Security

The National Cybersecurity Strategy Requires More Thoughtful Spending from Agencies

Managed security services are an affordable way to comply with evolving federal requirements.

Adam Stone writes on technology trends from Annapolis, Md., with a focus on government IT, military and first-responder technologies.

Federal agencies received a new round of marching orders this summer regarding the shoring up of their cybersecurity defenses.

The Office of Management and Budget released a June memo outlining cyber investment priorities to guide agencies’ fiscal 2025 budget submissions. In July, the White House announced its National Cybersecurity Strategy Implementation Plan (NCSIP), which instructs agencies how best to implement the National Cybersecurity Strategy (NCS).

The Biden administration’s approach to securing cyberspace strategy came out in March and emphasizes shifting some of the burden off of agencies and onto industry.

Agencies must be thoughtful about their cyber-related tech investments amid this abundance of guidance.

What Agencies Need to Know About the NCS’ Five Effort Areas

The NCSIP describes five key areas where effort is needed:

Government must act in a coordinated manner to protect critical infrastructure.
The FBI and the Cybersecurity and Infrastructure Security Agency will continue to disrupt the activities of threat actors.
There must be more transparency in the IT supply chain to ensure accountability.
Technical standards will help ensure a resilient future.
International collaboration bolsters cybersecurity.

All this points the way forward for agencies.

Click the banner below to learn how Backup as a Service boosts data protection for your agency.

The NCSIP “is a big step toward establishing how the U.S. intends to approach the resources, responsibilities and requisites for effective nationwide cybersecurity moving forward,” says Todd Moore, vice president of encryption products at Thales Group.

Within the five pillars, “we’re seeing a strong focus on defending critical infrastructure, disrupting cybercriminals, shaping market forces to drive security and resilience, investing in a secure future, and forging international partnerships to elevate the global security ecosystem,” Moore says.

In calling for closer coordination between government and the private sector, the plan “signals accountability for not only federal agencies but also industry doing business with agencies,” says Alice Fakir, lead partner for federal security services at IBM. “That accountability translates into the agency’s ability to better define scope of delivery and engagement with its industry partners.”

LEARN MORE: Agencies moving to digital recordkeeping shouldn’t neglect backup and recovery.

Security Audits and Public-Private Partnerships Are a Start

While the NCSIP isn’t a blueprint for agencies, they can still take a few steps to get moving, Moore says. For starters, agencies can run security audits to evaluate the effectiveness of their existing cyber measures and resources.

“Once they have their baseline, they can work out how to be compliant with the NCSIP and establish new regulations and initiatives to combat threat actors,” Moore says.

Agencies can also look to public-private collaborations to drive these efforts forward, internally and externally.

“Agencies should focus on relationship building within the sectors they regulate,” Moore says.

He points to the recent example of the Federal Energy Regulatory Commission, which incentivized cyber regulations for utility companies by permitting them to charge higher rates until they recoup their investments in the regulations.

Agencies should also deploy tools for web vulnerability to better protect the average user from online threats.”

Todd Moore Vice President of Encryption Products, Thales Group

Finding Tech that Aligns with the Implementation Plan

Agencies have a range of technology solutions and services available to them, including cyber advisory services, as they look to bolster their cyberdefenses in support of the NCSIP.

Emerging cyber tools post-quantum cryptography and artificial intelligence are two key areas of interest, Fakir says.

IBM has worked with the National Institute of Standards and Technology for the past six years to develop PQC algorithm standards that will be announced in 2024.

“Agencies will need to adopt these standards as part of their ongoing IT modernization efforts creating crypto agility, meaning that their systems are designed and developed to allow for updates or changes in cryptographic algorithms,” Fakir says.

Meanwhile, AI offers faster detection of and response to cyber incidents, helping to augment and raise operational capacity in the face of cyber talent shortages.

Paired with automation tools, AI “can make a real difference in an agency’s ability to not only improve cyber resilience but to also increase efficiency and save costs,” Fakir says. “Relying on traditional tools and processes is no longer enough to protect against attackers that are growing more sophisticated and organized by the day.”

DISCOVER: These are the crucial elements of a Software Bill of Materials.

Overall, the NCSIP creates an opportunity for agencies to lean harder into their IT modernization efforts.

“Not enough agencies have moved away from the legacy technologies, which lack the appropriate security measures to protect vulnerable data,” Moore says. “As a first step, these agencies will need to transition to advanced technologies — artificial intelligence, machine learning, crypto agility — in order to stay engaged and aware of the latest efforts and threats over time.”

Agencies must embrace industry-standard protections where they have not yet done so. Tools that support multifactor authentication, encryption, data security, backup and recovery, and cloud security will likely make their way to agencies as implementation ramps up, he adds.

To the extent that the mission demands it, agencies must adapt to technologies such as anti-virus software, penetration testing, network security monitoring and intrusion alerts. Network security will be crucial to international relations.

“Agencies should also deploy tools for web vulnerability to better protect the average user from online threats,” Moore says.

This may be an opportunity to look to outside consultants to help design, orchestrate and manage a comprehensive security strategy.

“Agencies are overwhelmed with the number of security tools that exist in their environment,” Fakir says. “Because all of these are acquired separately, there is no holistic approach to integrate these capabilities and fully operationalize them, and that’s where the biggest security gaps and risks exist.”

Managed security services address this issue by offering agencies best-of-breed approaches that reduce overhead and align capabilities across government. This is especially important because agencies need to budget for cyber upgrades not once but continually.

Federal requirements continue to evolve, as will agency compliance.

“Over time, we can expect new threats, vulnerabilities and technologies,” Moore says.

Igor Kutyaev/Getty Images