Securing and Monitoring Government Data Repositories: The Impact of the CMMC

If you work in a federal agency, know that data protection is on your shoulders—not those of your cloud provider. In this article, VP Brandon Shopp offers tips on ensuring your data is secure, even within a large cloud-based repository.

As cloud-based data repositories continue to expand, so do their security challenges. Part of the problem is that these repositories often rely on data from various cloud providers. One example is the repository used by federal agencies to keep track of contractor compliance for Cybersecurity Maturity Model Certification (CMMC). There are many others throughout all levels of government.

Agencies are responsible for protecting the data held in these repositories. Cloud providers only guarantee the infrastructure; cybersecurity is the responsibility of agencies themselves. Agencies must take proactive measures to secure and monitor their data repositories.

Let’s start by looking at disaster recovery and backups. As a best practice, agencies should consider implementing the 3-2-1 rule for backups to ensure post-incident recovery. Adhering to this rule requires maintaining at least three copies of important datasets over at least two different types of media, one of which should be stored offsite and preferably offline, hence the term “3-2-1 rule.”

Rotating media storage components (disks, tapes, storage locations, etc.) for local storage adds a layer of protection, as offline media backups can be used for recovery if online media has been corrupted by malware.
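The 3-2-1 rule above can be checked mechanically against a backup inventory. The following Python sketch is an added example, not code from the original article; the inventory layout, field names, and dataset names are constructed assumptions. It treats a missing offline copy as a warning rather than a failure, because the rule states offline only as a preference.

```python
# Added example: audit a backup inventory against the 3-2-1 rule.
# Constructed sample data; dataset names and field names are hypothetical.
INVENTORY = [
    {"dataset": "cmmc-records", "media": "disk", "offsite": False, "offline": False},
    {"dataset": "cmmc-records", "media": "object-storage", "offsite": True, "offline": False},
    {"dataset": "cmmc-records", "media": "tape", "offsite": True, "offline": True},
    {"dataset": "hr-archive", "media": "disk", "offsite": False, "offline": False},
    {"dataset": "hr-archive", "media": "disk", "offsite": False, "offline": False},
    {"dataset": "hr-archive", "media": "disk", "offsite": True, "offline": False},
    {"dataset": "audit-logs", "media": "disk", "offsite": False, "offline": False},
    {"dataset": "audit-logs", "media": "tape", "offsite": False, "offline": True},
]


def check_321(inventory, required_datasets=()):
    """Return {dataset: [findings]}; an empty list means the rule is met."""
    # Seed with datasets that must be protected, so one with no backup
    # copies at all still shows up in the report.
    by_dataset = {name: [] for name in required_datasets}
    for copy in inventory:
        by_dataset.setdefault(copy["dataset"], []).append(copy)

    report = {}
    for name, copies in sorted(by_dataset.items()):
        findings = []
        if len(copies) < 3:
            findings.append(f"FAIL copies: {len(copies)} found, need at least 3")
        media = {c["media"] for c in copies}
        if len(media) < 2:
            findings.append(f"FAIL media: {len(media)} type(s), need at least 2")
        offsite = [c for c in copies if c["offsite"]]
        if not offsite:
            findings.append("FAIL offsite: no copy stored offsite")
        elif not any(c["offline"] for c in offsite):
            # The rule only prefers offline, so this is a warning, not a failure.
            findings.append("WARN offline: every offsite copy is online")
        report[name] = findings
    return report


if __name__ == "__main__":
    for dataset, findings in check_321(INVENTORY, ["contracts-db"]).items():
        print(dataset, "OK" if not findings else findings)
```

Passing the list of datasets that must be protected (here the hypothetical `contracts-db`) catches the case an inventory-only check misses: a dataset that has no backup copies recorded at all.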

Storing sensitive agency data on a cloud service provider’s platform demands stringent security and monitoring tools. One method employs an automated vault for this information, either using the cloud service provider’s existing management tools or a product provided by an independent third-party software vendor.

In addition to backup and vault technologies, federal IT portfolios commonly employ log and event aggregators—also known as security information and event management (SIEM) tools—and privileged access management (PAM) tools for their systems and environment. A SIEM tool can give the team insight into the baseline usage, so anomalous behavior and access are more readily identifiable. PAM tools can provide privileged users with one-time passwords to temporarily give the user access rights for performing routine tasks requiring stringent security controls.

Authentication should be further hardened by enforcing a secure password policy for all users, privileged and otherwise. Employ a password manager to ensure hardened passwords are readily accessible to your users and they aren’t forced to rely on memory or sticky notes.

As agencies migrate data repositories and applications to the cloud, federal IT professionals need to secure a larger and more amorphous perimeter. Applying existing tools and best practices, accompanied by changes recommended by bodies charged with oversight, will best protect agency data while providing the secure access end users require.


Read the full Government Technology Insider article here.
