While improving service delivery and return on investment are priority procurement goals when choosing a Software as a Service (SaaS) partner, federal agencies must also put “security first” to ensure that vulnerable legacy systems are protected in today’s digital-dominated climate.
The presidential executive order on improving national cybersecurity requires agencies to develop standards to prevent cyber incidents and to transform government systems into secure and reliable digital infrastructures built on a zero-trust architecture, as outlined in the Office of Management and Budget (OMB) federal strategy issued on January 26, 2022.
It’s not an easy task, but with due diligence and prioritization, government agencies can protect themselves against increasingly malicious actors by ensuring these three must-have security elements:
1.) Don’t sacrifice security for agility
Cloud-based software can provide the features your teams need to be productive, and freemium software is readily available, but many of these solutions take shortcuts when it comes to security. They can also pave the way for shadow IT: the use of systems, devices, software, applications, and services outside of an organization’s approved infrastructure. Shadow IT limits visibility and manageability and introduces security and compliance risks. Be sure to properly investigate a vendor’s security credentials, encryption methodologies, and access controls.
A good starting point is the FedRAMP Marketplace. This is a directory of vendors and products that have been properly vetted and are continuously monitored by executive branch entities. This reduces the time, money, and diligence required to assess the health of cloud service providers (CSPs).
2.) Prioritize Zero Trust Architecture
The January OMB memorandum outlining the zero-trust strategy reminds us that while the concept may sound daunting in theory, it’s an achievable requirement that every agency should prioritize. Implementing zero trust doesn’t have to be complicated, especially when the Cybersecurity and Infrastructure Security Agency (CISA) is guiding federal agencies along the way.
At its core, Zero Trust Architecture protects critical assets and data from the inside out, establishing complete threat visibility and detecting suspicious activity. Waiting to implement zero-trust measures can expose agencies to significant risks that could otherwise be thwarted. Proactive prevention measures are imperative to maintain a “never trust, always verify” model.
In addition, software must be certified against enterprise-grade security standards. For civilian agencies, FedRAMP is key. For DoD agencies, the impact levels (IL2, IL4, IL5, and IL6) go even further. Vendors must also offer both cloud and on-premises deployments of the software. Flexible deployment options allow you to secure and manage content and communications in the way that best aligns with your existing infrastructure and needs. Other best practices include multi-factor authentication, endpoint detection, rigorous testing, and more.
3.) Know how data is used and stored
Do you know where your organization’s data is stored? If the answer is no, you are not alone. According to a study conducted by IoD and Barclays, 43% of users do not know where their data is physically stored and 59% rely on outsourcing their data storage. Knowing where your data is stored and used is essential to keeping it secure, especially if the data is stored outside of the United States. A company may be headquartered in the United States, but if the data travels through servers overseas, you need to know all storage and management locations. This is not just a compliance issue; it can also be a national security issue. Unfortunately, not all SaaS companies are forthcoming about their data center locations, so it’s critical that agency executives cover their bases in the procurement process and ask for US-based data centers.
Avoiding security pitfalls is more than just complying with standards. Agencies and vendors must put security at the center of everything they do to protect national security in a growing threat landscape.