Across the federal enterprise, agencies face an array of cybersecurity threats. These include the proliferation of Internet of Things devices, legacy systems that must be patched or modernized, email systems that must be hardened against phishing, unmanaged endpoints and more.
In addition to the changing threat landscape, agencies must remain cognizant of existing and emerging compliance requirements that affect how they protect information and technology assets.
Agency business and technology leaders must stay abreast of these requirements and ensure that they can operate in their own evolving technology environment in accordance with all relevant laws and regulations.
At the federal level, President Trump issued Executive Order 13800 in May 2017, directing federal agencies to manage cybersecurity as a risk to the enterprise (using the NIST Cybersecurity Framework) and to begin modernizing their cybersecurity controls immediately. The order singles out known but unmitigated vulnerabilities as among the highest risks agencies face, so agencies subject to it should pay particular attention to systems with known vulnerabilities that remain unpatched.
Policies and Regulations Keep Agencies' Networks and Apps Safe
The Department of Homeland Security’s Trusted Internet Connections program seeks to provide a consistent level of security across agencies by ensuring that each has a secure, trusted path to the internet. The initiative consolidates agencies' external network connections to a manageable number and then applies a common set of security services across those trusted connections.
As FCW reports, earlier this year DHS revealed that it is working on an initiative known as TIC 3.0, which aims to make the TIC more agile as employees increasingly use mobile devices and as legacy applications migrate to the cloud. Mark Bunn, program manager of the Federal Network Resilience Division at DHS, said the “push to refresh TIC is a reaction to the explosion of the popularity of cloud computing as well as the emergence of new cybersecurity programs, like Continuous Diagnostics and Mitigation, that are not accounted for in current policy.”
Recognizing the increasing shift toward cloud services, the federal government also now runs the Federal Risk and Authorization Management Program. FedRAMP provides a consistent process for assessing and authorizing cloud service offerings once for use across federal agencies, so that agencies can reuse a single security assessment package rather than each independently evaluating a vendor's security practices, and it establishes a common baseline of vendor assurance across the federal government.
And the Federal Information Technology Acquisition Reform Act (FITARA), enacted in December 2014, strengthens the authority of federal agency CIOs over IT budgeting and acquisition and pushes agencies toward centralized, portfolio-based management of IT procurement.
Agencies can also look to peers in the federal government for advice on security best practices. The National Institute of Standards and Technology publishes a Cybersecurity Framework (CSF) that provides comprehensive guidance on cybersecurity issues and can form the foundation of any cybersecurity program in the public or private sector. This framework classifies cybersecurity activities into five major functions:
Identify, Protect, Detect, Respond and Recover.
The CSF then breaks each of those five functions into categories and subcategories of desired outcomes, and maps each outcome to informative references such as NIST SP 800-53, ISO/IEC 27001 and COBIT, so that organizations have concrete standards and best practices to follow as they implement and manage each function.
Agencies that adopt a well-defined framework such as the CSF are better positioned to absorb new and evolving cybersecurity requirements, because most new mandates map onto controls and outcomes the framework already covers. By building on a best-practices foundation, agencies can respond to a new requirement by extending an existing program rather than starting over.
Learn how federal agencies can address the growing threats they face in the CDW white paper, “Managing Cyber Risks in a Public Sector Environment.”