Cybersecurity and Federal Project Management
In the world of cybersecurity, confidentiality, integrity, and availability form the mantra of every security specialist. These three factors ensure that the data in every information system are kept within the confines of the organization. They ensure that the retrievable data is the same data that was placed in the system and that it is accessible by every authorized individual.
Data is essential in project management and systems engineering to establish baselines, determine work schedules, and communicate with stakeholders and project teams. Most communication is done by email, which has its own unique set of vulnerabilities.
The most substantial vulnerabilities of big data are volume, variety, and velocity. None stands out more than the others. The foundation of making data stronger begins with the ease with which someone can access, change, or use it. For instance, a project manager who stores project data in the cloud may give each project file and folder a unique name. Despite the effort to structure the data, there is a danger that any other project manager with access to the cloud could inadvertently change or delete these folders or files.
How can you secure your data? The National Institute of Standards and Technology (NIST) has an entire set of policies and procedures for big data detailed in the NIST Big Data Interoperability Framework (NBDIF): Volume 4, Security and Privacy. This guidance was provided by the Big Data Working Group (BDWG), a group of federal government and private industry experts formed in 2013 to determine the very nature of big data, to examine how it would affect government and private industry, and to help shape policies, frameworks, and applications.
The importance of project management documentation is clear when reviewing the NBDIF directives for eliminating data vulnerabilities in public service environments. Mitigating vulnerabilities in the project data repository (i.e., charters, management documents, registers, and communication plans with email addresses and phone numbers) should be mandatory for every project. For example, if a project is medical and there are medical devices involved in the data scheme, security for those devices will be required to secure that part of the data function. And, because the vulnerabilities of big data can be numerous, it is vital that project managers become familiar with the NBDIF to understand and execute data protection measures effectively.
In recent years, some of the most complex challenges cybersecurity professionals have faced involve the interoperability, data security, reliability, and performance management of cloud computing. As of FY 2022, contracting personnel assigned to digital services acquisitions over $7 million, or $13 million for acquisitions described in FAR Part 13.500(c), are now required to obtain their Federal Acquisition Certification in Contracting Core-Plus Specialization in Digital Services (FAC-C-DS) before assignment. FAC-C-DS candidates must already be FAC-C Level II or III certified before completing a six-month comprehensive cohort-based Digital IT Acquisition Professional (DITAP) program. This specialized digital service acquisition training should significantly mitigate digital service risks that may otherwise arise at the project level. In addition, Management Concepts offers several courses that support IT project management.
What can project managers do to protect data?
- Limit access to project data to only the people who need that data
- Ensure that every user has an administrator-governed login and that every system entrance and exit is recorded
- Create backup copies of all project documents and store them separately from the originals
- Establish a standard for the storage and retrieval of all documents (NIST refers to this as “Ethical Design” in the NBDIF and provides standards related to storing, accessing, editing, and retrieving the data)
Project management is difficult enough without having to worry about data security. NIST's guidance gives project managers, and everyone who relies on data, an excellent, thorough standard upon which we all should rely.
Chris Greco, MS, PMP, PMI-ACP, CISSP, CSA+, CTT+, ASEP, is an instructor and subject matter expert for Management Concepts and the owner of GRECTECH. With decades of experience, Chris enjoys teaching data analytics, project management, and systems engineering courses and contributing to curriculum development. Chris holds a Bachelor of Arts degree in sociology from Grove City College, a Master of Science degree in management science from Troy University, and a graduate certificate in applied statistics from Penn State University.