee of the National Defense Industrial Association’s Cybersecurity Division held its sixth in a series of tabletop discussions on Defense Federal Acquisition Regulations and CMMC to address the issue of using cloud service providers for compliance with defense requirements.
The panel of experts, who expressed only their individual opinions, included a Defense Contract Management Agency auditor, representatives from the CMMC Accreditation Body and cloud service providers, third-party application developers, and cybersecurity analysts. Engaging in tabletop exercises is an important element of compliance.
Both the National Institute of Standards and Technology Special Publication 800-171 and CMMC security controls mandate training and auditing to ensure that contractors know what they have to do if and when something goes awry and prompt action is needed.
There are some lessons learned from the tabletop and further points to consider as contractors determine how best to ensure their continuing compliance and security in the age of new regulations.
First, organizations can’t just rely on a cloud service provider to automatically address all security issues.
Cloud service providers do offer a variety of solutions, but not all of them will fit a given company’s needs. A “customer responsibility matrix” is one of the most basic and important artifacts that must be developed between a contractor and a cloud provider. It allows the contractor to understand its own responsibilities and delineates the role that the provider will play.
For example, some identity controls may be the responsibility of the contractor and not the provider. One panelist suggested approaching the development of the cloud in the same manner as one would develop any other information-technology service — so that a contractor carves out only what it needs to achieve cybersecurity.
Simply subscribing to a cloud provider may provide a false sense of security that may only become evident when a cyber incident occurs. By that point, it may be too late. If the contractor has not properly handled what it put into the cloud — and its access and control over that information — then it may have unwittingly exposed it to loss, misuse, or corruption.
A contractor also does not want to become too reliant on a provider, because future changes to its information system would then depend on the provider’s support. The company remains responsible for the proper processing and tagging of controlled unclassified information. Responsibility for the information under its contracts cannot be transferred to the cloud provider, and the contractor can be held responsible for compliance with the agreed-to customer responsibility matrix.
The next lesson learned: access issues may result in improper handling and release of protected information. Simply because an organization can access an application does not mean it is secure.
Access may be a significant problem when using cloud computing. The tabletop presented a fictitious company that used a cloud provider but needed to contend with “digital nomad” employees handling the controlled unclassified information, virtual video calls using applications not installed in the cloud where the information was discussed and uploaded from the cloud, and circumstances where third-party computers were used to access the contractor’s cloud data.
Unfettered access to a cloud can undermine cybersecurity. So too can the use of unauthorized or insecure applications. A company needs to develop, implement and train on policies that restrict and control end-user access, the locations where access can be allowed, and the software, applications and devices approved for use and access.
Consider the use of boundary devices to establish the limits on access to the cloud and, in particular, to the data files which contain controlled unclassified information. Boundary devices act as approved endpoints for access. However, it’s important to understand that boundaries are a solution that works together with other tools — such as policies and the prohibition of non-domestic access to the information — to create a more complete solution.
President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity establishes a number of action items to improve government and industry security. Among them is the initiative to move toward a zero-trust architecture for systems. This type of security architecture is different from traditional notions of security where a wall of security is built around the outside of a system to protect it from inappropriate access. Under zero trust, it is recognized that no single wall is impenetrable and that hackers may gain entry if given enough time. Under zero trust, critical data, assets and applications are segmented and protected by gateways that restrict access at a more granular level.
Zero trust also has the added feature of providing contractors with greater transparency into who is seeking and gaining access to their information and how they are using it. When thinking about the cloud or other systems, the proverbial moat around the castle can no longer provide the best security.
Instead, using a zero-trust architecture, a contractor can make it harder, and slower, for hackers to work their way in to gain access to critical information. Because intrusion takes more time, contractors should be able to identify intruders earlier in the process and take steps, such as shutting down systems, to prevent access or information loss.
Training is also an important element of a compliance program. It can help contractors ensure that human error and ill-conceived attempts to circumvent security protocols are minimized. As the tabletop demonstrated, even the best security cannot prevent someone who has access from intentionally misusing it. Teaching employees about their boundaries and risks, and what they can and cannot use to access the data on the cloud is a vital element of security. Placing controlled unclassified information in chat boxes on videoconference applications of untested security, or downloading that information from the screen during the videoconference onto unauthorized devices, are actions that may violate security plans and protocols and place the information at risk.
Similarly, software, like email, can and should be restricted if it carries such information. A cloud solution is not perfect, but it may be a potentially viable method of protecting information and systems. In compliance with Defense Department requirements, contractors need to properly install and embrace appropriate hygiene protocols tailored to their particular cloud solution.
The next question: does a cloud need to be at least Federal Risk and Authorization Management Program equivalent?
During the tabletop, we polled the audience to see if they thought that a cloud that encrypts data but is not FedRAMP equivalent would be adequate for a company to store data. There was general agreement that the cloud needs to be at least FedRAMP equivalent. Indeed, DFARS 252.204-7012 explicitly requires a cloud used for controlled unclassified information to be at least FedRAMP moderate equivalent. This requirement presents a challenge. If a cloud provider is not FedRAMP certified, how can a contractor be sure that the provider’s cloud is FedRAMP moderate equivalent? As a starting point, a contractor might consult with entities that are recognized in the FedRAMP marketplace. More needs to be done to address these types of cloud matters.
We also asked the audience whether they thought use of a cloud solution presented a greater risk to protecting information than the use of a contractor’s proprietary systems. The overwhelming answer was that it did not.
One panelist commented that contractors are finding that moving to a cloud opens up new opportunities. Other contractors indicated that a cloud allows them to continue data practices in a safe manner.
The message from this is clear — use of a cloud is but one piece of a cybersecurity solution. As contractors increasingly rely on these providers, it’s important to understand that the solution carries its own burdens. Contractors must remain vigilant and engaged throughout the life of a defense contract to ensure that their contractual obligations to protect controlled unclassified information are met.
Susan Warshaw Ebner is a partner at Stinson LLP. Rolando Sanchez is the owner and principal of the Law Office of Rolando R. Sanchez PLLC. Together, they co-chair the NDIA Cyber Division’s Legal Policy Committee.