
Cloud Adoption Will Force Federal Agencies to Adopt Integrated Risk Management Practices

 
Thread Tools Search this Thread
# 1  
Old 12-17-2010

The Cloud extends the scope of Risk Management when risk is considered an enterprise (organizational) activity which takes into consideration various aspects of the nature of the cloud adoption. The "25-Point Implementation Plan to Reform Federal IT" published by Vivek Kundra, U.S. Chief Information Officer (CIO) on December 9, 2010 gave clear direction that a shift to the cloud will be part of the Federal IT strategy.

In the Implementation Plan, Vivek states "Within the next six months, the Federal CIO will publish a strategy to accelerate the safe and secure adoption of cloud computing across the government." Further, Vivek charges Federal Agency CIOs with identifying three "must move" services and creating a project plan for migrating each of them to cloud solutions and retiring the associated legacy systems.

It should also be noted that the shift to a "Cloud First" policy has an initial six-month timetable for the publication of "a strategy to accelerate the safe and secure adoption of cloud computing", followed by a 12-month timeframe for each Agency to migrate one (1) of three services, and 18 months to migrate two (2) additional services. Although the requirements are aggressive, they are necessary to ensure cloud technologies are integrated into the Federal IT infrastructure.

The selection of qualified services does not come without the necessity to perform thorough risk management. The notation of "services" reflects an organization-wide, cross-cutting IT infrastructure component such as email, collaboration, storage, etc. Since the completion of FedRAMP will likely precede the start of the migration, Federal Agencies will have a vehicle to use as part of the guidance (excluding any additional guidance published by NIST) to support the selection of "secure, certified platforms". However, since FedRAMP only addresses the need for a single authorization of Cloud Services, it does not absorb the responsibility of an Agency using FedRAMP-authorized Cloud Services.

In the past, Federal Agencies have relied upon NIST SP 800-30 ("Risk Management Guide for Information Technology Systems") as a tool for integrating Risk Management activities within the traditional Certification and Accreditation (C&A) process. This process has been ineffectively adopted as a tool for identifying and managing risk as a part of the 3-year C&A cycle, rather than using it to identify and manage risks on a continuous basis. The lack of effective implementation of risk management has caused Agencies to rely conditionally on the results of the Assessment (Security Test & Evaluation), rather than managing and monitoring risks as an organizational activity that requires risks to be communicated to various levels of the organization and across multiple stakeholders (internal or external to the organization).

Since the early draft of NIST SP 800-39, a process has started to emerge that focuses on the integration of risk management across the enterprise (or organization). However, the prior (singular) view of risk management proposed in NIST SP 800-30 has traditionally focused entirely on individual information systems to derive risks, with limited notion of sharing across the organization. This requires a more enterprise-level viewpoint for risk management, which will be even more important as Cloud Services are adopted. The expectation on Agencies to support the "Cloud First" policy will force agencies to adopt Risk Management practices such as the process detailed in Chapter 3 of NIST SP 800-39 FPD ("Applying Risk Management Concepts Across an Organization").

It should also be noted that the NIST Risk Management Framework (RMF), which is a step process for integrating risk management activities into the System Development Lifecycle (SDLC), is only one layer of an integrated risk management capability. A fully integrated risk management capability seeks to achieve a better understanding of risks by measuring and managing the impact of information security risks with a focus on the organizational mission, operations, and resources (IT assets and human capital) needed to support the broader function of the Federal Government.

Cloud Computing (depending on the deployment and service model) will necessitate a mature adoption of Risk Management that not only facilitates internal communication of risk as it relates to the mission of a single Agency (or even multiple Agencies), but also, in the broader perspective, externally with Cloud Security Providers, which will be required to understand the security risks to ensure they are effectively managed.
