One of Federal agencies’ primary challenges is ensuring that they are properly managing and securing sensitive data, particularly controlled unclassified information (CUI). Even though CUI is unclassified, it requires special handling and safeguarding. The Defense Counterintelligence and Security Agency notes that loss of aggregated CUI is one of the most significant risks to national security.
In a recent MeriTV interview, Keith Brooks of Amazon Web Services (AWS) and Valerie Singer of Splunk sat down with MeriTalk’s Caroline Boyd to talk about CUI and how agencies can best utilize cloud systems with Defense Department Impact Level 5 (IL5) authorization to manage this class of data securely.
Brooks, director of go-to-market for the government region at AWS, observed that to successfully manage CUI, “Federal agencies must ensure that their internal systems, as well as any systems and applications and tools that are provided by third-party vendors or contractors that store and process CUI data, are properly secured to handle that data.” To do this, IT personnel must understand system boundaries, access, data flows, and information custody.
Other challenges with managing CUI include lengthy timeframes for IT procurement and to gain authority to operate cloud systems, as well as large infrastructure requirements, noted Singer, vice president of go-to-market cloud initiatives and strategy at Splunk.
As they work to protect CUI, “I do see agencies really diving deep to understand their data and their system boundaries,” Brooks said. “I can’t stress just how important those things are … to understanding the scope of compliance, particularly with IL5 data.”
DoD-operated clouds and cloud service providers that host higher-sensitivity CUI, mission-critical information, and national security systems information must achieve IL5 authorization. IL5 has an additional set of controls beyond IL4 that deal with the ability to run and assess data and systems in the cloud, Brooks noted.
Utilizing cloud service providers with IL5 authorization to manage CUI can free agency IT team members from system maintenance and patching and ensure their infrastructure is up to date – overcoming many of the personnel and infrastructure challenges that agencies face. “At the hands of secure providers like AWS and software providers like Splunk … the government doesn’t have to do that themselves,” Singer pointed out.
Prioritizing “the solutions and the cloud platforms that address the totality of an organization’s high compliance needs, including things like DoD Impact Level 5 and even FedRAMP High … allows organizations to innovate securely,” Brooks added.
AWS and Splunk have come together to meet those needs, he observed. “As agencies and leading solutions providers turn to solutions like Splunk to index and search and visualize, analyze, and secure their data, they want the capabilities in a cloud environment that meets their high compliance bar,” Brooks said. “Splunk has numerous solutions available on AWS … where our customers turn for their most sensitive and regulated data and workloads to include those that have CUI data.”
To prepare for using a platform with IL5 authorization, Singer recommended that agencies create a visible infrastructure that is accessible, understandable, linked, trustworthy, interoperable, and secure.
“By doing so, they can create platforms upon which they can take in the most innovative and most modern of technology to help them to become more secure,” she said. “They can create the inroads … for talent to … support those environments, and they can have those environments be maintained for much longer periods of time.”
Watch the complete interview.