The FBI is adopting the intelligence community’s real-time risk assessment practices for cloud computing.
Telos Corporation announced a $13.5 million contract from the bureau Wednesday to integrate its Xacta solution — which is already used by the CIA — with the FBI’s clouds. The bureau wants to shorten the time it takes to grant contractors permission to access its systems so its assessors can focus on more pressing security issues.
“They want to have a customized risk-management framework,” John Wood, CEO of Telos, told FedScoop. “They want to have a customized business process that provides workflows, and that ensures process efficiency and consistency across their enterprise.”
Telos has 12 months to add the risk assessment capability to the GovCloud the FBI uses, then to the FBI’s part of two CIA clouds: Commercial Cloud Services (C2S) and Secret Commercial Cloud Service (S-C2S). The FBI expects to hook up with those services this year.
Contractors seeking authorities to operate in the FBI’s system, whether on premise or in the cloud, must test against about 11,000 security controls within the National Institute of Standards and Technology’s Cybersecurity Framework. The manual process used to take nine months for the IC to provision a server but with the cloud takes 30 seconds, Wood said.
Xacta automates 85 percent of and continuously updates those controls, which ensure “very solid” cyber-hygiene such as good passwords, strong user access control and multi-factor authentication, Wood said.
Gaining a better understanding of the bureau’s risk posture is especially important following the massive breach of software from government contractor SolarWinds, Wood said. The incident compromised at least eight agencies as of December. The FBI has not specified whether it was exposed to the breach.