Weekly Wrap-Up
Week of August 16, 2021
Federal Government Updates
FedRAMP's Doing Well But There's Room for Improvement
(Washington Technology) If we were issuing a “report card” on the adoption of Federal Risk and Authorization Management Program (FedRAMP) cloud service offerings, we’d likely conclude in a summary statement that there has been “promising progress so far, but there’s much room for improvement.”

FedRAMP was launched in 2011 to establish a cost-effective, risk-based, standardized approach for the adoption and use of cloud services by the federal government, with an emphasis on technology modernization and security. Either agencies or the FedRAMP Joint Authorization Board (JAB) can grant the sponsorships required for cloud service providers (CSPs) to receive an Authority to Operate (ATO) or a Provisional Authority to Operate (P-ATO). To be considered for a FedRAMP ATO or P-ATO, CSPs work with an accredited Third Party Assessment Organization (3PAO) to complete a readiness assessment and/or a full assessment of their offerings.
NIST's OSCAL Helping to Speed Up FedRAMP Approvals
(MeriTalk) The Federal Risk and Authorization Management Program (FedRAMP) authorization journey can sometimes be a confusing one to navigate, but experts agree that the National Institute of Standards and Technology’s (NIST) Open Security Controls Assessment Language (OSCAL) formats are helping to speed the FedRAMP approval process.

OSCAL is a common machine-readable language that FedRAMP and NIST are using to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud services and products. FedRAMP and NIST announced the release of version 1.0.0 of OSCAL in June.
FedRAMP Chief: Agency Cloud Demand Jumped 60 Percent in First Half of FY2021
(MeriTalk) Federal agency demand for cloud service products in the General Services Administration’s (GSA) FedRAMP marketplace showed a 60 percent year-over-year jump in the first half of Fiscal Year 2021, as agencies continued their move to cloud services in order to deal with pandemic-driven tech needs and IT modernization priorities.

The Federal agency demand picture for cloud services was one of the main takeaways from an address by Acting FedRAMP Director Brian Conrad at an August 18 event organized by FCW. He also covered FY 2022 program goals and spoke at length about the importance of putting additional automation technologies in place.
FISMA's a Fizzer, Says Cisco, and Calls on Congress to Get Cyber Security Policy Right - Pronto
(The Register) A senior Chief Information Security Officer (CISO) advisor at Cisco has penned a commentary on the state of US cybersecurity frameworks, criticizing current government infosec and advocating for more autonomy for CISOs and a better understanding of the task at hand from those creating policies.

"After nearly two decades of federal cybersecurity and risk management as practiced under the rubric of the Federal Information Security Management Act (FISMA) of 2002 and the Federal Information Security Modernization Act (also FISMA) of 2014, billions of dollars in appropriated federal cybersecurity funding have not appreciably improved the overall situation," wrote Bruce Brody.
A Cybersecurity Stop Sign: CISA Introduces Bad Practices
(Forbes) Cyber hygiene. It’s a term we’ve been using for years to reference a set of best practices for improving cybersecurity across the public and private sectors alike. Yet with all of the talk about best practices and investments in satisfying security controls, the Department of Homeland Security (DHS) has done an about-face with the Cybersecurity and Infrastructure Security Agency’s (CISA) recent introduction of Bad Practices. In a classic parenting move, CISA has focused on eliminating worst practices before investing in best practices. And since cyber hygiene and security best practices continue to fail year after year, what’s the harm in turning our approach on its head?
Commerce Department Developing Massive IT Services Contract
(Nextgov) The Commerce Department is building a new IT contract to be used at every level of the agency, with an eye toward making the department “recognized as a leader” in federal technology.

The department as a whole looks to complete a technology refresh every three to five years, though that has generally been cost prohibitive, according to a request for information posted to SAM.gov.

With the new Commerce Acquisition for Transformational Technology Services, or CATTS, enterprise contract, the department is looking at as-a-service IT options in the hopes of lowering future upgrade costs and to “position itself to meet the strategic goals, deliver its mission and be recognized as a leader within future administrations and the federal enterprise in its use of information technology,” according to the performance work statement.
Industry News
What In-House Counsel Need to Know About "Reasonable" Data Security Measures
(Reuters) Despite its increasingly common use, the standard of “reasonable” security measures leaves many business leaders and their legal counsel puzzled by its purpose and meaning. Policymakers generally use reasonableness as a way to balance their protective goals with ever-changing technology and cyber threats, both by establishing baseline risk-based program and safeguard requirements and by setting the expectation that organizations maintain appropriate diligence as the situation evolves.

Business-to-business relationships use a similar approach when setting contract terms across interconnected businesses and supply chains.
Facebook to Build $800M Data Center in Metro Phoenix
(The Hill) Facebook announced Thursday that it will invest $800 million to build a data center in Mesa, Ariz., the company's first in the state.

The facility, which will operate largely by solar power, is set to be completed in about two years and will house routers, switches, servers, storage systems and other equipment, according to the Arizona Republic.

In addition, Facebook said the new building will use 60 percent less water than the average data center, according to The Associated Press.

Melanie Roe, a spokesperson for the tech giant, said that construction is starting now and will last a couple of years, according to the Republic. When fully functioning, the facility will employ culinary staff, engineers, security staff and technicians, among other workers.
China Sets Out New Rules to Protect 'Critical Information Infrastructure' as it Bolsters Data Security Push
(South China Morning Post) China has set out special rules to put companies in the telecoms, energy, transport, finance and defence sectors under closer cybersecurity scrutiny as Beijing seeks to tighten its control of domestic data.

The new regulations, released by the State Council on Tuesday, provide more clarity on Beijing’s thinking around securing its critical information infrastructure, a term that appears in China’s Cybersecurity Law but has so far lacked specific guidance.

The new articulation comes as Beijing seeks to build a data governance framework to ensure the security of what it deems as important data, putting limits on how businesses collect and use sensitive personal data, while encouraging the circulation of less sensitive data to unleash its economic value.
If you would like to have your story featured in ADI's Member News, please contact ADI's Policy & Communications Manager, Jaishri Atri.
Questions? Inquiries? Please e-mail: [email protected]