ombegov / cloud.cio.gov

Federal Cloud Computing Strategy Website

Public comment from Tanium Inc. #27

Open OMBPublicComments opened 5 years ago

OMBPublicComments commented 5 years ago

Comments in response to the proposed OMB Cloud Smart Strategy. Submitted via email by Tanium, Inc., October 22, 2018.

Thank you for the opportunity to submit the following comments in response to the Office of Management and Budget’s proposed Cloud Smart strategy. As a leading provider of cybersecurity software and services to the federal government as well as private sector organizations, Tanium has extensive experience helping organizations protect their IT investments. Tanium’s flagship endpoint security platform was selected for the U.S. Air Force’s Automated Remediation and Asset Discovery program in 2016, and this platform was awarded the Department of Defense Chief Information Officer Team Award for Cyber and Information Technology Excellence.

Tanium supports OMB’s effort to update the original Cloud First strategy, with the expectation that Cloud Smart will allow agencies to more effectively plan for cloud transition, with an emphasis on new and emerging technologies that can help automate mission-oriented tasks and move the government’s technology policy into the 21st Century. Rightly, the draft Cloud Smart strategy document notes that security, along with procurement and workforce reform, will be essential for successful transition to a cloud-based infrastructure. We believe all three of these areas are critical and have been properly prioritized by OMB. With that said, our comments will focus primarily on those areas that fall most directly within our areas of interest and expertise, namely security.

The security section of the draft strategy is focused on three primary programs – TIC, CDM and FedRAMP. The section highlights the importance of cybersecurity to modernization and encourages a “transition to security and protections at the data layer instead of the network and physical infrastructure.” The section reinforces alternatives to the 2007 TIC policy, while pushing a new ICAM policy and an acceleration of the CDM program, including the deployment of cloud monitoring tools and capabilities. It is the last recommendation that is of the most interest to us.

According to Action #6 within the strategy: The Office of Management and Budget will release updated guidance that focuses on accelerating the implementation of the Continuous Diagnostics and Mitigation (CDM) program across the Government, including the deployment of cloud monitoring tools and capabilities.

The CDM program is a critical cybersecurity program that provides agencies with the necessary visibility into their environment to more effectively protect their data. While we applaud recent efforts by DHS to update the CDM program, including making acquiring CDM tools easier, Tanium concurs that updated OMB guidance is necessary to accelerate the implementation of CDM, particularly given the need for cloud monitoring tools and capabilities. Tanium also recommends that Action Item #6 directly address the need for metrics and real-time scanning of agency networks as well as automatic remediation of detected threats. To be effective, it is vital that this language reflect the latest in commercial-sector best practices. For example, technology widely deployed in the private sector has the capability to scan the endpoints of a large enterprise network in minutes or seconds, as opposed to days or hours. However, current government requirements and policies are built around a 72-hour standard that became obsolete several years ago as new, real-time monitoring technologies entered the market, many of which were not in the marketplace when the CDM program was originally conceived. Given the rapidly evolving threat landscape and the evolution of new monitoring tools, the CIO Council should ensure private sector standards are included in updated OMB guidance.

As you finalize the Cloud Smart strategy and begin to develop updated guidance that will lead the CDM program forward, we encourage you to include performance metrics for technologies or tools acquired through the program. Such metrics should track: 1) the frequency of vulnerability scans; 2) the rapid decommissioning or removal of ineffective or compromised solutions; 3) the rapid remediation of cyber vulnerabilities; 4) the speed of patching and configuration compliance; and 5) the percent coverage required for complete enterprise management.

Thank you again for the opportunity to comment on the proposed Cloud Smart strategy and we look forward to working with you on the CDM update.

johnaweiler commented 5 years ago

IT-AAC concurs with Tanium's observations and recommendations. Moving to the cloud without sufficient understanding of risks can be problematic.