GovCon Expert Bill Downer: Securing the Supply Chain; Securing the Data – GovConWire

Bill Downer, vice president of national programs for Seagate Government Solutions, has released his second article as a member of Executive Mosaic's GovCon Expert program on Monday after exploring the impact, or lack of impact, CMMC will have on supply chains and data hygiene.

In his second article, Downer discussed the federal government's use of data and the simple steps that federal agencies could take to secure our nation's data outside of CMMC. You can read GovCon Expert Bill Downer's piece below:

Securing the Supply Chain; Securing the Data

In my first article for the GovCon Expert program, which you can read right here, I talked about how Cybersecurity Maturity Model Certification (CMMC) was focusing on the development of weapon systems and adhering to the methods needed to protect the data about those systems as opposed to securing our supply chains.

For this article, I wanted to discuss some very simple steps that the U.S. federal government can take to secure data beyond CMMC.

It is well documented that most personal data that has been stolen from our government systems (think Office of Personnel Management) was stolen because the federal government has many requirements for data encryption. As a result, the data was either not encrypted at all or encrypted improperly.

Unfortunately, these requirements are often waived or ignored. In many cases and systems, the government and its contractors do an exceptional job of protecting our data while in transit. However, they become much more relaxed about the level and discipline to protect data at rest.

The unfortunate aspect of this approach is that the data at rest becomes the largest attack surface. With the current pandemic, this situation has become much worse. With so many government employees and contractors working from home or other remote locations through laptops and tablets, the data on these devices is always at risk.

I happen to occupy an interesting seat during these times because I work for the largest storage device manufacturer in the world. From my seat, I know at a macro level who is buying what type of devices with what level of encryption.

The Federal Information Processing Standard (FIPS) 140-2 standard is an information technology security approval program for cryptographic modules produced by private sector vendors who seek to have their products certified for use in government departments and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information.

Tamper-evident FIPS 140-2 security labels are used to deter and detect tampering with modules.

FIPS 140-2 establishes the Cryptographic Module Validation Program (CMVP) as a joint effort by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) for the Government of Canada.

Security programs overseen by NIST and CSE focus on working with governments and industry to establish more secure systems and networks. They do that by developing, managing and promoting security assessment tools, techniques, services and supporting programs for testing, evaluation and validation.

They also address other areas like: the development and maintenance of security metrics, security evaluation criteria and evaluation methodologies, tests and test methods; security-specific criteria for laboratory accreditation; guidance on the use of evaluated and tested products; research to address assurance methods and system-wide security and assessment methodologies; security protocol validation activities; and appropriate coordination with assessment-related activities of voluntary industry standards bodies and other assessment regimes.

Unfortunately, the government is not a leader in buying FIPS 140-2 encrypted drives for its systems. That requirement is often waived or not imposed for federal information technology systems. Since it is not required, and IT procurements often fall under the category of lowest price technically acceptable, bidders do not offer FIPS 140-2 storage devices.

If they do offer storage devices as part of the proposal, no value is attached to these secure devices. One possible suggestion is for the government to require FIPS 140-2 devices in all of its systems and to require that these devices always be in FIPS mode. It is a NIST standard that should be used and enforced.

About GovCon Expert

Through Executive Mosaic's GovCon Expert program, you can access the words of caution and celebration from the elite minds behind the innovation and implementation of emerging technologies across federal agencies and industry, including artificial intelligence, national security, cybersecurity, 5G, cloud, big data as well as competitive intelligence, open source solutions and other aspects of the GovCon industry.

Don't hesitate to contact us if you want to become a GovCon Expert and share your voice across our unmatched publications and other social media products that have a weekly circulation of over 1,000,000 direct emails as well as matching inbound traffic.

We look forward to hearing from our next GovCon Expert soon. Click here to become a GovCon Expert.
