GSA makes room at the table for the CISO
A new IT policy letter from the GSA’s CIO aims to ensure that the agency’s senior security officer is a part of all IT projects, not just brought in after the fact to monitor compliance.
The General Services Administration has spelled out a new policy for agency IT projects to ensure that basic principles promoting economy, efficiency and transparency are integrated into technology solutions developed for or operated by GSA.
Included in the IT Integration policy issued July 24 are requirements that cybersecurity be incorporated into IT projects from the beginning and that the appropriate security team has a place at the table during planning.
“One of the largest challenges for GSA IT is early and consistent engagement with the IT security team throughout the project to understand what security requirements apply, who needs to be engaged to assist in implementation and how this impacts the project schedule,” agency CIO Sonny Hashmi wrote in the instruction letter.
With the cyber threat landscape growing in intensity and sophistication, security no longer can be layered on in IT projects as an afterthought, Hashmi explained in a blog post. “This principle will require that the GSA Office of the Chief Information Security Officer acts as a consultant and partner throughout the project life cycle, rather than being viewed as a compliance step towards the end of the project,” he wrote.
Hashmi also spelled out another principle that could help significantly improve cybersecurity: platform reuse first. That is, GSA will give priority to leveraging existing platforms for new services over building new systems.
Cybersecurity is just one part of the new GSA directive. It also includes compliance with the federal cloud-first policy and requirements for a GSA open-source-first policy as well as for single sign-on, online delivery of services, records management and better stewardship of procurements.
But I am focusing on the security requirements. IT security has been designated by the General Accountability Office as a high-risk area for all executive branch agencies since 1997. This is not so much because there has been no improvement in security, but because government dependence on IT continues to increase as the systems become more complex, making it difficult for administrators to keep up with security requirements.
Ensuring that security is included from the earliest stages of planning and development could help change this. Reusing existing platforms to reduce the number of new projects being developed also could improve security by allowing administrators to concentrate on a smaller number of legacy systems with a known security profile. Expanding the use of existing platforms does not guarantee their security, of course. Expansion and repurposing will require new evaluations and new controls to make sure they meet risk management requirements. But if done well, this could be more efficient than constantly bringing new systems online.
The new policies apply to all new GSA projects, regardless of size, to all enhancements of existing systems that are over the $150,000 threshold for simplified acquisition and to any cloud acquisition or blanket purchase agreement regardless of value. Failure to follow policy could result in project termination.
Like any policy, GSA’s IT Integration policy could devolve into a morass of paperwork and checkboxes that achieves little or nothing. But if the new policy cuts through existing bureaucracy rather than adding new layers, it could be a step toward improving the agency’s cybersecurity.