GSA to Involve InfoSec from Get-GoEnsuring Security Built into Solutions from the Beginning
General Services Administration Chief Information Officer Sonny Hashmi is on a mission to revamp the way the federal agency approaches information technology projects, including how it incorporates security into its IT initiatives.
Hashmi, in July, issued what he characterizes as an information technology integration policy, which, among other things, gets the agency's chief information security officer involved in IT projects from the get-go.
Under Hashmi's principles, the GSA CISO would serve as a consultant and partner with the CIO through an IT project's life cycle. He says he's changing the process in which information security has been seen as a compliance step that's added at the end of a project.
"As the landscape of cybersecurity threats and risks evolve, we want to ensure that cybersecurity is designed into our solutions from the beginning, rather than being overlaid as an after-thought," Hashmi says in a recent blog. "Through this approach, we will increase the overall cybersecurity posture of our information systems, while designing them to be flexible in meeting future challenges."
The GSA is the federal agency that facilitates other agencies' acquisition of a wide range of products and services, including IT wares that need to be secured.
Engaging IT Security Team
According to the new policy, one of the biggest challenges for GSA IT staff is early and consistent engagement with the IT security team throughout the project to understand what security requirements apply, who needs to be engaged to assist in implementation and how this has an impact on the project schedule. It's the responsibility of the IT security team to determine, based on consultations with the project team, the cybersecurity requirements that are needed for compliance.
Most federal agencies historically have treated information security as an add-on, and the move by GSA should serve as an example that could be emulated by other departments and agencies, says Bruce Brody, a former CISO at the departments of Energy and Veterans Affairs.
"By bringing security into the upfront part of the cycle, you're conserving resources in the long run and you're doing security in the right way, cooking it in rather than bolting it on," says Brody, chief cybersecurity strategist at defense contractor Cubic Corp. "There's absolutely nothing wrong with this approach at all. The only thing wrong is it hasn't been done yet."
In unveiling his principles, Hashmi says they would ensure that GSA IT systems be open, modern, innovative and intuitive and allow reuse by leveraging common components and technologies that should reduce costs and complexity.
Hashmi, in the policy, also pledges that project teams work with the group charged with developing a single sign-on service to identify the best applications to adopt. "By integrating all solutions with our enterprise identity and access management solutions, we will not only reduce the burden of multiple passwords on our employees, but will also increase security of our data and systems and increase compliance with federal IT policies and best practices," Hashmi says.
Because federal agencies interact with the GSA when they acquire goods and services, the move to incorporate IT security from the beginning of an IT project could spread throughout the government.
"Some agencies might be inclined to say, 'We'll do it the way you do it,'" Brody says. "By GSA setting an example internally, that's a good, positive step in the right direction. Whether or not it trickles out to their agency-wide programs, remains to be seen. We hope it does but let's start it internally and go from there."