FEMA working to clarify cyber controls

Only then can the agency use automation for compliance, according to its CTO.
(Getty Images)

The Federal Emergency Management Agency’s IT shop is working with others across the Department of Homeland Security to clarify cybersecurity controls so processes can be automated across the department.

By working with other DHS IT organizations, FEMA can get on the same page and automate its compliance,  said Ted Okadachief technology officer at FEMA.

However, compliance with data and privacy controls coming out of agencies like the National Institute of Standards and Technology is challenging because they haven’t kept pace with developments in cloud computing and DevSecOps.

While emerging NIST standards like the Open Security Controls Assessment Language (OSCAL) are diving deeper into Cabinet-level departments’ approaches to compliance, outdated controls remain.


“The common controls in the existing paradigm of client-server, hub-and-spoke computing, which are still with us even with cloud computing, those controls are fast becoming antiquated,” Okada said during an ATARC event Tuesday.

One such control asks whether organizations have a fire extinguisher, and no one would ever ask Microsoft Azure or Amazon Web Services that, he added.

At the same time that FEMA is establishing better cyber metrics, it’s developing application programming interfaces (APIs) that communicate with authorizing engines to generate system security plans and standardize them in open, text-based language for automation.

That way FEMA can store data and compute at the edge, closer to the source of the data, while adopting a zero-trust security posture that assumes breach, Okada said.

Latest Podcasts