As covered by MeriTalk: The Cloud Safe Task Force—made up of four nonprofits: MITRE, the Cloud Security Alliance (CSA), the Advanced Technology Academic Research Center (ATARC), and the IT Acquisition Advisory Council—held its fourth meeting to discuss how to achieve greater authorization-to-operate (ATO) reciprocity in cloud security practices.
Task force members explained during a Nov. 13 ATARC event that reciprocity does not exist among the security control frameworks currently used in the cloud service industry: an assessment performed against one framework is not accepted by the others.
This means cloud service providers may have a single control that has to “be assessed and reassessed up to 12 or more times because of the multiple frameworks they have to assess to,” according to Mari Spina, a senior principal cybersecurity engineer at MITRE.
For instance, Spina said there is the General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP) and the Cybersecurity Maturity Model Certification (CMMC) Program within the Department of Defense. Additionally, many federal agencies have their own Federal Information Security Management Act (FISMA) implementation requirements.
Industry also has a host of frameworks, such as the CSA’s Security, Trust, Assurance, and Risk (STAR) program, alongside multiple international ones.
“These are all, in some cases, separate, different assessors using different controls and writing different reports. So, it’s a big cost driver,” Spina said. “I believe that if we can successfully tackle this, we save the industry, the government, and the cloud provider a ton of money.”