Federal agencies face a variety of sophisticated cybersecurity threats from enemies with advanced tools at their disposal, such as nation-states and organized cybercriminals. 

The magnitude of these threats demands that agencies take a proactive and strategic approach to protecting systems and data. Rather than simply building controls and assuming that they will be sufficient to repel attackers, agencies must move away from a purely preventive approach and toward one that assumes that some attacks will be successful. This strategy involves shifting resources to cybersecurity incident detection and response strategies designed to identify potential intrusions and react to them promptly in an effort to contain the damage and quickly restore secure operations. 

Agencies seeking guidance on cybersecurity strategy have a variety of resources at their disposal. While all these resources are useful, some may be mandatory depending on the nature of the agency’s activities and its position within the federal government. Agency technology leaders and cybersecurity professionals should familiarize themselves with the wide array of federal guidance on the issue and consider the many strategic resources available to them as they prioritize and evaluate risks and implement security controls.

The National Institute of Standards and Technology is a major provider of cybersecurity resources to federal agencies. In fact, NIST guidance is so widely respected that it is frequently cited and adopted in the private sector as well. The cornerstone of this work is the NIST Risk Management Framework, which provides a model for integrating cybersecurity activities into the routine management activities of federal agencies. The document provides a high-level framework for these activities while referencing other NIST special publications that provide additional implementation details. NIST also offers valuable guidance in Special Publication 800-53, a catalog of security and privacy controls that agencies can implement to protect their systems.

The NIST Risk Management Framework includes seven core steps that agencies may use to implement their own cybersecurity risk management programs: 

• Prepare the risk management process.
• Categorize systems and the information that they store, process and transmit based on an impact analysis.
• Select security controls appropriate to the system’s categorization.
• Implement those controls and document their deployment.
• Assess the effectiveness of those controls.
• Authorize system operation when risk is acceptable.
• Monitor controls on an ongoing basis.

While the framework applies to all federal agencies, many larger agencies issue additional guidance designed to meet their mission-specific cybersecurity requirements. For example, the Department of Defense issues detailed Secure Technical Implementation Guides (STIGs) that provide detailed requirements for the secure configuration of specific technologies. The DOD issues STIGs covering operating systems, applications, security solutions and other technology platforms. The Defense Information Systems Agency also certifies the cybersecurity status of commercial products and publishes an approved products list for its customers. The U.S. Army operates the Army Networthiness Program, which issues certifications to vendors seeking to provide products for use on Army networks. All these different standards and requirements introduce new control obligations that military cybersecurity and technology leaders must understand.

Federal agencies also must comply with standards designed to combat the insider threat. Executive Order 13587, issued by President Barack Obama in 2011, requires that agencies operating classified systems implement an insider threat detection and prevention program. It also established an interagency National Insider Threat Task Force charged with coordinating a governmentwide response to the insider threat.

The NITTF developed an Insider Threat Program Maturity Framework (PDF) designed to assist agencies in assessing the effectiveness of their own insider threat programs using six categories of insider threat control mechanisms:

1. Senior Official/Insider Threat Program Leadership
2. Program Personnel
3. Employee Training and Awareness
4. Access to Information
5. Monitoring User Activity
6. Information Integration, Analysis and Response

Each category in the maturity framework consists of specific maturity elements (MEs) that provide additional detail. For example, the Monitoring User Activity category contains three MEs:

• ME11: Establish user activity monitoring on all U.S. government endpoints/devices and government-owned IT resources connected to government computer networks accessible by cleared personnel.
• ME12: Ensure UAM requirements are incorporated into IT planning, design and accreditation processes.
• ME13: Establish capability to monitor the activity and conduct independent audits of Insider Threat Program personnel with access to insider threat information and tools.

Agencies will find the maturity framework a useful guide as they work to assess the effectiveness of their own insider threat controls.