by txcwpalpha 2559 days ago
> Anyone think they approved the security of that subcontractor before giving sensitive information to them?

They almost certainly did, actually. FIPS [1] and FISMA [2] are pretty strict requirements for every company contracting with a government agency. IMO it's one of the rare situations where, at least conceptually, the federal government has done something right in terms of security.

Now whether FIPS/FISMA, and the people enforcing it, actually have any teeth or effectiveness is a different topic entirely.

1: https://en.wikipedia.org/wiki/Federal_Information_Processing...

2: https://en.wikipedia.org/wiki/Federal_Information_Security_M...


If Fedramp is like other security certifications, written policies can be used in lieu of actual enforcement.

A policy could be something like:

"Vendor shall not move sensitive data out of CBP's secure network"

So it's pretty much on the honor system. And some new employee at the vendor may not even be aware of all of the policies they are supposed to be following. The vendor is still responsible for that employee's actions, but it can be discovered too late (as in this case, the breach was already made).

But instead of just a written policy (among dozens or hundreds of others) that people are expected to abide by, this could be enforced by limiting the vendor's access to the network. For example, by counting how many records they access, how many bytes of data they download over their connection to the secure network, or not giving them direct access at all and exposing only an API controlled by CBP that gives them access to only the data they require.
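The technical control the comment above sketches (counting records and bytes per vendor connection instead of relying on a written policy), as an added example that is not part of the thread; the log format, vendor names and quota values are constructed assumptions:

```python
"""Volume-based monitoring of a vendor's pulls from a sensitive record store.

Each vendor gets a per-day quota of records and bytes. Log entries that push
a vendor over quota, or that come from a vendor with no registered quota,
are flagged so the data owner sees a bulk pull while it is still happening
rather than after the data has left the network.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample access log: "<date> <vendor> <records> <bytes>"
SAMPLE_LOG = """\
2019-06-01 vendor-a 120 48000
2019-06-01 vendor-a 200 90000
2019-06-01 vendor-b 15 6000
2019-06-02 vendor-a 3000 1500000
2019-06-02 vendor-b 20 8000
2019-06-02 vendor-z 1 100
"""

@dataclass
class Quota:
    max_records: int
    max_bytes: int

@dataclass
class Usage:
    records: int = 0
    nbytes: int = 0

def parse_line(line):
    date, vendor, records, nbytes = line.split()
    return date, vendor, int(records), int(nbytes)

def find_quota_breaches(log_text, quotas):
    """Return (date, vendor, reason) tuples for every log entry that breaches policy.

    A vendor absent from `quotas` is treated as deny-by-default ("unregistered").
    Usage is accumulated per (date, vendor) so gradual pulls are caught too.
    """
    usage = defaultdict(Usage)
    breaches = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, vendor, records, nbytes = parse_line(line)
        if vendor not in quotas:
            breaches.append((date, vendor, "unregistered"))
            continue
        q, u = quotas[vendor], usage[(date, vendor)]
        u.records += records
        u.nbytes += nbytes
        if u.records > q.max_records:
            breaches.append((date, vendor, "records"))
        if u.nbytes > q.max_bytes:
            breaches.append((date, vendor, "bytes"))
    return breaches
```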

Most of these are so-called "paper security", while some real technical vulnerabilities can effectively crash all these fictional barriers.