Unpacking the President’s Cybersecurity Executive Order How the EO Impacts You and Your Agency
Table of Contents
Executive Summary
At a Glance: Government Cybersecurity Nationwide
The Zero Trust Security Capabilities Your Agency Needs
3 First Steps Towards Adopting Zero Trust
The Cybersecurity Executive Order: Your Questions Answered
What the EO Means for People: Cybersecurity and Workforce Details
3 Reasons to Leverage LiFi at Your Agency
What the EO Means for Processes: Cybersecurity and Workflow Details
How to Create a Zero Trust Security Culture
What the EO Means for Data: Cybersecurity and Information Details
3 Ways to Continuously Progress on Security
What the EO Means for the Cloud: Cybersecurity and the Cloud Details
How to Innovate in Cybersecurity (or Anything Else)
What the EO Means for Zero Trust Cybersecurity: Cybersecurity and Zero Trust Security Posture Details
Simplifying Your Agency’s Cybersecurity in 3 Steps
How CISA is Leading the Way on the Cybersecurity EO
How to Mature Your Agency’s Cybersecurity
How the EO Could Mature State and Local Cybersecurity
How to Climb Your Agency’s Cybersecurity Mountain
EO-Ready Best Practices for Cybersecurity
Securing Your Agency’s Future With Zero Trust Security
Conclusion
A GovLoop Guide
Executive Summary
Like no time before, cybersecurity is a national problem demanding a national response. In 2021 alone, America has suffered massive disruptions to some of its gas pipelines, meatpacking plants and more. Now, constituents nationwide wonder which part of their lives may be disrupted next. Private-sector companies are worried about cyberthreats interrupting their business. Perhaps worst of all, agencies at every level are unsure they can protect sensitive data and serve the public effectively. Across the United States, the time is ripe for a cybersecurity transformation.
Enter America’s most sweeping cybersecurity policy yet. In May 2021, President Joe Biden issued an executive order (EO) aimed at strengthening every part of national cybersecurity. Federal agencies will lead the charge, changing their people, processes and technology in ways that their state and local peers will likely replicate.
Although rank-and-file employees may not feel the impact of these changes immediately or have a direct role in carrying out all the EO’s requirements, there are trickle-down effects. No matter your role or your agency’s mission, the EO pushes for stronger individual and collective cybersecurity overall.
For instance, federal employees will strive to share more information about cybersecurity risks, threat intelligence and mitigation with their public- and private-sector peers. Federal agencies will also try to improve their processes for detecting, preventing, responding to and logging cybersecurity incidents. Lastly, these agencies will modernize their operational and informational technology using tools such as cloud computing, data encryption and zero trust cybersecurity. Collectively, these actions can make any agency more resilient against cyberthreats.
If your agency needs help unpacking the EO and what it means, this guide can help. The best practices, statistics and thought leader interviews we share can quickly align your agency with Biden’s cybersecurity EO. This resource will:
• Explore the latest anecdotes, data, developments and quotes to understand government cybersecurity nationwide
• Analyze the EO’s impact on five key areas: the cloud, data, people, processes and zero trust cybersecurity
• Share insights from major federal, state and local thought leaders that can improve your agency’s cybersecurity
• Provide tips for making your agency’s mission closely fit the cybersecurity EO
The old way of practicing cybersecurity is not working, so agencies should rapidly modernize their cyberdefenses. Here is how the new EO brings government cybersecurity into the future.
At a Glance: Government Cybersecurity Nationwide
7 Cybersecurity Terms to Know
The following terms are vital to understanding today’s public-sector cybersecurity landscape.
1. Advanced persistent threats (APTs): APTs are cyberthreats that allow bad actors to gain unauthorized access to computer networks and then avoid detection for long periods of time using stealth. While typically linked to nation-states, APTs can be any cybercriminals who conduct large-scale intrusions. APTs can cause serious economic, political and national security damage, making them one of today’s biggest cyberthreats.
2. Endpoints: Endpoints are the various devices — such as laptops and mobile phones — that can connect to IT networks. As the number of endpoints increases, cybersecurity becomes more difficult for agencies. Endpoint cybersecurity will only grow more important as remote work’s popularity explodes.
3. Malware: Malware refers to any malicious software that is created for purposely harming computers, networks and IT. Any software that unintentionally damages these technologies is usually called a bug, glitch or vulnerability. Malware also comes in many forms, ranging from computer viruses to ransomware.
