
Prior FCC CDO Calls for Security as Code in All State Compliance

Continuing its focus on user experience and responsive development, California Child Welfare Digital Services hosted an expert on automated security compliance Monday.

“It’s not just about child welfare. That’s our main focus, but we’re also going to share other innovative aspects. We’re trying to get at all the different things that make this project interesting and share them out as innovations and ideas to the rest of the state,” said Project Director Tony Fortenberry.

Monday’s speaker, Greg Elin, the previous chief data officer at the Federal Communications Commission, has since founded GovReady. GovReady is an open source project for developers and coders who want to integrate federal information security management and compliance into project development.

Elin saw security “compliance as a bottleneck for innovation.”

“I came to regard the compliance process as the primary constraint on how fast I was able to do my job and how fast the agency was able to move overall,” Elin said.

Elin’s effort to make “data an asset for daily use” was part of the goal to make compliance easier and more automated by building “compliance into the supply chain and the building process.”

“If compliance is happening at the end, like quality assurance, it's too late,” Elin said.

The current compliance process, outlined in NIST Special Publication 800-53, is a waterfall process in which agencies select which controls to use. This system can take up to 15 months to put in place.

Without automated compliance and trustworthy standards, federal or state programs won’t be able to scale to local jurisdictions or be usable in the era of the Internet of Things, Elin said.

Elin’s suggestions for improving compliance include:

  • Making compliance into code
  • Making security into another set of tests
  • Understanding which components satisfy which controls
  • Borrowing from systems that already comply, such as AWS
  • Maintaining records of test results through the development process
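Elin’s list above, worked as an added example (not GovReady’s code or anything shown in the talk): security checks written as tests, each mapped to the NIST SP 800-53 control it gives evidence for, with every result kept as a record and platform-inherited controls carried with their provenance. The component settings, the inherited-control entry and the check thresholds are constructed assumptions; the control identifiers (SC-8, AU-2, IA-2, PE-3) are real 800-53 controls.

```python
"""Added illustration of compliance as code: each security check is a test mapped
to the NIST SP 800-53 control it evidences, and every result is kept as a record.
Component settings and the inherited control are constructed, not real data."""
from dataclasses import dataclass
# Constructed description of a deployed system, one entry per component.
SYSTEM = {
    "api-server": {"tls_min_version": "1.2", "audit_log_enabled": True},
    "database":   {"tls_min_version": "1.0", "audit_log_enabled": True},
    "admin-ui":   {"password_min_length": 8, "mfa_required": False},
}
# Controls satisfied by the hosting platform; the source is recorded so the
# inheritance claim is itself traceable (assumed entry, not a real provider).
INHERITED = {"PE-3": "hosting provider physical access controls (assumed)"}

@dataclass
class Result:
    control: str    # 800-53 control this check gives evidence for
    component: str
    check: str
    passed: bool
    evidence: str   # the observed value, kept alongside the verdict

def check_tls(name, cfg):
    v = cfg["tls_min_version"]
    ok = tuple(int(x) for x in v.split(".")) >= (1, 2)
    return Result("SC-8", name, "tls_min_version>=1.2", ok, f"tls_min_version={v}")

def check_audit(name, cfg):
    v = cfg["audit_log_enabled"]
    return Result("AU-2", name, "audit_log_enabled", v is True, f"audit_log_enabled={v}")

def check_mfa(name, cfg):
    v = cfg["mfa_required"]
    return Result("IA-2", name, "mfa_required", v is True, f"mfa_required={v}")

# A check applies to a component only when the setting it tests is present.
CHECKS = [("tls_min_version", check_tls), ("audit_log_enabled", check_audit),
          ("mfa_required", check_mfa)]

def run_checks(system=SYSTEM):
    """Run every applicable check on every component; keep all results."""
    return [check(name, cfg) for name, cfg in system.items()
            for key, check in CHECKS if key in cfg]

def control_status(results, inherited=INHERITED):
    """Roll results up per control: one failing check fails the control."""
    status = {c: "inherited: " + src for c, src in inherited.items()}
    for r in results:
        failed = not r.passed or status.get(r.control) == "fail"
        status[r.control] = "fail" if failed else "pass"
    return status
```

The per-check records are what a reviewer would keep through the development process; the roll-up is what a control-by-control compliance report reads from.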

Kayla Nick-Kearney was a staff writer for Techwire from March 2017 through January 2019.