Outdated FOIA Software: An Open Door For Cyber Attacks
Cyber-security is a hot topic in federal, state and local government agencies. The year 2019 will be remembered as the cyber-security horror year. With hundreds of security breaches that resulted in significant costs to repair the damage, cyber-security is not just an abstract concept anymore, even for municipal and local government agencies.
Because of resource limitations, cyber-attacks are especially threatening for government agencies. Budget constraints limit their ability to train their staff against social hacking, but even more importantly, these agencies find it costly to modernize their software solutions. Outdated software is the second most common reason for security breaches. Outdated FOIA management software is a perfect example. It’s used by the public and usually integrated with document management systems, making it an easy target for hackers. It’s used by multiple government employees, making it an easy target for social hacking.
Basic statistics of most recent cyber-attacks
Based on the 2018 report of the White House’s Office of Management and Budget (OMB), of 96 investigated agencies, only 25 were declared safe and implementing proper tools, policies and modern FOIA software. The majority, 59 of them, were declared at risk, and 12 were at a high level of risk.
Even without formal reports, in 2019 we witnessed hundreds of ransomware attacks on government agencies and private enterprises. These attacks were predominantly related to personally identifiable information stored on government and enterprise systems. In total, 966 institutions fell victim to the ransomware attacks:
- 764 of these breaches affected healthcare systems
- 113 breaches affected government agency systems
- 89 attacks affected educational institution systems
Wherever there are large quantities of personally identifiable information, there will be a constant interest in penetrating these systems and stealing data.
Looking at the numbers, it seems that ransomware attacks were quite successful in institutions where there are freely accessible form-submission URLs, and there are large amounts of personal data stored at the backend.
The problem seems to be these agencies’ limited interest in cyber security best practices. As the Mississippi Office of State Auditor bluntly puts it, “according to survey results published in a report from the Office of State Auditor Shad White, many state entities are operating like state and federal cyber security laws do not apply to them.”
One way to address the cyber-security issue is to use software from trusted vendors that follow strict regulations and best security practices. Another strategy is using trusted technology integrators who will also train the agency staff to recognize and repel social hacking attempts.
Why ArkCase FOIA is Positioned to Fix Security Requirements
Armedia has been a solutions provider for government and enterprises for almost 20 years. During this time, we have had the opportunity to work with different agencies and provide various solutions using technology providers like Microsoft, Amazon, Alfresco, Ephesoft and OpenText.
While working on modernizing FOIA solutions for government agencies, we’ve found that using open-source software solutions can be a great strategy to get a cost-effective solution that is compliant with government regulations. ArkCase is a comprehensive platform providing case management that we’ve been using for FOIA solutions; it includes a strong set of out-of-the-box capabilities as described below.
Veracode Code Quality
Veracode verification is one of the certifications that software providers need to fulfil to be a good match for government agency needs. Most agencies understand that code security is quite important in decision-making. According to Veracode’s reports, 84% of decision makers are concerned with the security threats that may come with third-party applications. While the functionality and cost of software are important, code security should figure prominently in a Request for Proposal (RFP).
Veracode offers several tiers of code certification. Tier 1 is their standard code verification. Software products that fulfill this tier offer the needed security requirements at a reasonable price.
ArkCase holds the Veracode Standard Verification, which certifies that ArkCase followed proper development procedures to ensure a stable, secure platform for FOIA request processing.
When government agencies update their software with a newer, cloud-based solution, they need to follow certain best practices. The FedRAMP Product Provider certification ensures that software solutions comply with those best practices.
With cloud-based solutions, the platform provider plays a key role in how safe the software is, and how safe its data is. Amazon Web Services (AWS) as a Platform as a Service (PaaS) provider is FedRAMP compliant. This means that software providers using AWS as a PaaS can offer secure and scalable servers to run and store their data.
By using AWS, ArkCase meets the FedRAMP Moderate requirements.
DoD 5015.02 Compliance
The Department of Defense Design Criteria Standard for Electronic Records Management Software Applications, also known as the DoD 5015.02 Standard, defines the parameters of development for secure records management solutions. While this regulation was first defined for military use, since its publication back in 2002, it has become the standard even for non-defense records management applications.
Moderate compliance with the DoD 5015.02 standard is enough for most government agencies. There are more providers that offer moderate compliance. Alfresco is one of those providers. (We’ve covered the DoD Compliance in more detail in a previous blog post “Why Government Agencies Should Care About DoD 5015 Compliant Software.”)
You can learn more about the ArkCase FOIA solution and locate demos and sign up for webinars at the ArkCase website.
The Strong Case for ArkCase FOIA
By using ArkCase FOIA as a modern, cost-effective solution, government agencies can quickly and easily improve security.
ArkCase FOIA comes with hardened security thanks to the technologies used and the Veracode-certified development workflows. Thanks to strategic partnerships with trusted technology providers, ArkCase is also FedRAMP and DoD 5015 compliant.
The Added Benefit of Choosing Armedia as a Solutions Integration Partner
The National Association of State Procurement Officials (NASPO) is an organization that helps state government agencies make informed decisions and pick vendors and service providers that are verified by a reliable source.
Armedia has been a NASPO ValuePoint solutions provider since early 2019. With close to 20 years of field experience, Armedia has been a solutions integrator for government agencies and blue-chip companies worldwide.
By choosing Armedia as a solutions integrator for your FOIA software needs, you leverage the experience and innovation that our team brings to the FOIA software industry. When we deploy a FOIA solution, we make sure that everyone who uses the software is well-trained to use it securely. Our security experts emphasize best practices to ward off social hacking.
For government agencies struggling with cybersecurity, there’s never been a scarier time than today. 2019 saw numerous security breaches that caused enormous material damage, and a loss of confidence of the general population in government agencies. But it has never been easier to mitigate those security holes. With ArkCase FOIA and Armedia as a solutions integrator, government agencies can quickly and cost-effectively gain full compliance with DoD 5015, FedRAMP, Veracode, and NASPO.
If you are looking for a cost-effective, reliable way to solve your organization’s security concerns by updating your FOIA software, we’d love to hear from you in the Comments section below.
Or, if you prefer, feel free to reach out to us. We’d love to have a quick phone call to discuss the subject in more detail.