4. Phishing: Phishing involves attackers sending fake messages that trick victims into revealing sensitive information or installing malware on their computers. In recent years, cybercriminals have phished using everything from email to social media. Although common, phishing works because it victimizes people by using realistic deceptions.
5. Ransomware: Ransomware threatens to block access to or leak a victim’s sensitive data unless a ransom is paid. Increasingly prevalent, this malware can also upend agencies’ operations. Experts often caution against paying ransomware ransoms, as this money can fund additional cybercrime.
6. Social engineering: Social engineering occurs when cybercriminals psychologically manipulate people into performing actions such as revealing confidential information. At agencies, social engineering can interrupt operations, damage public trust or cost money. Social engineering can come from any hostile source inside or outside an agency.
7. Zero trust: Zero trust is a cybersecurity model designed to automatically distrust every device, user or other entity on an IT network. These entities can access agencies’ resources only after having their identities verified. Zero trust cybersecurity thus covers everything inside and outside a network’s perimeter; this philosophy also helps agencies continuously monitor their IT systems and assets.
Federal Cybersecurity Spending
The Biden administration’s federal budget for fiscal 2022 contained many items suggesting cybersecurity may become a bigger national priority going forward.
$9.8 billion
the projected amount of funding for securing federal civilian networks, protecting national infrastructure and supporting information-sharing efforts. The money would also fund related standards and best practices between the federal government, critical infrastructure partners and American businesses in fiscal 2022.
Source: The White House
$750 million
the projected amount of funding for agencies affected by recent significant cybersecurity incidents to address exigent gaps in their security capabilities in fiscal 2022.
Source: The White House
Federal IT Spending
IT spending relates to cybersecurity as it illustrates the scope of the networks that agencies might have to defend.
$97.1 billion
the projected amount of total federal IT spending in fiscal 2022, up from $92.9 billion in fiscal 2021.
Source: Federal IT Dashboard
$25.6 billion
the projected amount of the above total that will go toward major IT investments, vs $71.5 billion that will go toward minor IT investments.
Source: Federal IT Dashboard
Industry Perspective
The Zero Trust Security Capabilities Your Agency Needs
An interview with Cameron Chehreh, Chief Technology Officer and Vice President, Presales Engineering, Dell Technologies
As good as it sounds, zero trust security will be too big a lift if agencies rely on manual processes. The federal government’s latest cybersecurity executive order (EO) pushes agencies to adopt this strategy, which requires them to apply security controls every time users or devices attempt to access resources, not just at network perimeters. But how can agencies from the top down wield zero trust security without being weighed down by manual workflows?
One potential answer is by provisioning and managing IT infrastructure through software — an approach known as infrastructure as code (IaC). “We firmly believe that infrastructure as code is the most powerful thing you can leverage to get a zero trust reality in today’s world,” said Cameron Chehreh, Chief Technology Officer and Vice President, Presales Engineering at Dell Technologies, a computer hardware and software provider.
Chehreh shared three zero trust security capabilities that IaC can unlock for agencies:
1. Analytical visibility
Analytics involves systematically studying data and statistics with computers. Without this, agencies may remain in the dark about their security. Subsequently, visualizing their security analytics can help agencies properly understand and address the risks facing their sensitive assets.
For example, analytics can help agencies see where cyberattacks are happening so their employees can monitor potential threats in those areas more closely. “We can make better-informed decisions about how to protect our data and applications,” Chehreh said.
2. Automated security
Automation happens when machines perform simple, manual tasks with little to no human input. When security basics like patching software are automated, the result is budgetary and labor savings for agencies. Freed from such routines, public-sector employees can pursue more complicated — and fulfilling — tasks for their agencies. The outcome is a win for everyone involved.
“Automation is critical for staying ahead of the adversary,” Chehreh said.
3. Orchestration
Why is automation so powerful? Ultimately, the reason is orchestration. Orchestration automates computer system and software configuration, coordination and management, making it crucial for applying zero trust security principles quickly and easily.
Take least-privilege access, a zero-trust security tenet that states that people need only the bare minimum of assets to accomplish their jobs. Through orchestration, agencies can rapidly apply this strategy agencywide.
“Orchestration allows you to make these kinds of decisions so you can do the most with the finite resources you have,” Chehreh said.
