This repository has been archived by the owner on Mar 3, 2022. It is now read-only.
In the context of demonstrating/attesting to adequate levels of security before entering an arrangement with the government, TIA believes that audit and inspection rights should be limited to reviewing documents demonstrating that a certification or attestation has been made on the front end by the vendor or a third party. Direct inspection of physical facilities, databases, IT systems, and devices by the government is not appropriate.
Heightened complexity occurs where the government is using a shared, multi-tenant cloud environment, where other tenants may have sensitive data or trade secrets and object to government officials being able to inspect the hardware holding that data.
As another example in the post-incident context, in an incident response and sanitization exercise, if a government official happens to misuse a shared multi-tenant cloud service (e.g., by inserting controlled or even classified information), other tenants will object to the government seizing or analyzing physical hardware for sanitization purposes. Per the discussion above, in this scenario, the right to physical inspection is again not reasonable.
TIA urges OMB to limit audit and inspection rights in this section’s context to reviewing documents demonstrating that a certification or attestation has been made on the front end by the vendor or a third party, and not to include direct inspection of physical facilities.