The Federal Emergency Management Agency’s IT shop is working with others across the Department of Homeland Security to clarify cybersecurity controls so processes can be automated across the department.
However, compliance with data and privacy controls coming out of agencies like the National Institute of Standards and Technology is challenging because those controls haven’t kept pace with developments in cloud computing and DevSecOps.
While emerging NIST standards like the Open Security Controls Assessment Language (OSCAL) are looking more closely at how Cabinet-level departments approach compliance, outdated controls remain.
“The common controls in the existing paradigm of client-server, hub-and-spoke computing, which are still with us even with cloud computing, those controls are fast becoming antiquated,” Okada said during an ATARC event Tuesday.
One such control asks whether organizations have a fire extinguisher, and no one would ever ask Microsoft Azure or Amazon Web Services that, he added.
At the same time that FEMA is establishing better cyber metrics, it’s developing application programming interfaces (APIs) that communicate with authorizing engines to generate system security plans and standardize them in open, text-based language for automation.