April 25, 2023
How Federal Agencies Can Boost Security Against Threats
Effective approaches such as zero trust can help government IT teams protect data from compromise.
The Federal Cybersecurity Challenge
Much like organizations in the private sector, federal agencies are fending off cyberthreats from all angles: ransomware, credential theft, web application attacks, phishing, spoofing and more. But these agencies also must grapple with numerous challenges unique to government. Among the most vexing: the prospect of attacks from hostile nation-states; the budget constraints of the public sector; the need to comply with government mandates such as the 2021 Executive Order on Improving the Nation’s Cybersecurity; and keeping critical systems available to protect information and systems that may have a direct impact on national security.
“Both state and non-state cyber actors threaten our infrastructure and provide avenues for foreign malign influence threats against our democracy,” warns the Office of the Director of National Intelligence in its 2022 report on the U.S. Intelligence Community’s threat assessment. “Transnational cybercriminals are increasing the number, scale and sophistication of ransomware attacks, fueling a virtual ecosystem that threatens to cause greater disruptions of critical services worldwide.”
The report specifically calls out the threat of cyberattacks from the governments of China, Russia, North Korea and Iran.
Despite the clear risks of cyberattacks, federal agencies often struggle to address cybersecurity concerns as comprehensively as leaders would like. The Government Accountability Office has made more than 4,000 recommendations to federal agencies to address cybersecurity shortcomings, but nearly 900 of these had not been fully implemented as of December 2022. The GAO has designated 134 of these measures as “priority” recommendations, meaning that they warrant heightened attention from heads of key departments and agencies. “Until these shortcomings are addressed … IT systems will be increasingly susceptible to cyberthreats,” GAO notes.
Funding plays a large role in this gap. According to a MeriTalk report, only 14 percent of federal cybersecurity decision-makers say they have all the funding needed to meet the requirements of the 2021 cybersecurity executive order. The agencies that are having the greatest success meeting the order’s requirements are those without funding gaps, those where leaders meet at least once a month to review progress on the requirements and those whose zero-trust efforts are led by their CIO, MeriTalk reports.
To overcome cybersecurity challenges and protect their environments, agencies must adopt solutions, services and strategies that can adapt to evolving threats and technologies.
Federal Cybersecurity Pain Points
Agencies face unique obstacles as they work toward their missions. Many of these issues have evolved in recent years, posing major security challenges.
The prevalence of work from home has made it more challenging to protect federal IT systems. Agencies are combatting this risk by taking steps to better understand human behavior.
Agencies that place resources in public cloud environments must ensure they have visibility into and control over their data, no matter where it resides.
High-profile incidents of domestic espionage garner the biggest headlines, but agencies must also protect their environments against user negligence.
Federal Cybersecurity: By the Numbers
- The percentage of federal cybersecurity leaders who say that mounting to-do lists and fears of suffering the “next headline-grabbing breach” keep them up at night [1]
- The percentage of federal IT and cybersecurity practitioners who say their agency has suffered a cybersecurity incident that resulted in a significant disruption to IT and the agency’s processes in the past several years [2]
- The percentage of federal cybersecurity leaders who say their agencies are focused on implementing or expanding endpoint detection and response capabilities [1]
- The percentage of federal IT and cybersecurity practitioners who cite phishing and social engineering attacks as a top cyber risk, more than any other attack type [2]
Sources: [1] MeriTalk, “The Push and Pull of Federal Cybersecurity,” January 2022; [2] Ponemon Institute, “Cybersecurity Risks in the Federal Government,” June 2021
Key Solutions for Federal Cybersecurity
No single tool or set of solutions can ensure that agencies are able to meet their compliance requirements, secure their environments and implement a zero-trust architecture. Strong governance policies and effective training programs are also essential for ensuring that agencies keep their IT environments safe and meet government security mandates. However, the following technologies are critical components of a comprehensive cybersecurity strategy, and they can help agencies comply with federal guidance on zero trust.
IDENTITY AND ACCESS MANAGEMENT
The disappearance of the physical cybersecurity perimeter has increased the importance of IAM tools. Tools such as multifactor authentication and user behavior analytics can help cybersecurity professionals ensure that only authorized users are able to access sensitive systems.
DATA
Agencies need best-in-class data protection tools to safeguard their data stores. These include least-privilege access controls, end-to-end encryption and event logging. Solutions that can track and classify the movement of data, such as data loss prevention tools, are also important as agencies work to prevent a data breach.
DEVICE
Devices must be protected throughout their lifecycle, from before they connect to an agency’s network until their retirement. Agencies must adopt configuration management tools, asset management solutions and endpoint detection and response tools that are capable of detecting and responding to malware.
NETWORK
Protecting the network is at the core of zero trust (and cybersecurity in general). Network segmentation, as well as solutions such as machine learning–based threat protection and Infrastructure as Code security, can help agencies to detect attacks and stop them from spreading across network connections throughout the organization.
APPLICATION AND WORKLOAD
Agencies must protect applications and workloads, including not only their own systems but also commercial applications and cloud software. In addition to securing and managing the application layer itself, agencies should implement solutions to secure containers, which handle valuable government data and provide secure application delivery.
VISIBILITY AND ANALYTICS
Network visibility and analytics solutions give agencies the information they need to ensure that their environments meet the criteria for zero-trust architecture. This is a broad category that includes device visibility, threat intelligence, security information and event management (SIEM), and continuous diagnostics and mitigation systems.
ORCHESTRATION AND AUTOMATION
Advanced solutions can automate security and network operational processes across a zero-trust architecture by orchestrating functions among security systems. Orchestration and automation tools include solutions that administer, enforce and manage security policies to enable effective governance of agency data.
BACKUP AND RECOVERY
There’s no such thing as a completely secure IT environment. Agencies need solutions and processes to recover quickly after an attack, including air-gapped backups and secondary communication tools. These tools can help agencies recover quickly in the event of a compromise and are especially important for mitigating ransomware attacks.
CDW can help your agency deploy effective tools and policies to keep government data safe.
5 Pillars of Zero-Trust Maturity
The Cybersecurity and Infrastructure Security Agency (CISA) identifies these five pillars in its Zero Trust Maturity Model:
IDENTITY: In an optimal zero-trust environment, an agency will continuously validate the identity of users rather than validating only when access is initially granted.
DEVICE: Agencies should inventory and secure all devices and prevent unauthorized devices from accessing resources. Device security should be applied to any hardware asset that can connect to a network.
NETWORK: Agencies should implement a number of network security best practices, including network segmentation, threat protection, encryption, visibility, and automation and orchestration.
APPLICATION WORKLOAD: In an optimal zero-trust environment, an agency will integrate application security testing throughout development and deployment processes, with regular, ongoing application testing.
DATA: Agencies should encrypt data at rest, continuously inventory data with robust tagging and tracking, log and analyze all access events for suspicious behaviors and automatically enforce data protections.
Services to Support Federal Cybersecurity
The demand for IT professionals — and especially those with cybersecurity expertise — is extremely high, creating a talent shortage for many federal agencies. To close this gap, agencies often engage with trusted third-party partners for as-a-service IT delivery. Certain requirements, such as compliance with the Federal Risk and Authorization Management Program, or FedRAMP, may restrict which types of services agencies can use.
An outside set of eyes — whether in the form of zero-trust maturity assessments, penetration testing or web application testing — can provide valuable, objective information that helps agencies identify and shore up gaps in their attack surface. These engagements can also help to jump-start emerging initiatives. For instance, leaders are sometimes unsure where to start with their efforts to implement zero-trust requirements. During a thorough zero-trust maturity assessment, a partner will evaluate the agency’s existing tools and practices and help it come up with a plan for what to prioritize first.
Services such as identity, credential and access management and privileged access management can help agencies reduce risk by ensuring that only authorized users can access sensitive systems and data. According to the National Institute of Standards and Technology, the need for ICAM is driven by increased use of cloud software, a dramatic rise in the number of credentials managed by agencies and the continued need for information sharing. For agencies whose staff lack the time or experience to implement ICAM and PAM solutions, managed services can limit the number of users with access to administrative functions.
A robust cybersecurity posture depends on several critical infrastructure components, including firewalls, SIEM solutions, and network and behavioral analytics tools. However, these tools are only as effective as the people who implement and manage them. Depending on their internal capacity, IT leaders may lean on partners for help configuring, managing and monitoring these solutions to best meet the needs of an agency over time. For instance, monitoring tools frequently need to be adjusted so they do not produce an excessive number of false alarms, which can lead to alert fatigue.
Employee training and staff augmentation services help organizations across industries to meet their cybersecurity goals and enhance their security posture. However, third parties that serve federal agencies must meet additional requirements beyond what they may face in the private sector. All training, of course, needs to be tailored to the goals and compliance considerations of federal agencies. Also, service providers offering staff augmentation must be able to accommodate security clearances before they are able to help agencies manage large-scale projects and complex programs.
According to federal cybersecurity decision-makers, the 2021 Executive Order on Improving the Nation’s Cybersecurity had widespread effects after its first year:
- The percentage of federal cybersecurity decision-makers who say the executive order has increased cybersecurity prioritization among IT management and staff
- The percentage who say it has increased the amount of cybersecurity data collected by their agency
- The percentage who say it has expedited the implementation of cybersecurity best practices
- The percentage of federal cybersecurity decision-makers who say the executive order has added time-consuming proof-of-compliance requirements
- The percentage who say it has taken IT staff away from other projects
- The percentage who say it has created confusion about competing priorities
Source: MeriTalk, “Impact Assessment: Cyber EO Year One,” May 2022
Strategies and Outcomes for Federal Cybersecurity
Ultimately, the goal of federal cybersecurity efforts is not to roll out specific solutions or services, but rather to ensure that agencies have the capabilities necessary to prevent, detect and respond to ever-evolving cyberthreats. Here are some of the most important outcomes that federal cybersecurity leaders are pursuing:
ZERO TRUST
The 2021 Executive Order on Improving the Nation’s Cybersecurity specifically directs agencies to move toward a zero-trust architecture. Government agencies actually lead industry in zero-trust adoption, according to Okta, with 72 percent of government organizations already pursuing a zero-trust initiative, compared with 55 percent of companies worldwide. Zero trust is important even for (and maybe especially for) agencies with heavy investments in more traditional cybersecurity measures. Navy CISO Christopher Cleary has noted that the physical cybersecurity perimeter has largely disappeared. “The workforce is getting more distributed,” Cleary told FedTech magazine. “It’s getting more challenging to keep everybody behind the castle walls.”
ENDPOINT DETECTION AND RESPONSE
The 2021 executive order also directs the federal government to adopt robust endpoint detection and response (EDR) solutions. A memorandum from the Office of Management and Budget lays out the following objectives:
- Improved agency capabilities for early detection, response and remediation of cybersecurity incidents on their networks, using advanced technologies and leading practices
- Enterprise-level visibility across agency components to better detect and understand threat activity
- Governmentwide visibility through a centrally located EDR initiative to support host-level visibility, attribution and response across federal information systems
NETWORK VISIBILITY
No cybersecurity tool is 100 percent effective in preventing intrusions, and network visibility is the next line of defense after attacks make their way into an environment. In fact, some federal officials blamed a lack of network visibility for the difficulties agencies had in identifying and responding to the SolarWinds attack in 2020. Chris Butera, senior technical director for cybersecurity for the Cybersecurity and Infrastructure Security Agency, told FedTech magazine that a mix of solutions such as intrusion detection, SIEM and vulnerability scanning tools can help agencies establish a baseline for normal network activity. “Getting a holistic picture of activity on the wire and at the endpoint is needed to paint that realistic picture of what is happening across your network,” he said.
INVESTIGATION AND REMEDIATION
An August 2021 memorandum from the Office of Management and Budget spells out the importance of investigation and remediation capabilities. The average dwell time (the length of time that cybercriminals spend in an IT environment before they are detected) has actually dropped slightly in recent years, but it is still around three weeks. That’s plenty of time to create serious problems. OMB details steps that organizations should take for activities such as logging, consistent timestamp formatting and security event forwarding to promote investigation and remediation capabilities. “To ensure data integrity, logging facilities and log information must be protected by cryptographic methods from tampering and unauthorized access,” the agency notes.
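To make the logging requirements above concrete, here is an added example (not code from CDW, OMB or the memorandum) of a tamper-evident event log: every record carries a consistent UTC timestamp and an HMAC chained to the previous record's tag, so verification pinpoints an edited, deleted or reordered record. The key, the event fields and the sample events are constructed for the illustration.

```python
"""Tamper-evident event log: every record is authenticated with an HMAC that
also covers the previous record's tag, so editing, deleting or reordering a
record breaks the chain when the log is verified."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical key for the illustration; in production it lives in an HSM or
# KMS, never in source.
LOG_KEY = b"example-log-integrity-key-do-not-use"
GENESIS_TAG = "0" * 64  # chain anchor for the first record


def utc_timestamp() -> str:
    """One consistent format for every source: UTC, ISO 8601, millisecond precision."""
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds")


def _sign(record: dict, key: bytes) -> str:
    # Canonical JSON so the signer and the verifier hash identical bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append_event(chain: list, event: dict, key: bytes = LOG_KEY, ts: str = "") -> dict:
    """Append an event as a record chained to the previous record's tag."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    record = {"seq": len(chain), "ts": ts or utc_timestamp(), "prev": prev_tag, "event": event}
    record["tag"] = _sign(record, key)
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes = LOG_KEY) -> tuple:
    """Return (ok, index): index is the first bad record, or len(chain) if all verify."""
    prev_tag = GENESIS_TAG
    for i, record in enumerate(chain):
        unsigned = {k: v for k, v in record.items() if k != "tag"}
        expected = _sign(unsigned, key)
        if (record.get("seq") != i or record.get("prev") != prev_tag
                or not hmac.compare_digest(expected, record.get("tag", ""))):
            return False, i
        prev_tag = record["tag"]
    return True, len(chain)


def demo() -> tuple:
    """Constructed sample events from three sources, then a silent edit of record 1."""
    chain = []
    append_event(chain, {"src": "idp", "user": "alice", "action": "login", "result": "success"})
    append_event(chain, {"src": "edr", "host": "ws-017", "action": "process", "result": "blocked"})
    append_event(chain, {"src": "fw", "host": "ws-017", "action": "egress", "result": "denied"})
    intact, _ = verify_chain(chain)
    chain[1]["event"]["result"] = "allowed"  # tampering after the fact
    still_ok, bad_index = verify_chain(chain)
    return intact, still_ok, bad_index  # -> (True, False, 1)
```

Forwarding each record to a separate collector as it is written gives the verifier an independent copy of the tags, so a host that is compromised later cannot rewrite its own history unnoticed.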
Key CDW Services
In addition to broad offerings and deep expertise in areas such as the cloud, data center and digital velocity, CDW offers these cybersecurity engagements to help agencies protect their IT environments.
Penetration testing: A comprehensive penetration test allows IT leaders to better evaluate the security of their networks, applications and cloud environments.
Purple team and red team exercises: By simulating real-world attack scenarios with an objective third-party partner, agencies can evaluate the effectiveness of their existing cybersecurity tools and practices.
Zero-trust maturity assessment: This four-week engagement measures an organization’s IT environment against CISA’s Zero Trust Maturity Model. CDW experts and organizational leaders work together to develop a roadmap that drives the organization’s zero-trust strategy and prioritizes cybersecurity projects. The assessment also considers future goals and practices to ensure the recommendations have long-term viability and value.
Residency services: Hiring IT professionals is a challenge for every organization, especially in cybersecurity. CDW residency services bring qualified, talented personnel to an agency’s IT operations for open-ended, onsite engagements. This service offers skills that your team may not have, including engineers and solution architects with expertise in a wide range of technologies.
Story by Sebastian Szykier, who leads the CDW•G Federal Cybersecurity Practice. He has spent the past 20 years making cybersecurity simpler for public sector organizations.