Public Sector Innovations
Notable sites running on Federalist include the Department of Homeland Security’s cyber.dhs.gov, the Interior Department’s revenuedata.doi.gov, the Education Department’s collegescorecard. ed.gov, the General Services Administration’s vote.gov and the White House’s opioids.gov.
PROJECT: FedRAMP Tailored General Services Administration
Secure SaaS, accelerated
The Federal Risk and Authorization Management Program is a linchpin of the government’s ability to move to the cloud in a secure and compliant way. The FedRAMP process itself, however, can be dauntingly long and expensive for cloud service providers and agencies alike.
Enter FedRAMP Tailored. This abridged set of security controls for low-risk cloud services debuted in late 2017 and has already slashed the cost of an authorization by 50 percent to 75 percent. And it allows the process to be completed in as little as a month.
Not every cloud service can take
the Tailored approach, of course, but
any number of surveying, calendaring, collaboration and other workflow tools
are strong contenders. By letting agencies independently validate certain security requirements, FedRAMP Tailored trims the number of validated controls by threefold relative to a “standard” FedRAMP baseline. As a result, it is easier for agencies to use the cloud tools everyone else is using.
PROJECT: High-Fidelity Adaptive Deception and Emulation System
Sandia National Laboratories
Turning the tables on
hackers
Sandia National Laboratories’ primary mission is securing the nation’s nuclear arsenal, which faces very real threats. The labs’ networks experience 1.5 billion cyber events a day, ranging from incorrect password entries, phishing and malware attacks, and more serious nation-state activities, said John Zepper, Sandia’s director of computer and networking services.
In response, Sandia officials developed the High-Fidelity Adaptive Deception and Emulation System (HADES) to go beyond a traditional honeypot and use cutting- edge technology to give its operators the opportunity to run sting operations on the people trying to break into their systems.
Although HADES’ deception environments are isolated from Sandia’s host systems and data, designers spent a lot of time making it look like the real thing. Vince Urias, a cybersecurity researcher at Sandia, said they make up intricate profiles “for admins and engineers and the folks who are working 9 to 5 and those who work 12- hour shifts and take lots of coffee breaks.” Those “users” all have records with recently downloaded files, browser histories, varying uptimes and other small details that mimic authentic network behavior.
Those details and imperfections give the environment a lived-in feeling that keeps attackers engaged longer and lets operators monitor their behavior, develop signatures and implement adaptive countermeasures in real time.
“Think about robbing a house: If you walked into a house and everything
was perfect and clean and there was no information, what would you do?” Urias said. “When an adversary comes in, they’re there to do something — to steal information or break things. If they can tell
it’s a facsimile, if there is no depth to the information, at some point the adversary doesn’t want to interact with that system.”
Furthermore, HADES is designed to pull certain information from a network in order to replicate it as quickly as possible, which means it is adaptable for use by others. Urias said Sandia has patented the system and plans to license it to other government agencies and external organizations in the future.
PROJECT: HSIN Cloud Migration Department of Homeland Security
‘Cloud smart’ on a
massive scale
Moving a mission-critical system to the cloud might not require the same precision and attention to detail as launching a satellite into Earth’s orbit, but it’s probably close.
The Department of Homeland Security recently migrated its mission-critical networks to Amazon Web Services’ GovCloud, and it had to ensure that it didn’t drop any of those networks’ 100,000 users in the process. Even a small failure could have had a huge impact on national security and commerce.
As part of that effort, the Homeland Security Information Network (HSIN) became one of the first high-integrity, high- confidentiality, high-availability systems
in the federal government to move to a commercial cloud. By doing so, DHS avoided the complexities of a hybrid model and positioned itself to take advantage of new features and scale faster to meet ever-shifting agency needs.
The carefully planned migration to HSIN was completed in 2017, but DHS continues to expand the operation. It has added backup operational capabilities and implemented a continuous integration and delivery pipeline for users that facilitates shorter maintenance and upgrade periods.
Most of that work is invisible to the end user, but the benefits are being felt across the department.
30 November/December 2018
FCW.COM