As we approach the end of the federal government fiscal year, it's a good time to review the legislative and policy landscape. Several updates and changes have recently arrived or are already in motion regarding cloud security and data resilience.
The Legislative Branch: An Increased Focus on Cloud Security
On the legislative front, both the House and Senate Armed Services Committees were particularly attentive to cloud security in their versions of the fiscal year 2024 National Defense Authorization Act (NDAA). In the House committee’s report, they rightly call for the Department of Defense to ensure they effectively leverage the commercial sector as they expand their enterprise cloud effort in the form of the Joint Warfighter Cloud Capability (JWCC).
In part, the committee recognized that to achieve the most secure enterprise cloud, DoD will have to leverage commercial capabilities, writing:
“[T]he private sector can offer capabilities for advanced continuous cyber threat hunting, identity threat protection, and robust cyber threat intelligence. The committee expects that the Department will continue the rapid pace of progress in implementing cloud capability while simultaneously working arduously to mitigate risk to data and operations.”
Full Visibility and Real-Time Threat Response With a Single Security Management System
One needed capability would be a commercial-off-the-shelf security information and event management (SIEM) for effective network security. This capability provides a single security management system that offers full visibility into activity within Department of Defense networks, thus allowing Security Operations Centers to respond to threats in real time. As the DoD continues to increasingly transition to a software-as-a-service model, security must remain a key consideration in moving to the cloud in accordance with Congressional direction. A SIEM capability would also align nicely with the security orchestration and automated response (SOAR) pilot activity that was directed in the National Defense Authorization Act for fiscal year 2022.
Expanding SOAR Capabilities To Reduce Risk
Speaking of SOAR capabilities, the Senate’s committee report accompanying this year’s bill also directed its application to the Joint Force Headquarters-Department of Defense Information Network (JFHQ–DODIN) expansion of internet operations management (IOM). The Committee noted that:
“[T]he additional network visibility this capability provides can most meaningfully reduce risk if it is seamlessly integrated with a state-of-the-art security orchestration and automation capability deployed in the services’ and U.S. Cyber Command’s big data platforms.”
The Senate requested to be briefed on plans for expanding the use of SOAR throughout the DODIN, including any required resources for completing the expansion. Perhaps the Command Cyber Operational Readiness Inspection (CCORI) process could measure the success of SIEM and SOAR applications across the DODIN. In their version of the bill, the Senate Armed Services Committee also calls into question the Department’s approach to cloud security. Their version Section 143 calls for the Pentagon’s Chief Information Officer to provide a report to the defense committees on the use of enterprise-wide contracts for cybersecurity tools. If enacted in the conferenced NDAA, DoD will have to provide information pertaining to the risks and benefits with utilizing enterprise-wide tools from a single vendor, and future planning for contract recompetes.
Scalable, Modern Environments via the New Splunk and Microsoft Azure Partnership
This has notable implications for cloud security, specifically. A great example that could potentially alleviate Congressional concern would be the recently announced strategic partnership between Splunk and Microsoft. This partnership allows for Splunk’s cloud solutions to be built natively on Microsoft Azure, which could allow the Department of Defense to migrate, modernize and grow their environment with end-to-end cloud and hybrid visibility at scale.
The Executive Branch: Implementing a Data-Centric Architecture
Pivoting now to the executive branch, the Director of National Intelligence recently released the updated Intelligence Community Data Strategy 2023-2025. It follows similar themes of the DoD Data Strategy that was released in 2020. Most noticeably, it calls for a shift from a system-centric mindset to that of data-centric:
“To make data more interoperable, the IC will implement a data-centric framework that shifts the current focus from a system-centric to a data-centric architecture. A data-centric architecture assures that the primary functional role of an IT architecture enables secure and timely discovery, analysis, production, and dissemination of data to enhance the effectiveness of the intelligence lifecycle. Data-centric principles ensure that IT architecture considers the data management lifecycle from point of acquisition through exploitation until disposition.”
The Strategy also calls for leveraging the capabilities of the private sector and academia, which should help pave the way for successful implementation over the coming years.
Revisiting the Defense Department’s Zero Trust Strategy
Although it has been in place for several months, it’s worth noting the Defense Department's Zero Trust efforts. With the release of the DoD Zero Trust Strategy in November 2022, DoD took its latest step in its efforts at data security. As DoD CIO John Sherman wrote in the forward to the strategy, “This ‘never trust, always verify’ mindset requires us to take responsibility for the security of our devices, applications, assets, and services; users are granted access to only the data they need and when needed.”
In recognition of what it takes to sustain a zero trust approach, he continued later in the forward by noting “The journey to Zero Trust requires all DoD Components to adopt and integrate Zero Trust capabilities, technologies, solutions and processes across their architectures, systems and within their budget and execution plans.” I am looking forward to seeing how the Department executes the planned Zero Trust Roadmap over the coming months.
Splunk helps over 900 higher education institutions, three branches of government and 48 of the 50 largest U.S. cities build resilience. Reach out to learn what you can do with Splunk.