I can usually tell when a regulation has teeth when I start to hear multiple customers asking about it. Interestingly, the Federal Information Security Amendments Act of 2013, also known as HR 1163, isn't even in effect yet, but people are already looking for ways to comply.
This proposed legislation passed the House on April 16, 2013, with strong bipartisan support. But, if you recall the "I'm Just a Bill" ditty from Schoolhouse Rock on Saturday mornings, HR 1163 must still pass the Senate and be signed by the President in order to become law.
And yes, now you'll be singing that song the rest of the morning. Sorry about that.
Anyway, the primary reason for the update is to adapt the existing FISMA legislation to take into account new technologies that have emerged since the law was initially passed in 2002.
Goals of the amendment include:
- Provide a framework to ensure effectiveness of information security controls
- Provide government-wide management and oversight of information security risks in this emerging, highly networked environment
- Outline minimum controls needed to protect Federal systems and those of its contractors
- Establish guidelines for implementing continuous monitoring, regular reporting and accountability
- Acknowledge that commercially developed products in private sector have value
Wait a minute ... 'commercially developed?' I've worked with the federal government for decades, and this is the broadest-reaching statement I've found that shows a requirement for government agencies to leverage commercially available solutions. The proposed regulation also leaves the decision of which technologies to use up to each agency.
I think the government is on the right track. One of the primary reasons for this revision is because the government has realized that simply meeting the items on a checklist -- however comprehensive -- does not make you secure. Security is a process: the threats are ever-evolving, and we all need to be able to adapt and modify to keep ahead of the curve, or at least be able to respond to breaches as quickly and effectively as possible.
HR 1163 also spells out what is meant by 'information security', rightly noting that both information and information systems must be protected not only from unauthorized access, but also from unauthorized use, disclosure, disruption, modification or destruction. These protections are difficult enough when you control your own data center. How can you achieve them in the cloud?
The answer is the Federal Risk and Authorization Management Program (FedRAMP). To sell cloud services to federal agencies, cloud service providers (CSPs) must be assessed by an accredited third-party assessment organization (3PAO) against the NIST SP 800-53 control baselines that FISMA already imposes on agency systems. If this new bill passes, CSPs will need to keep investing in security technologies in order to obtain and retain a FedRAMP authorization.
This is great news for anyone who wants to leverage the cloud, as it means there will be more sharing of best practices and reference architectures, ultimately resulting in more secure clouds everywhere.
Other Benefits for CSPs
While it may take some more effort initially, building a more secure infrastructure will create benefits for all CSPs. Most notably, CSPs will be able to expand their customer base and therefore their revenue. Better security will attract customers who haven't been ready to move applications to the cloud, as well as customers who are ready to expand deployments to more mission-critical applications.
With a published control baseline to build against, CSPs need not invent their own standard for protecting data. They can implement the controls the government already requires and then layer further protection on top. The bill is a great starting point for cloud security.
Other Benefits for Cloud Users
Cloud users, the customers of CSPs, will also feel the benefits of these new security guidelines. Although some sectors, such as government and healthcare, already have to comply with cybersecurity regulations, many industries do not. With this bill, cloud users can rest easier knowing that there is at least a minimum standard of security. One caveat: that minimum applies to systems that hold federal information, so a commercial customer benefits only where the CSP applies the same controls across its whole offering rather than to a separately scoped government environment.
The new law would also require agencies, and through their contracts the contractors and CSPs that operate systems on their behalf, to report security incidents (including data breaches), to conduct vulnerability assessments and to implement automated, continuous monitoring. Quality CSPs may already have these measures in place, but making them mandatory will help ensure that cloud users' data are properly cared for and protected.
Although HR 1163 has not yet been passed, it is apparent that this bill is going to have a powerful impact on cloud security. Both CSPs and cloud users will benefit from having government regulations in place to protect data held in the cloud. However, it is important to remember that these guidelines are only an initial step towards effective data security. By working together, CSPs and cloud users can determine what additional security measures must be taken to best protect users' information.