Mar 30 2021

4 Pillars for an Effective Agency Cybersecurity Strategy

Zero trust, a more secure supply chain, a cybersecurity framework and certifications can help bolster IT security.

As part of the recently passed American Rescue Plan Act, the Cybersecurity and Infrastructure Security Agency received $650 million to strengthen federal networks, and the Technology Modernization Fund received a $1 billion appropriation.

The plan shows that the Biden administration is taking cybersecurity very seriously, which is a good thing. There are several other initiatives already underway that have a valuable role to play in making networks and the information residing on those networks more secure.

These efforts generally don’t make big headlines, and because each initiative has a different role, they are not usually presented as a coordinated, comprehensive strategy to protect federal networks. Taken together, however, they constitute a forward-thinking, best-practices approach to cybersecurity that every agency would do well to explore and execute.

The four pillars are zero-trust architecture, supply chain security, the National Institute of Standards and Technology’s Cybersecurity Framework, and certifications.

1. Zero-Trust Architecture Enhances Government Security

Zero trust is a security architecture that focuses on protecting resources (assets, services, workflows, networks, etc.), not network segments. Its guiding principles are to never trust and always verify, to assume a breach is going to happen, and to verify explicitly.

Unlike traditional perimeter network defense methods, zero trust assumes that any touchpoint on a network represents an attack vector for a hacker. In a zero-trust model, the network validates all user access requests before granting access to critical assets.

While zero trust doesn’t safeguard networks from every possible attack, it reduces the risk of advanced threats and breaches by thwarting unauthorized lateral movement and access, speeding up threat detection and response, and closing gaps in visibility.
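The principles above (never trust by network location, verify every request explicitly, default to deny, and keep the decision trail needed for detection) can be made concrete with a small policy decision point. The code below is an added example written for this page, not code from the article or from NIST or the NSA; the users, roles, device inventory and resource names are constructed, and the "source_segment" attribute is carried only to show that it never contributes to the decision.

```python
"""Added example: a minimal zero-trust policy decision point (PDP).

Each access request is evaluated on explicit identity, device and
authorization attributes. Being on the "corporate" network segment
grants nothing, and any failed check denies the request. Every
decision is returned as an audit record so a SOC can alert on
denials that indicate lateral-movement attempts.
All names and values here are constructed for illustration.
"""
from dataclasses import dataclass, asdict
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool      # identity was explicitly verified for this session
    device_id: str
    device_compliant: bool  # endpoint posture (patch level, EDR running, etc.)
    source_segment: str     # "corp-lan", "vpn", "internet"; NOT used for trust
    resource: str
    action: str

# Constructed authorization data. In practice these come from the IdP,
# the MDM/EDR inventory and a policy store; here they are inline.
USER_ROLES: Dict[str, Set[str]] = {"alice": {"analyst"}, "bob": {"dba"}}
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("hr-db", "read")},
    "dba": {("hr-db", "read"), ("hr-db", "write")},
}
ENROLLED_DEVICES: Set[str] = {"laptop-01", "laptop-02"}

def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks are explicit and ordered; the
    first failure denies. There is no branch that trusts source_segment."""
    if not req.mfa_verified:
        return False, "identity not verified with MFA"
    if req.device_id not in ENROLLED_DEVICES:
        return False, "device not enrolled"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    roles = USER_ROLES.get(req.user, set())
    if not any((req.resource, req.action) in ROLE_PERMISSIONS.get(r, set())
               for r in roles):
        return False, f"no role grants {req.action} on {req.resource}"
    return True, "all checks passed"

def audit_record(req: Request, allowed: bool, reason: str) -> dict:
    """Flatten the request and decision into one log record. Keeping the
    source segment in the record supports detection even though it
    played no part in the decision."""
    record = asdict(req)
    record["decision"] = "ALLOW" if allowed else "DENY"
    record["reason"] = reason
    return record

def process(requests: List[Request]) -> List[dict]:
    """Evaluate a batch of requests and return their audit records."""
    return [audit_record(r, *evaluate(r)) for r in requests]

def denied(records: List[dict]) -> List[dict]:
    """Filter for the records a detection rule would typically alert on."""
    return [r for r in records if r["decision"] == "DENY"]

if __name__ == "__main__":
    sample = [
        # Valid request from the public internet: allowed on its merits.
        Request("alice", True, "laptop-01", True, "internet", "hr-db", "read"),
        # Same user trying to exceed her role: denied (lateral move blocked).
        Request("alice", True, "laptop-01", True, "internet", "hr-db", "write"),
        # Privileged user on the corporate LAN but without MFA: still denied.
        Request("bob", False, "laptop-02", True, "corp-lan", "hr-db", "write"),
    ]
    for rec in process(sample):
        print(rec["decision"], rec["user"], rec["action"], rec["resource"], "-", rec["reason"])
```

Running the block prints one line per decision; the third request shows that a privileged account on the internal segment is denied exactly as an external one would be when a check fails, which is the behaviour that distinguishes zero trust from perimeter defense.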

Last August, NIST published SP 800-207 to codify zero-trust architecture models. In February, the National Security Agency published “Embracing a Zero Trust Security Model,” which is a common-sense explanation of zero-trust principles, including a zero-trust maturity model to help implementers gauge their adoption efforts.

The joint Defense Information Systems Agency and National Security Agency zero-trust engineering team is producing the Defense Department’s zero-trust reference architecture, which should be published soon, providing guidance to the entire DOD on how to implement zero-trust architectures.

According to a recent survey, zero-trust architecture adoption is on the rise; nearly half of all federal agencies are adopting zero trust and interest is increasing. Former DISA Director Vice Adm. Nancy Norton said in December that the Defense Department is accelerating its shift to zero trust because the increase in telework due to COVID-19 gives adversaries a larger attack surface.

The administration’s TMF funding proposal could be a prime opportunity to speed adoption of zero-trust architectures.


2. A Secure Supply Chain Is More Vital Than Ever

The government relies on ever-expanding legions of vendors and contractors for a variety of functions.

Hackers can infiltrate an agency’s network through an outside party that has access to the agency’s systems and data. This is what happened in the recent cyberattack on IT vendor SolarWinds.

As NIST notes in a blog post, “Vulnerabilities in the cyber supply chain — really a complex network of connections rather than a single strand — involve not only microchips and their internal code, but also the support software for a device and the other companies that have access to its components. Put them all together, and it can be a daunting task to anticipate every systemic weakness that an adversary might exploit.”

It’s critical for federal agencies to have visibility into their supply chain digital interactions and regularly examine them for security vulnerabilities to keep track of all the paths a hacker may exploit. That way, the agencies can better identify exposures and respond quickly if an intrusion occurs. To assist industry, the government in recent years has been providing detailed guidance for evaluating cyber supply chain risk management.

NIST, in an April 2018 update to its Cybersecurity Framework, added a new section about supply chain risk management. NIST followed that up in February, publishing NISTIR 8276, “Key Practices in Cyber Supply Chain Risk Management: Observations from Industry.” This provides guidance to industry on ways to implement cyber supply chain risk management.


3. NIST’s Cybersecurity Framework Remains Critical and Relevant

The NIST Cybersecurity Framework, released in 2014 during the Obama administration and revised in 2018 during the Trump administration, is a set of standards, guidelines and best practices to manage cybersecurity risk.

The framework can be a little hard to digest at first, but it is useful in helping operators of critical infrastructure identify, assess and manage cyber risk, and home in on areas for improvement. Appendix A, table 2 is probably the easiest way to get the gist of the document; it is downloadable as an Excel spreadsheet on the NIST Cybersecurity Framework web page.

Additionally, NIST published SP 800-172, a supplement to SP 800-171 Rev. 2, with recommendations for enhanced security requirements that can help organizations protect high-value assets and information in critical programs.


4. Certifications Provide Stronger Security Assurance

Certifications provide demonstrable security compliance for various products. When the federal government procures products, certification compliance provides a baseline security comfort level.

The government implements three primary certification programs that impact security of IT/network and cloud products and services: the NIST Cryptographic Module Validation Program, the National Information Assurance Partnership (NIAP) Common Criteria protection profiles and the Federal Risk and Authorization Management Program (FedRAMP).

The Cryptographic Module Validation Program validates cryptographic modules, including the algorithm implementations within them, against FIPS 140-2 and 140-3 at different security levels. NIAP Protection Profiles define a series of security functional requirements for various product types (VPN gateways, network devices, firewalls, etc.). FedRAMP offers different levels of security assurance for cloud products and services based on a standardized approach to security assessment, authorization and continuous monitoring.

It takes a lot of time and effort to earn certifications under these programs, but they provide strong levels of assurance to the government that the certified products meet acceptable security implementation levels.

As these four pillars show, many resources exist to improve network security within and in partnership with the federal government. While there are no easy answers to improving U.S. cyber defenses and much more work remains to be done, excellent frameworks exist that agencies and other organizations can leverage for a sound cybersecurity strategy.
