A trade group representing government IT contractors is urging state governments to adopt federal cybersecurity benchmarks, to encourage standardization and avoid duplicating painstaking work that’s already been done developing norms and best practices.
In a blog posting and policy paper, the IT Alliance for Public Sector, a division of the Information Technology Industry Council, warns states against “reinventing the wheel” through “a siloed, inconsistent and disconnected state-by-state approach” to cybersecurity standards for government IT.
At the center of the recommendations from ITAPS is the Federal Risk and Authorization Management Program, or FedRAMP, and the cybersecurity framework created by the National Institute of Standards and Technology.
NIST worked with the General Services Administration, the Department of Homeland Security, the Department of Defense, the Office of Management and Budget, the NSA and the federal CIO to create FedRAMP — a highly detailed and technical “standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services” governmentwide.
The NIST Cybersecurity Framework, by contrast, is a set of high-level guidelines and practices that are meant to be adjustable to any level of governance or any size of enterprise. The framework was developed by NIST based on industry input following President Barack Obama’s 2013 executive order to strengthen U.S. cybersecurity.
Using the framework helps to minimize redundancy, said Florida Agency for State Technology’s Chief Information Security Officer Danielle Alvarez.
“The point they make about not reinventing the wheel, I’m a huge proponent of that just because there’s so much that we have to do. And if someone has come out with a practice or a framework that actually answers the questions and meets the needs of the state [then we should use it],” she told FedScoop about the program.
Alvarez said the program fit many of the state’s needs and allowed for more collaboration with other programs.
“It was faster for me to execute adoption and know that it had been vetted through many professionals, partners and stakeholders over time. A framework in and of itself is a skeleton and you have to populate the organs to make it executable,” Alvarez said.
This allowed for other state agencies such as the Florida Port Authority and the Florida Department of Law Enforcement to respond to the implementation and adjust it to fit specialized needs.
California, too, has based security changes on the NIST and FedRAMP standards.
“Our office of information security, they’re constantly utilizing best practices in the industry which would obviously include NIST and FedRAMP,” Teala Schaff told StateScoop.
Indeed, California’s statewide cloud service, CalCloud, is built to FedRAMP standards — in the hope that this will be a selling point for customers. But there is no official FedRAMP certification for the service yet.
“We’re currently working with them to be one of the first states that is certified FedRAMP compliant. It’s already built to the FedRAMP standards but they don’t have a state compliance process so we’re kind of a test case to them,” Schaff said.