ombegov / cloud.cio.gov

Federal Cloud Computing Strategy Website

Public comment from Palo Alto Networks #43

Open OMBPublicComments opened 5 years ago

OMBPublicComments commented 5 years ago

October 24, 2018

To: Office of the Federal Chief Information Officer, Office of Management and Budget, Executive Office of the President

RE: Response to Request for Information, Federal Cloud Computing Strategy

Via e-mail to: ofcio@omb.eop.gov

The White House drive to modernize Federal government networks, and the attendant effort to take advantage of new technologies and the benefits of cloud migration, is a welcome strategy that will have near- and long-term benefits for the U.S. government. Building on that planning, the “Cloud Smart” Federal Cloud Computing Strategy’s focus on security as a core strategic pillar highlights the importance of ensuring that cloud migrations are accomplished deliberately and with appropriate consideration for how mission owners will protect their data regardless of where it resides. Taking advantage of these technologies requires a risk-based, security-focused approach to government cloud deployments. Palo Alto Networks appreciates the opportunity to respond to the Federal Chief Information Officer’s request for information regarding the Federal Cloud Computing Strategy. The following comments are offered to enhance the strategy’s focus on a comprehensive security foundation encompassing both cloud service providers and mission owners. We would be pleased to provide additional information about the concepts addressed in these comments; please direct any questions to Coleman Mehta, Senior Director, U.S. Policy Redacted.

Cloud Deployments Must Include Security Requirements for Mission Owners in addition to Cloud Service Providers.

Cloud Smart’s security focus is a good initial step, but it must further underscore the shared responsibility between mission owners and cloud service providers that ensures security is considered comprehensively. While cloud service providers secure cloud infrastructure, mission owners secure their data across all environments – across networks, endpoints, on-premise data centers, multi-cloud infrastructure, and within a single public or private cloud service provider. Contract requirements that mandate infrastructure security do not obviate the need for requirements and resources also addressing the important security capabilities that mission owners use to fulfill their responsibilities; including requirements for both in procurements provides needed clarity for all parties without penalizing bids for adding cost and complexity outside of scope. A higher level of orchestration and integration is needed to effectively secure enterprises against cyber risks. Agencies should be expected to ensure that consistent policies for accountability, visibility and security are executed and measured across all data sets, no matter where they reside. Agencies must also be able to consistently monitor their security posture while maintaining the ability to automatically generate situational awareness across all of their network environments. Agencies should be held accountable for delivering the same level of reporting required by the Continuous Diagnostics & Mitigation program for all their cloud-based assets even as those assets have shifted from on-premise to off-premise cloud environments.

Cloud Smart rightly focuses, moreover, on modernization of the Trusted Internet Connections (TIC) and Continuous Diagnostics and Mitigation (CDM) programs. Current program requirements do not provide effective network infrastructure security. As these programs modernize, they must incorporate new security technology evolutions and the flexibility to identify, test and adopt those innovations, such as a zero-trust model of security enforcement points within and throughout modernized infrastructure down to the endpoint.

Acquisition Practices Must be Better Aligned to Mission Needs, Through Operational Testing and Leadership Accountability.

Cloud Smart seeks to harmonize traditionally stovepiped stakeholders in the government, including the acquisition community. In particular, the strategy’s call for procurement contracts to include security requirements is important, but could be bolstered by considering accountability and incentive models for procurement officials oriented towards strong security and risk reduction to the agency. The current risk structure for contract officers does not map to the risk of the enterprise, often leading to lowest cost, technically acceptable bids that minimize protest risk, rather than focus on quickly putting the best performing tools in the hands of mission operators. One mechanism for addressing this procurement misalignment is expansion and greater use of real-world operational testing and evaluation programs for security technologies, rather than a reliance on static requirement checklists. Both the defense community and civilian agencies are starting to utilize more effective operational testing, which should become a scaled model. Contracting and procurement officials should be accountable and incentivized under Cloud Smart to reinforce the requirement in Executive Order 13800 (Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure) that holds agency heads accountable for managing the cyber risks of their enterprises. Agency heads can meet the Executive Order’s accountability obligations by ensuring effective, independently-evaluated security requirements are built into procurement contracts, thereby aligning the incentives and responsibilities of contracting and acquisition professionals to directly support the mission owners.