FITARA compliance woes point out security vulnerabilities

When government agencies report again this April on how they’re doing with the Federal Information Technology Acquisition Reform Act (FITARA), the elephant in the room that few want to acknowledge is the cybersecurity threat posed by being out of compliance.

Government’s track record across two FITARA reporting cycles has been less than stellar. Approved by Congress and signed by President Barack Obama in 2014, FITARA was intended as the first major update of federal IT in two decades. The Office of Management and Budget (OMB) scrutinizes four different disciplines, with letter grades assigned to data center consolidation, IT portfolio review savings, incremental development and risk assessment transparency. OMB assigns these grades based on assessments from the agencies themselves.

When the first FITARA scorecard was released in 2015, 16 of the 24 affected agencies were ranked with a grade of “D” or lower — three had failed altogether. Last year in May, the second report card saw some minor improvement, but 18 agencies still flunked in the areas of IT portfolio review savings and data center consolidation. Ten agencies were still hovering at “D” grades, and NASA still had a failing grade overall.

When you look at IT portfolio review savings and data center consolidation, there’s a direct connection between being out of compliance and being susceptible to cybersecurity threats from bad actors.


Poor compliance and security vulnerability

One of the reasons FITARA was introduced was that the government had to acknowledge that it didn’t have a firm handle on its IT portfolio to begin with — there was incomplete information on the details of each agency’s network infrastructure holdings. Without detailed information, FITARA compliance in IT portfolio review savings and data center consolidation is difficult; after all, you can’t consolidate data centers without knowing what there is to consolidate.

More importantly, however, if you have incomplete information on your IT holdings, you are almost by necessity susceptible to incursions against your network by organizations that can exploit holes in your infrastructure that have yet to be identified or closed.

That’s why the world of cybersecurity is shifting its focus from “breach prevention” to data security. It’s becoming increasingly clear that you simply can’t prevent breaches — especially if you don’t have a complete accounting of the elements of your IT infrastructure.

Instead of securing the network, your real emphasis has to be on securing and protecting critical data. That means knowing where sensitive data is housed, knowing how it’s stored and managed, and controlling access to that data (because threats to data security can come from within as well as from external sources).

You have to encrypt your data so that even if (or when) your network is breached, you have the peace of mind to know that your data is safe.

Where is your data stored? Is it in databases, endpoints, servers or storage networks? Do you maintain it on-premises or in the cloud? Once you have a firm handle on where the data is, you need to assess the relative value of that information. Older archived data may no longer be as sensitive as it once was, whereas new data may require a focused security strategy.

That kind of security strategy relies on encryption so that even if the network is breached, the information itself will be useless to hackers. You need cryptographic keys to encrypt and decrypt the data, and a foolproof way to store those keys so that a breach does not turn into real damage. The sheer volume of sensitive data can require possibly millions of encryption keys, which makes managing them a significant challenge.

Control your keys and know who’s using them

Stolen or misused keys can undermine all your other security precautions. The best solution is a crypto management platform across your organization to centralize key management. The industry is increasingly turning to hardware security modules as a way to keep keys in a centralized location under appropriate controls while still offering administrators relatively hassle-free access.

Speaking of access and administration, remember that data is compromised whenever an unauthorized party gains access to the crypto keys. That means having a strong authentication protocol to make sure that authorized personnel are accountable for accessing the information, while also blocking access from unauthorized parties.
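The following is an added illustration of the principle in this section, not code from the article or from any SafeNet product: a constructed `KeyService` stands in for an HSM-backed key manager whose master key never leaves it, every request is authenticated, and every key use lands in an audit trail, while the HMAC-SHA256 counter-mode cipher (`seal`/`unseal`) is a standard-library stand-in for AES so the example runs offline.

```python
import hmac, hashlib, secrets
def _ctr(key, nonce, data):  # counter-mode keystream from HMAC-SHA256: stdlib stand-in for AES-CTR
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):  # encrypt-then-MAC with separate subkeys: nonce || ciphertext || 16-byte tag
    enc, mac = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce = secrets.token_bytes(16)
    ct = _ctr(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:16]

def unseal(key, blob):  # reject a tampered blob or a wrong key before decrypting anything
    enc, mac = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("tampered ciphertext or wrong key")
    return _ctr(enc, nonce, ct)

class KeyService:
    """Constructed model of an HSM-backed key manager: the master key never leaves
    this object, every request is authenticated, and every key use is logged."""
    def __init__(self, master_key, credentials):
        self._master = master_key
        self._credentials = credentials  # user -> sha256(credential); constructed directory
        self.audit = []                  # accountability trail: (user, action, outcome)
    def _authenticate(self, user, credential, action):
        ok = hmac.compare_digest(self._credentials.get(user, b""), hashlib.sha256(credential).digest())
        self.audit.append((user, action, "ok" if ok else "denied"))
        if not ok:
            raise PermissionError(f"{user}: {action} denied")
    def create_wrapped_dek(self, user, credential):  # callers only ever hold the wrapped DEK
        self._authenticate(user, credential, "create_dek")
        return seal(self._master, secrets.token_bytes(32))
    def unwrap_dek(self, user, credential, wrapped):
        self._authenticate(user, credential, "unwrap_dek")
        return unseal(self._master, wrapped)

def demo():  # constructed scenario: stolen ciphertext is useless without the key service
    kms = KeyService(secrets.token_bytes(32), {"admin": hashlib.sha256(b"correct horse").digest()})
    wrapped = kms.create_wrapped_dek("admin", b"correct horse")
    record = seal(kms.unwrap_dek("admin", b"correct horse", wrapped), b"SSN=123-45-6789")
    try:
        kms.unwrap_dek("intruder", b"guess", wrapped)
        outcome = "key leaked"
    except PermissionError:
        outcome = "denied"
    return unseal(kms.unwrap_dek("admin", b"correct horse", wrapped), record), outcome, kms.audit
```

A database dump (`record`) or a copy of `wrapped` on its own yields nothing: recovery requires an authenticated call to the key service, and that call is on the record.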

Until the FITARA scorecards start coming back with more grades of “A” than “D” — especially in the areas of IT portfolio review and data center consolidation — the elephant in the room will continue to be security vulnerabilities. While agencies continue to wrestle with compliance, it will be extremely important to make sure that they are doing all they can to protect their data. What they don’t know can hurt them.

Shawn Campbell is vice president of product management for SafeNet Assured Technologies. He can be reached at Shawn.Campbell@safenetat.com.