The Integrated Data Exchange Program


From Stovepipes to Secure Exchanges: An Integrated Approach to Protecting Shared Federal Data

by Greg Brill and Khurram Chaudry


Growing and pervasive threats have compelled the US Federal Government to consider cost-efficient yet effective risk management principles to determine whether non-federal entities (exchange partners) have adequate security in place and should be allowed to receive sensitive information from federal agencies.

The Integrated Data Exchange Program

The Challenge

The demand for data sharing between federal agencies and state and local governments is skyrocketing, but so is the danger that the data will be compromised. Identity theft involving the fraudulent use of government documents and benefits is growing at an exponential rate. More than half a billion records containing the personally identifiable information (PII) of US citizens have been lost or stolen from government and corporate databases. Though government agencies are struggling to make their systems more secure, they are hampered by budget cuts and an increasingly complex compliance and technical environment. A lack of integration among government data exchange programs not only greatly increases the risk of data breaches, but also leads to other serious problems such as costly redundancy, resource stress, and inefficient use of federal funds.

The Solution

Booz Allen Hamilton's Integrated Data Exchange Program (IDEP), a secure, enterprise-wide risk management, compliance, and governance framework, addresses all of these issues. It represents a shift from traditional stove-piped data security and compliance to a modern, holistic approach that is far more efficient and effective.
Key benefits of IDEP include:
- Cost savings through standardized compliance activities that reduce redundancy
- Improved compliance by promoting a federated data-sharing environment that is interoperable, transparent, and compliant with Office of Management and Budget (OMB) requirements and National Institute of Standards and Technology (NIST) guidance
- Increased data security and privacy through better, centralized federal data management, continuously monitored operational risks, and resource allocation prioritized by risk
- Increased exchange-partner customer satisfaction by streamlining reporting requirements and eliminating the need for exchange partners to correct the same security issues multiple times
- Coordination and oversight by establishing an oversight committee of stakeholders, or a champion federal agency, to collaborate on emerging problems and solutions

Relevant and Proven Expertise

Booz Allen has established and maintained regulatory compliance programs throughout the federal government and has supported data exchange programs at various federal agencies, including the IRS and the Social Security Administration (SSA). Booz Allen has also developed an enterprise-wide IT security program for Health and Human Services (HHS) and has an ongoing partnership with NIST to produce information security guidance materials.

Overview of Data Exchange Challenges

As Exhibit 1 illustrates, many federal agencies provide sensitive data to multiple exchange partners, including state, local, and tribal governments, healthcare providers, and other private organizations. The data sharing is necessary to fulfill legislative and mission-based requirements, such as determining qualifications for social assistance programs, verifying Social Security numbers and other personally identifiable information (PII), and collecting revenue for individual states. Once transferred, the federal data resides on the exchange partner's information systems, but the federal agency remains the data owner and is required to maintain adequate oversight of how the partner protects the information.

Key Federal Data Exchange Stakeholders: OMB; NIST; federal agencies; state and local governments; tribal governments; other institutions; Inspector General and other audit communities.

Exhibit 1: Current Data Exchange Process (Source: Booz Allen Hamilton). The exhibit shows sample federal agencies that share data (IRS, SSA, HHS, VA, and other federal agencies), each applying its own agency-specific requirements and memorandum of understanding (MOU) for data-sharing compliance activities, with a separate agreement for each exchange partner; sample external entities (health providers, tribal governments, approximately 50 state governments and territories, local governments, and other academic institutions, insurers, researchers, and suppliers); and the summary findings and compliance reports each partner produces.

The oversight function ensures that:
- Security requirements are strategically aligned with program mission goals and objectives
- Risk-based trust levels assigned to data exchange partners are supported
- Exchange partners are assessed in accordance with established security requirements

Similar efforts are under way for secure health data exchanges (e.g., the Health Information Exchange (HIE) workgroup).[1] However, significant and immediate efforts are needed for all other federal data exchanges, and this is what IDEP targets.

The current federal data exchange process presents a variety of challenges to the government and its exchange partners. The following are eight key issues and their impact.

Redundancy

Federal agencies that share data with exchange partners have each established separate compliance programs to meet legislative requirements. These data-sharing programs have distinct sharing mechanisms (electronic, such as direct information-system connections and file-transfer protocols, or physical, such as tapes and non-electronic media), data exchange agreements (Memoranda of Understanding, or MOUs), requirement sets against which to measure compliance, compliance reports, periodic assessment schedules, and related activities.

Impact: These disparate operating models, with no inter-agency or central reporting mechanisms, create redundancy across all data exchange program activities, resulting in inefficiencies and increased security costs. For example, various state and local agencies (e.g., human services, social services) receive federal agency data extracts for the state Income and Eligibility Verification System (IEVS) from both the IRS and the SSA. The state uses the data to determine its residents' eligibility for the federal Temporary Assistance for Needy Families (TANF), Food Stamps, and Medicaid programs.
Both the IRS and the SSA perform separate assessments of their exchange partners (though the data is used in a consistent manner), and each agency's requirements are different. Therefore, each exchange partner must dedicate operational staff to support each assessment effort and implement each set of corrective actions. According to a gap analysis performed by Booz Allen, the compliance requirements of these two federal agencies overlap significantly (approximately 90 percent partial or full overlap). Areas of overlap include access control and audit enforcement. Integrating the IRS and SSA data exchange programs therefore creates the potential for significant cost savings.

Increasing Demand

The demand for federal electronic data exchange services is growing as increasing numbers of exchange partners request existing and new types of data extracts. This intensifies the level of service required of federal agencies. For example, the IRS exchanges data with more than 360 partners, and the SSA has more than 3,100 data-sharing agreements, resulting in billions of records being transferred each year.

Impact: Increasing use of resources, including funding and manpower.

Data Breaches

The Federal Trade Commission reports that the second most commonly reported type of identity theft involves the fraudulent use of government documents and benefits. The US Computer Emergency Readiness Team (US-CERT) reported a 206 percent increase in federal computer security incidents from FY2006 through FY2008 (see Exhibit 2). More than 500 million records containing the PII of US residents stored in government and corporate databases have been lost or stolen. Sensitive data leaks are likely to rise as the number of discrete data exchanges increases. As Exhibit 3 shows, the cost of a data breach in 2008 was $202 per compromised record, up 2.5 percent from the previous $197-per-record figure. With compliance requirements and the technical environment becoming more complex, government agencies continue to struggle to identify and eliminate every security risk.

Impact: Compromised citizen data, legal liabilities, and reputational damage for affected government agencies.

Reduction in Funding

Government is constantly challenged to do more with less money, and budgets are being cut at the agency level, particularly during the current recession. States in particular are being hit hard. In the summer of 2009, for example, California state employees were required to take a third unpaid day off each month. Cost-cutting measures of this kind make it more difficult for states to spend the money needed to keep federal data secure.

Impact: OMB may be faced with expanded budget requests from individual agencies seeking to keep pace with the increasing costs of protecting federal data.

Exhibit 2: Incidents Reported to US-CERT, by fiscal year through FY08 (Source: United States Government Accountability Office, Information Security: Cyber Threats and Vulnerabilities Place Federal Systems at Risk, May 5).

Exhibit 3: Average Per-record Cost of a Data Breach; the values shown are $138, $182, $197, and $202 per record, the last being the 2008 figure (Source: Ponemon Institute, 2008 Annual Study, Cost of a Data Breach: Understanding Financial Impact, Customer Turnover and Preventative Solutions (US Study), February).

1. For further information on health data exchanges, read the Booz Allen publication Stemming the Rising Tide of Health Privacy Breaches.

Lack of Standardized Security Requirements

Currently, there are no consistent or comprehensive requirements, of the kind NIST recommends, that apply to all exchange partners at the federal or state level. In addition, the application of security principles varies because of disclosure, privacy, and Health Insurance Portability and Accountability Act (HIPAA)-related laws and regulations, and individual federal agencies continue to revise their requirements to keep pace with changing technology. All of these circumstances make compliance and security moving targets while widening the gaps between the compliance programs of the various federal agencies.

Impact: It is difficult to enforce federal data protection requirements consistently, and some essential security controls may be overlooked.

Changing Technologies

A recent trend in data exchange is an increase in electronic data transfers in place of the physical exchange (mailing) of data on magnetic tapes. Additionally, as a growing number of legacy applications are retired, they are being replaced with more modern and complex applications, many of them Web-based. Federal staff must be given the expertise to analyze the security of these modernized technologies as used in data exchanges. As the GAO has noted, more agencies are requesting online access to SSA's records rather than receiving data through batch processing, and providing and supporting online access generally requires more extensive compliance reviews than batch processing does.

Impact: This adds complexity to the protection of federal data. Lack of timely attention to changing technologies and the absence of adequate security measures could result in unauthorized disclosure of federal data.

Data Exchange Tracking

As more exchange partners receive different types of federal data extracts, tracking the shared data becomes increasingly challenging for federal agencies.
Because each agency has a complex data-sharing environment, some with technological or resource deficiencies, it can be difficult to maintain a comprehensive inventory of the data extracts shared with exchange partners.

Impact: The federal government may have limited control over the data exchanged.

Risk Prioritization

Federal agencies are increasingly expected to align resources to address high-priority risks. As a result, they need to understand current data exchange risks, as well as new requests for federal data, and then concentrate budget spending on the areas deemed to carry higher risk.

Impact: Failure to make this risk alignment makes it more difficult to focus resources on higher-risk areas or particular exchange partners. The resulting data loss or unauthorized disclosure would require additional spending on corrective measures.

The IDEP Solution for Data Sharing

The Integrated Data Exchange Program (IDEP) is an innovative, securely managed, and compliant data exchange environment within a total compliance and governance framework. When based on a service-oriented architecture (SOA), it provides centralized, secure federal data exchange services in accordance with Federal Enterprise Architecture (FEA) concepts. The purpose of the IDEP is to gain efficiencies and standardization not only in compliance activities but also in the data exchange itself, which can be accomplished by integrating all federal data exchange programs through an automated system and an oversight committee (see Exhibit 4). Streamlining the government's various data exchange programs into one centralized IDEP will equip it to deal with the next-generation challenges in securing federal data held by exchange partners.

One of the initial steps that can be taken before implementing the IDEP is a business case analysis to help determine overall feasibility. By using the Value Measuring Methodology (VMM), federal agencies can calculate the qualitative and quantitative benefits to their own operations as well as to exchange partners. In an IDEP environment, compliance costs are reduced as the government moves from a many-to-many relationship between federal agencies and exchange partners to a one-to-many relationship. The estimate of such cost savings can be used to determine the economic threshold at which federal agencies should participate in the IDEP; where federal agencies have a large amount of data exchange overlap, the benefits of participating increase. The analysis can be extended to cover the cost, benefit, and risk of leveraging an automated system to facilitate the IDEP solution. Use of an automated system centralizes the actual data exchange in addition to facilitating compliance-based activities. Collecting requirements, generating test plans, assimilating compliance results, conducting Plans of Action and Milestones (POA&M) reporting, and performing other continuous monitoring activities to manage operational risk to federal data are additional benefits.

Exhibit 4: IDEP Solution (Source: Booz Allen Hamilton). The exhibit shows federal agencies connecting to a single Integrated Data Exchange Program made up of an IT solution (IT architecture and design; IT systems development) and a compliance solution (security programs, policy, and compliance; security architecture and engineering), resting on an automated system, security/privacy compliance and governance, and an oversight board or champion agency. Each exchange partner (departments of motor vehicles, health providers, tribal governments, state and local governments, and other academic institutions, insurers, researchers, and suppliers) has one entry point into the program.

The Three Foundations of the IDEP

There are three primary elements of the IDEP:
- An automated system of data exchanges and compliance activities
- Security/privacy compliance and governance
- An oversight board or champion agency

Automated System of Data Exchanges and Compliance Activities

With an automated system, the IDEP operates at its most efficient and robust level. Such a system is of particular value because it can:
- Facilitate data input to support compliance assessment activities, including exchange-partner inventories, requirements, and integrated schedules
- Serve as the authoritative source of records for the federal data shared with external partners
- Be a single repository of all compliance-related data and documents, including assessment reports submitted by the partners

Government stakeholders can use the system to track POA&M resolution, obtain dashboard-based, partner-specific status, and gauge prioritized risk areas in real time.
Exchange partners can access the system around the clock to report the status of findings, submit periodic safeguarding reports, and obtain partner-specific compliance results to satisfy the requirements of their internal and external audits. More important, by centralizing the exchange of federal data, the automated system lets the government know at all times what its data inventory is and with whom it is being shared.

Security/Privacy Compliance and Governance

The second foundation of the IDEP is the standardization of requirements, exchange agreements (e.g., MOUs), continuing assessment activities, and reporting templates. With this element, the IDEP streamlines requirements to include the applicable computer security, privacy, PII, HIPAA (where applicable), and disclosure principles. If IDEP is adopted, Booz Allen can collaborate with NIST and OMB to select federal data exchange requirements that incorporate the common and unique elements from all federal agencies that share data with external partners. As demand for data exchange with the federal government increases, new entities can use this guidance to establish effective practices for implementing and managing safeguards for the federal data exchanged with them. Using the central set of requirements, a single, comprehensive compliance assessment can be performed for each exchange partner; that assessment addresses both the common and the unique requirements of every federal agency sharing data with that partner. Reporting content and format are standardized by establishing an Extensible Markup Language (XML) reporting schema for automation.
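The consolidation described above, as an added example that is not part of the original paper and not the IDEP's own tooling: two agencies' safeguarding requirements are mapped onto a common control catalogue, the overlap is computed in the way the gap analysis earlier in the paper reports it, and a single XML assessment report is emitted that records, for every control, which agency requirements it satisfies, so that one on-site assessment can be reported back to each agency under its own requirement identifiers. The two requirement sets, the agency names, the choice of NIST SP 800-53 control identifiers as the catalogue, the sample findings, and the XML element names are all constructed for this example; they are not the actual IRS or SSA requirements, nor the reporting schema the paper proposes.

```python
"""Requirements crosswalk for a consolidated data-exchange assessment.

Added example; not code from the paper or from the IDEP.  Two agencies'
safeguarding requirements are mapped onto a common control catalogue (NIST
SP 800-53 control identifiers are used as the catalogue), the overlap is
computed, and one consolidated XML assessment report is produced that records,
for every control, which agencies' requirements it satisfies.  All requirement
sets, agency names, findings and XML element names below are CONSTRUCTED for
the example; they are not the actual IRS or SSA requirements or the IDEP
reporting schema.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class Requirement:
    agency: str               # agency that imposes the requirement (constructed)
    req_id: str               # agency-specific requirement identifier (constructed)
    controls: FrozenSet[str]  # common-catalogue controls that satisfy it
    text: str


# Constructed sample requirement sets for two hypothetical agencies.
AGENCY_A: List[Requirement] = [
    Requirement("AgencyA", "A-1", frozenset({"AC-2"}), "Manage accounts that can reach federal data"),
    Requirement("AgencyA", "A-2", frozenset({"AU-2", "AU-6"}), "Log and review access to federal data"),
    Requirement("AgencyA", "A-3", frozenset({"MP-6"}), "Sanitize media holding federal data before reuse"),
    Requirement("AgencyA", "A-4", frozenset({"IR-6"}), "Report breaches within the agreed period"),
]
AGENCY_B: List[Requirement] = [
    Requirement("AgencyB", "B-1", frozenset({"AC-2", "AC-6"}), "Account management and least privilege"),
    Requirement("AgencyB", "B-2", frozenset({"AU-2"}), "Audit access events"),
    Requirement("AgencyB", "B-3", frozenset({"IR-6"}), "Incident reporting"),
    Requirement("AgencyB", "B-4", frozenset({"SC-8"}), "Protect data in transit"),
]


def controls_of(reqs: Iterable[Requirement]) -> set:
    """Union of the catalogue controls referenced by a requirement set."""
    return set().union(*(r.controls for r in reqs))


def crosswalk(reqs_a: List[Requirement], reqs_b: List[Requirement]) -> Dict:
    """Classify every control as common to both agencies or unique to one,
    and keep the originating requirements so a finding on a control can be
    reported back to each agency under its own requirement identifier."""
    a, b = controls_of(reqs_a), controls_of(reqs_b)
    by_control: Dict[str, List[Requirement]] = {}
    for r in list(reqs_a) + list(reqs_b):
        for c in r.controls:
            by_control.setdefault(c, []).append(r)
    return {"common": sorted(a & b), "unique_a": sorted(a - b),
            "unique_b": sorted(b - a), "by_control": by_control}


def overlap_fraction(cw: Dict) -> float:
    """Share of all required controls that both agencies require; this is the
    kind of figure a requirements gap analysis reports."""
    total = len(cw["common"]) + len(cw["unique_a"]) + len(cw["unique_b"])
    return len(cw["common"]) / total if total else 0.0


def consolidated_report(partner: str, cw: Dict, findings: Dict[str, str]) -> str:
    """Emit a single XML assessment for one exchange partner.  Every control is
    assessed once; each <control> lists the agency requirements it serves, so
    one report satisfies all agencies.  `findings` maps control id to status;
    a control with no finding is marked explicitly rather than silently omitted."""
    root = ET.Element("assessment", partner=partner)
    for control, reqs in sorted(cw["by_control"].items()):
        el = ET.SubElement(root, "control", id=control,
                           status=findings.get(control, "not-assessed"))
        for r in reqs:
            ET.SubElement(el, "source", agency=r.agency, requirement=r.req_id)
    return ET.tostring(root, encoding="unicode")


def parse_report(xml_text: str) -> Dict[str, List[str]]:
    """Read a consolidated report back and return, per agency, the requirement
    ids whose controls were not satisfied: each agency's view of the single
    corrective-action list.  Unassessed controls count as open findings."""
    out: Dict[str, set] = {}
    for ctrl in ET.fromstring(xml_text).findall("control"):
        if ctrl.get("status") == "satisfied":
            continue
        for src in ctrl.findall("source"):
            out.setdefault(src.get("agency"), set()).add(src.get("requirement"))
    return {agency: sorted(ids) for agency, ids in out.items()}


if __name__ == "__main__":
    cw = crosswalk(AGENCY_A, AGENCY_B)
    print(f"common={cw['common']} overlap={overlap_fraction(cw):.0%}")
    # Constructed findings from one on-site assessment of a single partner.
    findings = {c: "satisfied" for c in cw["by_control"]}
    findings["AU-2"] = "other-than-satisfied"
    report = consolidated_report("State X", cw, findings)
    print(parse_report(report))  # {'AgencyA': ['A-2'], 'AgencyB': ['B-2']}
```

The overlap figure depends entirely on how faithfully each agency's prose requirements are mapped to catalogue controls, so the mapping step is where the assessor's judgement lives; treating a control as "not-assessed" rather than dropping it keeps a gap in the assessment visible to every agency that relies on that control.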

The IDEP will develop a standard data exchange agreement (i.e., MOU) for federal agencies and external partners. The MOU can clarify each party's responsibilities with specific requirements, such as escalating and reporting breaches. The standard MOU will ensure that uniform information is collected for each data exchange.

Oversight Board or Champion Agency

An oversight government body will be needed to spearhead the initiative. This body will not only monitor the activities performed under IDEP but also provide leadership and direction, and will ultimately help ensure that the IDEP mission and supporting objectives are achieved in a timely and effective manner. The oversight body can be one of the following:
- An interagency oversight committee with representation from each of the participating federal data exchange programs. The committee can be designed to act on behalf of the entire US federal government in the absence of a federal data exchange body.
- A champion federal agency capable of providing leadership and guidance on behalf of all federal agencies that have participating data exchange programs. The champion agency could leverage the existing Line of Business (LOB) concept, whereby one organization is stringently evaluated and then trusted to perform a portion of other, similar government organizations' missions on their behalf.

The overall goal of these or other solutions that may be proposed is to monitor, supervise, and control IDEP activities while promoting effective decision making.

IDEP Benefits

The IDEP will provide five major benefits.

Cost Savings: Federal agencies can realize cost savings in fulfilling their legislative requirements to share and safeguard federal data with exchange partners. Those savings result from a centralized assessment process that eliminates redundancy in compliance activities and reporting. Furthermore, the anticipated drop in data breaches due to centralized management of the data will mean additional savings. Under the IDEP, only one on-site assessment of security control implementation is needed for each exchange partner. The assessment covers all requirements (disclosure, computer security, privacy, and PII) from all applicable federal agencies and produces a single, consolidated corrective-action report for the exchange partner to address.

Compliance: Adopting the IDEP will promote a federated data-sharing environment that is interoperable, transparent, and compliant with the appropriate NIST and OMB guidelines. This creates a widely acceptable, structured, and inherently flexible risk management framework consistent with the level of risk tolerance set by the program mission stakeholders. In addition, managing risks comprehensively, as a portfolio, improves mitigation efforts, concentrates resources more appropriately, and helps managers in an increasingly complex IT environment.

Increased Federal Data Security and Privacy: With the IDEP, the number of security breaches in federal data exchanges is likely to decline. Security and privacy are enhanced through the IDEP's continuous monitoring of operational risks and risk-based prioritization of resource allocation. Standardization is achieved by developing a common set of requirements and integrated schedules, using reporting and work-paper templates, and leveraging the knowledge and experience of a wide range of subject matter experts. Operational risk to federal data security and privacy is managed through methodical, continuous-monitoring activities (e.g., sample-based controls testing, periodic status report submission). Risk-prioritization models direct more resources toward the higher-risk areas within federal agencies and their exchange partners.
Increased Customer Satisfaction: Exchange partners will be able to leverage federal data exchange compliance activities and reports to satisfy their own internal and external inspection requirements. They will no longer have to make multiple corrections to the same security issues identified by different federal agency assessments. By eliminating redundant reporting requirements and compliance activities, exchange partners may realize cost savings and reduce the manpower needed to protect federal data.

Coordination and Oversight: The IDEP can increase coordination between federal agencies by instituting an oversight committee with representation from all federal stakeholders, or by selecting a champion agency. This will result in knowledge sharing and proactive solutions to upcoming challenges in federal data exchange security and privacy.

Booz Allen Offers Proven Performance

Booz Allen has served as a catalyst in establishing and maintaining award-winning regulatory compliance programs that improve effectiveness and decrease the costs of compliance throughout the US federal government. In the process, Booz Allen has produced hundreds of deliverables.

Internal Revenue Service Support

Since 2001, Booz Allen has worked closely with the IRS Office of Safeguards to protect Federal Taxpayer Information (FTI) shared with federal, state, and local agencies. We developed, deployed, executed, and maintain an effective computer and physical security evaluation framework that has enhanced security within state and local governments and improved customer service to state and local agencies. Booz Allen has accomplished this through:
- Strong project management support
- NIST-based evaluation of IT systems covering a broad range of platforms (mainframes and Unix/Windows servers)
- Technical Federal Information Security Management Act of 2002 (FISMA)-based training
- NIST compliance, communication plans, and continuous monitoring through periodic POA&M report submission
- Analysis of System Security Plan (SSP)-like documents for compliance with NIST and IRS requirements
- Expert advice on safeguarding requirements and key technical issues
- Strategic studies and white papers
- Program-wide risk management through agency risk profiling and self-assessment tools

Social Security Administration Support

Booz Allen supported the SSA Deputy Commissioner of Budget, Finance, and Management (DCBFM) and the Deputy Commissioner for Systems (DCS) in performing a Data Exchange Risk Analysis and Vulnerability Assessment at four federal entities and six state governments. We used our risk assessment process to gather information and identify vulnerabilities in the data exchange process. We then assessed outside entities that had data exchange agreements in place to determine their current data access method, whether they maintained secure systems consistent with SSA's systems security policies, and whether any unauthorized use or inappropriate disclosures had occurred. We also validated how SSA information was used and viewed. Booz Allen conducted certification and compliance assessments; monitored outside entities approved for online and/or batch access to SSA information; and identified the risks and vulnerabilities of the formats in which data was electronically exchanged with outside entities.

Department of Health and Human Services Support

To mitigate risks resulting from an increase in cyber threats and to comply with federal legislation, HHS hired Booz Allen in June 2003 to develop an enterprise-wide IT security program.
Booz Allen developed Secure One HHS to meet federal legislation and to raise the baseline HHS information security and privacy posture across all HHS Operating Divisions (OPDIVs), while reducing the reporting burden of complying with federal mandates. Booz Allen continues to provide HHS with essential security and privacy services to:
- Enable the agency to maintain compliance with federal mandates
- Provide mission-critical services
- Maintain the public's trust and confidence in the quality of HHS services and business operations

Booz Allen has supported the Chief Information Security Officer in leading the HIE workgroup to develop guidance for federal agencies on securing health data exchanged with private-sector healthcare organizations. Workgroup support entailed all aspects of project planning; research; analysis; authoring guidance documents; and gathering input from privacy and security officers in all HHS OPDIVs, the US Department of Veterans Affairs, and the US Military Health System.

National Institute of Standards and Technology Support

Booz Allen has an ongoing partnership with NIST to develop high-quality, time-sensitive, and accurate information security guidance publications and materials that reflect the requirements of the latest Federal Information Security Management Act (FISMA) laws and regulations. As such, we are an integral member of the FISMA Implementation Project. Active participation in the development of Federal Information Processing Standard (FIPS) 199, several NIST Special Publications, and SP 800-53A provides Booz Allen with unique insight and institutional knowledge in the practical application of NIST standards and guidance, ensuring that FISMA compliance mandates are achieved for federal agency clients. Booz Allen also serves as trusted advisor to, and is a key member of, the quality assurance team that participates in the quality-control review processes ensuring that FIPS and SP publications under the FISMA implementation guidance are consistent in content, technical accuracy, and cohesiveness. Booz Allen recently participated as a key member of the NIST SP 800-53A Assessment Case Project, an interagency workgroup consisting of NIST; the departments of Justice, Energy, and Transportation; and the intelligence community. The workgroup developed exemplary assessment cases that serve as recommended, comprehensive guidance to assist organizations and their assessors in developing control assessment plans that augment the high-level assessment procedures found in SP 800-53A. We have also been involved in collaborative workgroup sessions to develop the Revision 3 update of the control catalogue, the risk management framework, and the new program-level management controls.

About the Authors

Gregory J. Brill is a Principal on the Booz Allen Assurance and Resilience team who leads the certification and compliance business at Booz Allen. Mr. Brill has established and modernized the IRS Data Exchange Program (Safeguards). He has also implemented an agency-wide Certification and Accreditation (C&A) program for the IRS to safeguard sensitive but unclassified data in accordance with the Internal Revenue Code, and has experience leading large audit teams in support of Government Accountability Office (GAO) and Inspector General financial statement audits.

Khurram Chaudry is a Senior Associate on Booz Allen's Assurance and Resilience team, with 10 years of professional experience in information assurance. He played a key role in modernizing the IRS Data Exchange Program (Safeguards) and in helping the IRS meet its C&A goals for FISMA compliance. Mr. Chaudry has spoken at the Federation of Tax Administrators (FTA) on safeguarding federal tax information when sharing it with external entities.

Acknowledgements: We would like to recognize the following Booz Allen staff for their invaluable input: Eric Hodge, Alice Goguen, Laurie Graffo, and Kimberly Figel.

Contact Information:
Greg Brill, Principal, brill_gregory@bah.com
Khurram Chaudry, Senior Associate, chaudry_khurram@bah.com

About Booz Allen

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for 95 years. Every day, government agencies, institutions, corporations, and infrastructure organizations rely on the firm's expertise and objectivity, and on the combined capabilities and dedication of our exceptional people, to find solutions and seize opportunities. We combine a consultant's problem-solving orientation with deep technical knowledge and strong execution to help clients achieve success in their most critical missions. Providing a broad range of services in strategy, operations, organization and change, information technology, systems engineering, and program management, Booz Allen is committed to delivering results that endure.

With 20,000 people and $4 billion in annual revenue, Booz Allen is continually recognized for its quality work and corporate culture. In 2009, for the fifth consecutive year, Fortune magazine named Booz Allen one of The 100 Best Companies to Work For, and Working Mother magazine has ranked the firm among its 100 Best Companies for Working Mothers annually. To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit the Booz Allen website.

Principal Offices

Alabama: Huntsville. California: Los Angeles, San Diego, San Francisco. Colorado: Colorado Springs, Denver. Florida: Pensacola, Sarasota, Tampa. Georgia: Atlanta. Hawaii: Honolulu. Illinois: O'Fallon. Kansas: Leavenworth. Maryland: Aberdeen, Annapolis Junction, Lexington Park, Linthicum, Rockville. Michigan: Troy. Nebraska: Omaha. New Jersey: Eatontown. New York: Rome. Ohio: Dayton. Pennsylvania: Philadelphia. South Carolina: Charleston. Texas: Houston, San Antonio. Virginia: Arlington, Chantilly, Falls Church, Herndon, McLean, Norfolk, Stafford. Washington, DC.

The most complete, recent list of offices and their addresses and telephone numbers can be found on the Booz Allen website by clicking the Offices link under About Booz Allen.

Booz Allen Hamilton Inc. BA9-128 IFDE WP


More information

How To Reduce Greenhouse Gas Emissions Through A Regional Performance Based Framework

How To Reduce Greenhouse Gas Emissions Through A Regional Performance Based Framework Miles to Go Before They're Green Reducing Surface Transportation Greenhouse Gas Emissions Through a Regional Performance-Based Framework by Gary Rahl Rahl_Gary@bah.com David Erne Erne_David@bah.com Victoria

More information

by Christopher P. Bell bell_christopher_p@bah.com Elizabeth Conjar conjar_elizabeth@bah.com

by Christopher P. Bell bell_christopher_p@bah.com Elizabeth Conjar conjar_elizabeth@bah.com Organizational Network Analysis Improving Intelligence and Information Sharing Capability among Homeland Security and Emergency Management Stakeholders by Christopher P. Bell bell_christopher_p@bah.com

More information

Ascent to the Cloud. Four Focus Areas for a Successful Enterprise Migration. by Michael Farber farber_michael@bah.com

Ascent to the Cloud. Four Focus Areas for a Successful Enterprise Migration. by Michael Farber farber_michael@bah.com Ascent to the Cloud Four Focus Areas for a Successful Enterprise Migration by Michael Farber farber_michael@bah.com Kevin Winter winter_kevin@bah.com Munjeet Singh singh_munjeet@bah.com Ascent to the

More information

Engaging Mobility in the Oil and Gas Sector

Engaging Mobility in the Oil and Gas Sector Engaging Mobility in the Oil and Gas Sector Engaging Mobility in the Oil and Gas Sector To open a dialogue about the impact of rapid mobile adoption in the energy industry, Booz Allen Hamilton, Bitzer

More information

Meeting the Challenges of the Modern CIO

Meeting the Challenges of the Modern CIO Meeting the Challenges of the Modern CIO by Darrin London, PMP london_darrin@bah.com Daniel E. Williams, PMP williams_daniel_2@bah.com Table of Contents Introduction...1 Challenges Faced by the Modern

More information

Realizing the Promise of Health Information Exchange

Realizing the Promise of Health Information Exchange Realizing the Promise of Health Information Exchange by Timathie Leslie Leslie_Timathie@bah.com Realizing the Promise of Health Information Exchange Health information exchange (HIE) the electronic movement

More information

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013 State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council

More information

Fiscal Year 2007 Federal Information Security Management Act Report

Fiscal Year 2007 Federal Information Security Management Act Report OFFICE OF INSPECTOR GENERAL Special Report Catalyst for Improving the Environment Fiscal Year 2007 Federal Information Security Management Act Report Status of EPA s Computer Security Program Report No.

More information

Managing Risk in Global ICT Supply Chains

Managing Risk in Global ICT Supply Chains Managing Risk in Global ICT Supply Chains Best Practices and Standards for Acquiring ICT Ready for what s next. Managing Risk in Global ICT Supply Chains Emerging best practices and standards can significantly

More information

Integrating IT Service Management Practices into the Defense Acquisition Lifecycle

Integrating IT Service Management Practices into the Defense Acquisition Lifecycle Integrating IT Service Management Practices into the Defense Acquisition Lifecycle by Francis Arambulo arambulo_francis@bah.com Michael Thompson thompson_michael_p@bah.com Table of Contents Introduction...1

More information

Next-Generation Governance Enhanced Decisionmaking Through a Mission-Focused, Data-Driven Approach

Next-Generation Governance Enhanced Decisionmaking Through a Mission-Focused, Data-Driven Approach Next-Generation Governance Enhanced Decisionmaking Through a Mission-Focused, Data-Driven Approach April 2011 A white paper prepared by Booz Allen Hamilton: Center of Excellence for Strategic Technology

More information

Information Security for Managers

Information Security for Managers Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize

More information

Realizing the Promise of Health Information Exchange

Realizing the Promise of Health Information Exchange Realizing the Promise of Health Information Exchange Realizing the Promise of Health Information Exchange Health information exchange (HIE) the electronic movement of health-related information among organizations

More information

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Roberta Stempfley Acting Assistant Secretary for Cybersecurity and Communications

More information

Management Spans and Layers. Streamlining the Out-of-Shape Organization

Management Spans and Layers. Streamlining the Out-of-Shape Organization Management Spans and Layers Streamlining the Out-of-Shape Organization Originally published as: Management Spans and Layers: Streamlining the Out-of-Shape Organization, by Ian Buchanan, Jong Hyun Chang,

More information

NASA OFFICE OF INSPECTOR GENERAL

NASA OFFICE OF INSPECTOR GENERAL NASA OFFICE OF INSPECTOR GENERAL OFFICE OF AUDITS SUITE 8U71, 300 E ST SW WASHINGTON, D.C. 20546-0001 April 14, 2016 TO: SUBJECT: Renee P. Wynn Chief Information Officer Final Memorandum, Review of NASA

More information

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 Audit Report The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 A-14-13-13086 November 2013 MEMORANDUM Date: November 26,

More information

IBM Internet Security Systems October 2007. FISMA Compliance A Holistic Approach to FISMA and Information Security

IBM Internet Security Systems October 2007. FISMA Compliance A Holistic Approach to FISMA and Information Security IBM Internet Security Systems October 2007 FISMA Compliance A Holistic Approach to FISMA and Information Security Page 1 Contents 1 Executive Summary 1 FISMA Overview 3 Agency Challenges 4 The IBM ISS

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Treasury Inspector General for Tax Administration Federal Information Security Management Act Report October 27, 2009 Reference Number: 2010-20-004 This

More information

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity Cyber ROI A practical approach to quantifying the financial benefits of cybersecurity Cyber Investment Challenges In 2015, global cybersecurity spending is expected to reach an all-time high of $76.9

More information

Cyber Solutions Handbook

Cyber Solutions Handbook Cyber Solutions Handbook Making Sense of Standards and Frameworks by Matthew Doan doan_matthew@bah.com Ian Bramson bramson_ian@bah.com Laura Eise eise_laura@bah.com Cyber Solutions Handbook Making Sense

More information

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial

More information

Integrated Risk Management. Balancing Risk and Budget

Integrated Risk Management. Balancing Risk and Budget Integrated Risk Management The Current Risk Landscape Organizations which depend upon information systems are challenged by serious threats that can exploit both known and unknown vulnerabilities in systems.

More information

Pulling Up Your SOX. Companies Can Gain from Compliance with U.S. Governance Act. Lisa Fabish fabish_lisa@bah.com. Stuart Groves groves_stuart@bah.

Pulling Up Your SOX. Companies Can Gain from Compliance with U.S. Governance Act. Lisa Fabish fabish_lisa@bah.com. Stuart Groves groves_stuart@bah. by Lisa Fabish fabish_lisa@bah.com Stuart Groves groves_stuart@bah.com Robert Oushoorn oushoorn_robert@bah.com Otto Waterlander waterlander_otto@bah.com Pulling Up Your SOX Companies Can Gain from Compliance

More information

Think Outside Your ERP Mission-Focused Inventory Strategies

Think Outside Your ERP Mission-Focused Inventory Strategies Think Outside Your ERP Mission-Focused Inventory Strategies by Ray Haeme haeme_ray@bah.com Margo Cohen cohen_margo@bah.com Eric Michlowitz michlowitz_eric@bah.com Think Outside Your ERP Mission-Focused

More information

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including

More information

Office of Audits and Evaluations Report No. AUD-13-007. The FDIC s Controls over Business Unit- Led Application Development Activities

Office of Audits and Evaluations Report No. AUD-13-007. The FDIC s Controls over Business Unit- Led Application Development Activities Office of Audits and Evaluations Report No. AUD-13-007 The FDIC s Controls over Business Unit- Led Application Development Activities September 2013 Executive Summary The FDIC s Controls over Business

More information

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January 2016. kpmg.com

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January 2016. kpmg.com Access is power Access management may be an untapped element in a hospital s cybersecurity plan January 2016 kpmg.com Introduction Patient data is a valuable asset. Having timely access is critical for

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND

More information

How To Check If Nasa Can Protect Itself From Hackers

How To Check If Nasa Can Protect Itself From Hackers SEPTEMBER 16, 2010 AUDIT REPORT OFFICE OF AUDITS REVIEW OF NASA S MANAGEMENT AND OVERSIGHT OF ITS INFORMATION TECHNOLOGY SECURITY PROGRAM OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration

More information

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education Before the U.S. House Oversight and Government Reform Committee Hearing on Agency Compliance with the Federal Information

More information

Middle Class Economics: Cybersecurity Updated August 7, 2015

Middle Class Economics: Cybersecurity Updated August 7, 2015 Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest

More information

Cyberprivacy and Cybersecurity for Health Data

Cyberprivacy and Cybersecurity for Health Data Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies

More information

1 Published on September 14, 2015, and January 6, 2016, respectively.

1 Published on September 14, 2015, and January 6, 2016, respectively. STATEMENT OF BRENT ARRONTE DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS AND EVALUATIONS OFFICE OF INSPECTOR GENERAL DEPARTMENT OF VETERANS AFFAIRS BEFORE THE COMMITTEE ON VETERANS AFFAIRS UNITED STATES

More information

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS Department of Veterans Affairs VA Directive 6004 Washington, DC 20420 Transmittal Sheet September 28, 2009 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS 1. REASON FOR ISSUE: This Directive establishes

More information

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security.

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security. Deputy Chief Financial Officer Peggy Sherry And Chief Information Security Officer Robert West U.S. Department of Homeland Security Testimony Before the Subcommittee on Government Organization, Efficiency

More information

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013 Regulatory Updates Eric M. Wright, CPA, CITP Schneider Downs & Co., Inc. December 5, 2013 Eric M. Wright, CPA, CITP Eric has been involved with Information Technology with Schneider Downs since 1983. He

More information

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)

More information

Data- Centric Enterprise Approach to Risk Management Gregory G. Jackson, Sr. Cyber Analyst Cyber Engineering Division Dynetics Inc.

Data- Centric Enterprise Approach to Risk Management Gregory G. Jackson, Sr. Cyber Analyst Cyber Engineering Division Dynetics Inc. Data- Centric Enterprise Approach to Risk Management Gregory G. Jackson, Sr. Cyber Analyst Cyber Engineering Division Dynetics Inc. May 2012 (Updated) About the Author Gregory G. Jackson is a senior cyber

More information

AUDIT REPORT. The Department of Energy's Management of Cloud Computing Activities

AUDIT REPORT. The Department of Energy's Management of Cloud Computing Activities U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT The Department of Energy's Management of Cloud Computing Activities DOE/IG-0918 September 2014 Department

More information

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU) Privacy Impact Assessment (PIA) for the Cyber Security Assessment and Management (CSAM) Certification & Accreditation (C&A) Web (SBU) Department of Justice Information Technology Security Staff (ITSS)

More information

Security Control Standard

Security Control Standard Department of the Interior Security Control Standard Security Assessment and Authorization January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior,

More information

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Information Technology Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program Report.

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Improvements Are Needed to the Information Security Program March 11, 2008 Reference Number: 2008-20-076 This report has cleared the Treasury Inspector

More information

POSTAL REGULATORY COMMISSION

POSTAL REGULATORY COMMISSION POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1

More information

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009 U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009 ISD-EV-MOA-0002-2009 Contents Acronyms and Other Reference

More information

FedRAMP Standard Contract Language

FedRAMP Standard Contract Language FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal

More information

Embarcadero Technologies, with contributions from Ron Lewis, Senior Security Analyst, CDO Technologies

Embarcadero Technologies, with contributions from Ron Lewis, Senior Security Analyst, CDO Technologies White Paper Ensuring Personally Identifiable Information (PII) Security within U.S. Government Agencies Using Data Management Tools to Ensure FISMA and Privacy Act Compliance Embarcadero Technologies,

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Insufficient Attention Has Been Given to Ensure States August 31, 2007 Reference Number: 2007-20-134 This report has cleared the Treasury Inspector General

More information

Enabling Cloud Analytics with Data-Level Security

Enabling Cloud Analytics with Data-Level Security Enabling Cloud Analytics with Data-Level Security Tapping the Full Value of Big Data and the Cloud by Jason Escaravage escaravage_jason@bah.com Peter Guerra guerra_peter@bah.com Table of Contents Introduction...

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA White Paper Achieving HIPAA Compliance through Security Information Management White Paper / HIPAA Contents Executive Summary... 1 Introduction: Brief Overview of HIPAA... 1 The HIPAA Challenge: Protecting

More information

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL FY 2015 INDEPENDENT EVALUATION OF THE EFFECTIVENESS OF NCUA S INFORMATION SECURITY PROGRAM UNDER THE FEDERAL INFORMATION SECURITY MODERNIZATION

More information

Developing a Business Case for Cloud

Developing a Business Case for Cloud Developing a Business Case for Cloud Analyzing Return on Investment for Cloud Alternatives May Yield Surprising Results by Paul Ingholt ingholt_paul@bah.com Cynthia O Brien o brien_cynthia@bah.com John

More information

Security Control Standard

Security Control Standard Department of the Interior Security Control Standard Program Management April 2011 Version: 1.1 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information

More information

SecurityMetrics Business Associate HIPAA compliance program

SecurityMetrics Business Associate HIPAA compliance program SecurityMetrics Business Associate HIPAA compliance program IS YOUR PHI SAFE? Business associates help your business succeed, but are they a liability? When your BAs are not HIPAA compliant, your business

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement GAO For Release on Delivery Expected at time 1:00 p.m. EDT Thursday, April 19, 2007 United States Government Accountability Office Testimony Before the Subcommittee on Emerging Threats, Cybersecurity,

More information

2015 List of Major Management Challenges for the CFPB

2015 List of Major Management Challenges for the CFPB September 30, 2015 MEMORANDUM TO: FROM: SUBJECT: Richard Cordray Director Consumer Financial Protection Bureau Mark Bialek Inspector General 2015 List of Major Management Challenges for the CFPB We are

More information

Our Commitment to Information Security

Our Commitment to Information Security Our Commitment to Information Security What is HIPPA? Health Insurance Portability and Accountability Act 1996 The HIPAA Privacy regulations require health care providers and organizations, as well as

More information

The Cybersecurity Executive Order

The Cybersecurity Executive Order The Cybersecurity Executive Order Exploiting Emerging Cyber Technologies and Practices for Collaborative Success by Mike McConnell mcconnell_mike@bah.com Sedar Labarre labarre_sedar@bah.com David Sulek

More information

Department of Veterans Affairs VA Handbook 6500. Information Security Program

Department of Veterans Affairs VA Handbook 6500. Information Security Program Department of Veterans Affairs VA Handbook 6500 Washington, DC 20420 Transmittal Sheet September 18, 2007 Information Security Program 1. REASON FOR ISSUE: To provide specific procedures and establish

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 Revision History Update this table every time a new edition of the document is published Date Authored

More information

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies United States Government Accountability Office Report to Congressional Requesters June 2014 INFORMATION SECURITY Additional Oversight Needed to Improve Programs at Small Agencies GAO-14-344 June 2014 INFORMATION

More information

OFFICE OF INSPECTOR GENERAL

OFFICE OF INSPECTOR GENERAL OFFICE OF INSPECTOR GENERAL Audit Report Catalyst for Improving the Environment Evaluation of U.S. Chemical Safety and Hazard Investigation Board s Compliance with the Federal Information Security Management

More information

Tackling the BRAC Mission Continuity Challenge Workforce

Tackling the BRAC Mission Continuity Challenge Workforce Tackling the BRAC Mission Continuity Challenge Workforce by Joseph W. Mahaffee mahaffee_ joe@bah.com Dr. William Rowe, Jr. rowe_william_ jr@bah.com Elizabeth Miller miller_elizabeth@bah.com Tackling the

More information

The Economics of Cloud Computing

The Economics of Cloud Computing The Economics of Cloud Computing Addressing the Benefits of Infrastructure in the Cloud by Ted Alford alford_theodore@bah.com Gwen Morton morton_gwen@bah.com The Economics of Cloud Computing Addressing

More information

Report No. D-2009-097 July 30, 2009. Data Migration Strategy and Information Assurance for the Business Enterprise Information Services

Report No. D-2009-097 July 30, 2009. Data Migration Strategy and Information Assurance for the Business Enterprise Information Services Report No. D-2009-097 July 30, 2009 Data Migration Strategy and Information Assurance for the Business Enterprise Information Services Additional Information and Copies To obtain additional copies of this

More information

fs viewpoint www.pwc.com/fsi

fs viewpoint www.pwc.com/fsi fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a

More information

IT-CNP, Inc. Capability Statement

IT-CNP, Inc. Capability Statement Securing America s Infrastructure Security Compliant IT Operations Hosting Cyber Security Information FISMA Cloud Management Hosting Security Compliant IT Logistics Hosting 1 IT-CNP, Inc. is a Government

More information

Federal Bureau of Investigation s Integrity and Compliance Program

Federal Bureau of Investigation s Integrity and Compliance Program Evaluation and Inspection Division Federal Bureau of Investigation s Integrity and Compliance Program November 2011 I-2012-001 EXECUTIVE DIGEST In June 2007, the Federal Bureau of Investigation (FBI) established

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

HITRUST CSF Assurance Program

HITRUST CSF Assurance Program HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information
