The Centers for Medicare and Medicaid Services are in the midst of an ‘all-out assault’ to streamline how they approve software and app security, and the agency is modeling its approach on the Air Force’s ‘Platform One’, according to its chief information security officer.
CMS CISO Robert Wood said the agency is dealing with the “heavy friction” of slow authority-to-operate (ATO) processes and other security policies from multiple angles.
“We’re not going to solve all of our problems with one big project,” Wood said during a Feb. 18 webinar hosted by the ACT-IAC Cybersecurity Community of Interest. “Rather, we’re going to attack him from multiple sides and kind of swarm around him.”
Wood said the initiative has taken on added urgency as CMS is at the center of national initiatives to respond to COVID-19, the opioid epidemic and other health crises.
“We need to be able to change as an institution in healthcare faster and more stably than ever before,” he said.
The agency’s first major effort, he said, centers on a “rapid ATO” process to help application development teams build their system security plans more quickly. CMS uses reusable control descriptions and pre-written control statements for approved technologies, like identity management, so teams don’t have to start their ATO with a blank slate every time.
Ultimately, Wood said CMS wants to incorporate software bills of materials and other asset identification tools into the process “where we can automatically identify the components of a system and then pre-populate a lot of those things for you.”
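In outline, the SBOM-driven pre-population Wood describes is a join between an inventory of components and a catalogue of pre-written control statements. The following Python is an added example, not CMS code: it assumes a CycloneDX-style JSON SBOM and a hypothetical catalogue `APPROVED_CONTROLS` of pre-written NIST SP 800-53 control statements keyed by component name, and it separates out components with no approved statement so that a person still has to write those narratives rather than shipping an SSP with silent gaps.

```python
"""Pre-populate system security plan (SSP) control statements from an SBOM.

Added example, not CMS code. Assumptions: the SBOM is CycloneDX JSON
(fields used: bomFormat, components[].name/version/purl) and the
APPROVED_CONTROLS catalogue below is hypothetical.
"""
import json
from collections import defaultdict

# Constructed sample SBOM in CycloneDX 1.4 JSON shape (not a real CMS artifact).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "container", "name": "keycloak", "version": "21.1.1",
         "purl": "pkg:docker/quay.io/keycloak/keycloak@21.1.1"},
        {"type": "container", "name": "postgres", "version": "15.3",
         "purl": "pkg:docker/library/postgres@15.3"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})

# Hypothetical catalogue of pre-written control statements for approved
# technologies: lowercase component name -> [(control id, statement), ...].
APPROVED_CONTROLS = {
    "keycloak": [
        ("IA-2", "Users authenticate through the agency Keycloak identity "
                 "provider using the approved MFA configuration."),
        ("AC-2", "Accounts are provisioned and deprovisioned through Keycloak, "
                 "synchronized with the agency directory."),
    ],
    "postgres": [
        ("SC-28", "Data at rest is protected by the approved PostgreSQL "
                  "encrypted-storage baseline."),
        ("AU-2", "Connection and authentication events are logged through the "
                 "approved PostgreSQL audit configuration."),
    ],
}


def components_from_sbom(sbom_json: str):
    """Return (lowercase name, version) pairs from a CycloneDX JSON SBOM.

    The name is taken from the purl when present (pkg:type/namespace/name@version),
    because purls are more stable identifiers than free-text component names.
    """
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    out = []
    for comp in bom.get("components", []):
        name = comp.get("name", "")
        purl = comp.get("purl")
        if purl:
            name = purl.split("@")[0].rsplit("/", 1)[-1]
        out.append((name.lower(), comp.get("version", "")))
    return out


def prepopulate_ssp(sbom_json: str, catalogue=APPROVED_CONTROLS):
    """Map SBOM components to pre-written control statements.

    Returns (controls, unmatched): controls is {control id: [entries]}, each
    entry naming the component the statement was drawn from; unmatched lists
    components with no approved statement, which must be written by hand.
    """
    controls = defaultdict(list)
    unmatched = []
    for name, version in components_from_sbom(sbom_json):
        statements = catalogue.get(name)
        if statements is None:
            unmatched.append(f"{name}@{version}")
            continue
        for control_id, text in statements:
            controls[control_id].append(
                {"component": f"{name}@{version}", "statement": text})
    return dict(controls), unmatched


if __name__ == "__main__":
    populated, todo = prepopulate_ssp(SAMPLE_SBOM)
    for control_id in sorted(populated):
        for entry in populated[control_id]:
            print(f"{control_id} [{entry['component']}]: {entry['statement']}")
    print("Needs a hand-written narrative:", todo)
```

The unmatched list is the part worth keeping in any real pipeline: pre-population only saves time for components someone has already assessed, and a component outside the approved catalogue should block the rapid path rather than inherit a statement by accident.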
A second related effort is to develop a platform as a service for CMS software development. Wood said the agency models its efforts on “Platform One,” the Air Force’s enterprise software development environment.
“We’re not trying to deploy Kubernetes and containers on submarines or airplanes while they’re in the air,” Wood noted. “So we have a lot of flexibilities that they don’t have in terms of how we do deployments.”
Wood said that, like Platform One, CMS builds its platform on top of the open-source Kubernetes container orchestration system.
He said CMS has established a “working prototype” of the software development environment, and he expects it to reach the “minimum viable product” stage within the next two months with two applications running on it.
The idea is to integrate the rapid security assessment process into the development environment, allowing teams to deploy new versions of software more quickly.
“There are a lot of teams at CMS that are stuck in this monthly or quarterly rollout place, and that’s a good thing for them,” he said. “There are teams that deploy daily. But that’s not the norm right now. This is the exception, and we hope to be able to reverse that.”
With the current process, he said, speed is not incentivized in many ways.
“Continuously deploy your application, continuously improve your application, which doesn’t really happen because change is seen as a bad thing, because you have to do security impact analyses, maybe you even have to go through a new ATO if you’re redesigning things in a meaningful way,” he said. “There’s this whole compliance process that ends up becoming the focus of development teams, which is certainly not where we want people to spend their time and energy.”
Wood said CMS was also trying to reform its security operations in a bid to streamline an approach he called a “bottleneck” for development teams trying to access data to patch systems, respond to incidents and perform other critical functions.
“We are building on a data lake platform,” he said. “We use it as our only source of truth, because we can create really, really rich governance rules around access and reporting.”