Gary Griffiths | Federal compliance rules blunt new tools
Another View | Guest commentary: On-demand services create a new need for software compliance
- By Gary Griffiths
- Aug 10, 2007
For federal government information technology managers, there is perhaps no more important issue than security. Even for experienced suppliers, federal security regulations and controls are complex and extensive.
The advent of software-as-a-service (SaaS) applications, where government pays to use software instead of paying to own it, however, has raised new questions about security and compliance.
On-demand services have proved to be cost-effective, scalable and innovative. But if the government does not own the software, how can IT managers be sure it is secure?
Part of the problem is that current accreditation and certification processes are targeted at internal government networks and the integrators who traditionally build and maintain those systems. The policy for private companies offering SaaS solutions, an emerging field, is ambiguous at best.
Service providers such as SalesForce, RightNow and WebEx, which I lead, are adapting to meet government security requirements. Last year, for instance, WebEx asked a data security auditing group, to conduct an independent risk-assessment audit of our infrastructure. We want WebEx systems to be certified and accredited to meet all federal standards, regulations and controls in accordance with the National Information Assurance Certification and Accreditation Process.
NIACAP compliance is not required for on-demand service providers, and obtaining it is expensive and slow-going. Yet we are seeking it voluntarily and expect to be among a select few SaaS companies to complete this step. Why?
The answer is simple: Government security managers look suspiciously at any company that lacks it, especially on-demand providers that are relatively new to the marketplace. As difficult as NIACAP compliance is to obtain, not having it means not being competitive in the federal market.
Current policy by default favors large integrators who build new systems from the ground up. And to be frank, this works to the disadvantage of government. Large integrators are being forced to build new products under dedicated government infrastructures that compete with or replicate commercial products.
However, building these systems contradicts the Defense Department's innovative new policy of 'ABC': adopt available technologies first, buy second and create last. Although DOD might aim to decrease its dependence on bottom-up, on-premise solutions, the ABC policy is challenging in practice without an efficient process by which responsible companies offering commercial, on-demand applications can comply.
And NIACAP compliance is only the beginning. There is an alphabet soup of compliance, certifications and attestations that follow: Common Criteria, the Federal Information Security Management Act, Federal Information Processing Standard-140, DIACAP, DITSCAP and the Office of Management and Budget's Circular A-130. One of them costs more than a million dollars and takes more than a year to complete. Even for software and hardware giants who have the time and money, this is a tedious process. For smaller companies, the task is impossible.
Are the government's rules and regulations unrealistic? Not in the least. All of us in the technology industry understand the gravity of the IT security challenge and the vital necessity of protecting government data ' now more than ever. But federal regulations need to keep up with the times. New technologies are hitting the market every day ' and some of them are more efficient answers to yesterday's large integrators.Gary Griffiths is president of products and operations at WebEx, a division of Cisco Systems, and a former Navy officer.