Colin Whitlatch admits the construction phase remains the most vulnerable period in any asset’s lifetime. That’s where the FedRAMP program fits in.
FedRAMP, a federal government program, delivers best-practice security protocols implemented by cloud services providers on federal government projects. Whitlatch, chief technology officer of Kahua, a cloud-based project management information system, said the company recently achieved the FedRAMP-Moderate designation.
Whitlatch added that other vendors that do not hold this authorization will soon not be allowed to host project data for federal agencies. For example, late last year Arizona released its first request for proposals that tasked vendors with StateRAMP compliance.
Texas has also been moving forward with its own version, according to the Texas Department of Information Resources. Those requirements apply to all state agencies, institutions of higher education and public community colleges.
Construction Dive connected with Whitlatch to discuss the FedRAMP program, the process of achieving designations and cybersecurity in the construction industry.
Editor’s note: This interview has been edited for clarity and brevity.
CONSTRUCTION DIVE: How vulnerable is the construction industry?
COLIN WHITLATCH: I’m familiar with the attack vector and what comes through. Once you get involved with the FedRAMP program, they start notifying you of everything that’s out there.
The top targets have been more construction related, or they're infrastructure related. That could apply to things like the power grid. So, infrastructure related and definitely on the construction side. Again, from the government's perspective, there's a ton of risk of what people could pull out of systems such as ours.
What people are after is a lot of schematics because that matters: buildings schematics and CAD drawings. Those are actually something that people can use in ways that, unfortunately, are pretty devastating. Once you know how a building is constructed or the layout of it, you can get through it and a bad actor can take advantage of that. So, yes the attacks are increasing.
What is FedRAMP and how does that help Kahua safeguard its clients?
FedRAMP is a federal program broken down into different levels based upon the sensitivity of the data. The controls you adhere to are all toward making your system safe by default. You'll see that from the device level, things like your router, if something is compromised, it's just going to stop performing whatever its duties are. The system stops, no network traffic. That's the easy version there on the hardware side.
Then there's the software. If there's a security issue or something stops functioning or a system is not doing what it is supposed to, it's just going to stop processing. It starts there with FedRAMP. Things are running against the compiled code, but before it gets pushed out, what's more important or equally important, is analysis. We run our dynamic applications scans, and we attempt to just break in from every single angle. To sum that all up, we do continuous monitoring and evaluation. We're constantly reading those dynamic scans. We're using the various tools that are out there for compliance auditing scans.
What was that four-year process like to achieve the FedRAMP-Moderate designation?
It's broken up into phases. You start with the advisement phase. You're going through advisement to make sure you're going to be compatible with what the controls are, how to design the system and how to build it out so that once you get to assessment, you're able to properly be assessed and authorized.
That took three and a half years, primarily because we worked from the ground up just to make sure that everything was covered. We're not stopping at FedRAMP-Moderate, there are other levels and that's what we're building towards.
Once authorized, you are able to do the work with any government agency. There’s a lot of continuous monitoring that’s part of the program itself. There’s reports you need to build out and you have to look for vulnerabilities in your system. It’s a live, living, breathing thing.
Are there any updates on whether states will make FedRAMP a requirement?
That is something that comes through. FedRAMP is a federal level program, so at the state level it’s going to come through as a state level program.
But we are seeing now more and more state governments saying, “the FedRAMP system is what we would like to see.” They are coming. States are saying because FedRAMP is a federal authorized program, then that covers everything we would like to see from a security standpoint. I will say that it is very important that FedRAMP level controls are in place for any state or local level government.
Are there any other trends you think are important to mention?
Security never stops. Attacks are increasing, those won’t stop. And then the level of sophistication is just going to increase. So, it’s something you always have to be wary of or at least guard against.
FedRAMP will alert you to patterns in the industry. One thing you do with FedRAMP is you have the yearly reassessment. You’re going to go back into your controls to make sure something didn’t happen. We are very pleased with what the government provides, and that’s invaluable. Having an active dialogue with the parties involved just makes for a better system.
And again, we follow all the industry patterns. Other things happen, like [the breach of] SolarWinds, which we’re not vulnerable to, but SolarWinds gets used in quite a few installations. Not ours, but others that are out there, and that’s how some attacks are happening recently.