Effortlessly applying traits such as analytical visibility, automation and orchestration to zero trust security may seem impossible, but IaC can make the intangible tangible. Using IaC platforms like the one Dell Technologies provides, agencies can accomplish all their zero trust security goals in one place.
“I can use a simple suite of tools for my entire zero trust security posture,” Chehreh said.
The Technology Modernization Fund
The Technology Modernization Fund (TMF) is a pool of funding loaned in installments to federal agencies for technology modernization projects like cybersecurity initiatives.
$1 billion
the funds Congress provided to the TMF for modernization efforts — including cybersecurity — as part of the American Rescue Plan. Signed into law on March 11, 2021, the $1.9 trillion bill aims to stimulate the economy in response to the COVID-19 pandemic.
Source: General Services Administration (GSA)
4
the number of top priority categories available for potential TMF proposals. In May 2021, cybersecurity was listed alongside modernizing high-priority systems, public-facing digital services, and cross-government services and infrastructure as top priority proposal categories.
Source: GSA
State Government Cybersecurity
State agencies often have more budget dollars and employees than their local peers, but fewer of these resources than their federal equivalents.
No. 1
the ranking state chief information officers (CIOs) assigned to cybersecurity and risk management when asked to rate their top 10 priorities for 2021.
Source: National Association of State Chief Information Officers (NASCIO)
8
the number of consecutive years state CIOs ranked cybersecurity and risk management first among their top 10 priorities as of January 2021.
Source: NASCIO
StateRAMP
StateRAMP is a nonprofit organization that certifies cloud solutions that meet basic cybersecurity standards for holding state and local data. The group is modeled after the Federal Risk and Authorization Management Program (FedRAMP), which determines if cloud solutions meet certain security requirements for storing federal data.
January 2021
StateRAMP launched after being conceived in February 2020.
Source: StateRAMP
April 2021
StateRAMP membership officially opened to state and local government officials and cloud providers.
Source: StateRAMP
State Cybersecurity and IT Modernization Rankings
The Internet Association’s (IA) State, Local, Tribal, and Territorial Information Technology Advancing Reform Achievements (SITARA) scorecard rates states’ cybersecurity preparedness and IT modernization strategies.
0
states achieved “exceptional” or “excellent” ratings for either their cybersecurity preparedness or IT modernization plans in 2020. The SITARA scorecard’s other rankings are “very good,” “good,” “baseline,” “getting started” and “needs help.”
Source: IA
3
states scored “very good” on their cybersecurity preparedness and IT modernization plans in 2020: California, Florida and Minnesota.
Source: IA
Industry Perspective
3 First Steps Toward Adopting Zero Trust
An interview with Michael Phetteplace, Director of Cybersecurity, Sterling
The Biden administration’s recent executive order (EO) on cybersecurity has put zero trust security at the top of the agenda.
By directing federal agencies to develop plans for adopting zero trust security for network architectures, the EO makes a strong case for why state and local agencies should follow suit.
“Zero trust security is about eliminating our bad habit of allowing implicit trust in our systems,” said Michael Phetteplace, Director of Cybersecurity at Sterling, an IT solutions provider. “In the past, everyone took for granted that perimeters were secure and wouldn’t be breached. Now, everyone needs to understand that breaches are inevitable and plan accordingly.”
Phetteplace shared three important steps that can help agencies start implementing the directive to adopt zero trust security:
1. Adopt multi-factor authentication
Multifactor authentication (MFA) improves the security of the user verification and login process. The traditional username and password combination is augmented with additional factors that are not as easily compromised, such as hardware or software tokens, SMS passcodes or fingerprints. Once verified, users can access resources like data or networks.
“Multifactor authentication has become a fundamental security requirement,” Phetteplace said. “It is the first line of defense against credential compromise.”
Using MFA, agencies can increase the likelihood that their users are who they say they are. After all, it is harder for cybercriminals to obtain multiple evidence factors.
2. Segment networks
Network segmentation is another cornerstone of zero trust security. Using network segmentation, agencies can improve IT systems’ overall security by dividing them into sections based on security needs.
“Agencies need to take a fresh look at their environments,” Phetteplace said. “Assets that don’t need to communicate with one another shouldn’t be granted the ability to do so.”
Network segmentation can also keep cybersecurity incidents from paralyzing agencies. Take data breaches. During security incidents, network segmentation can keep cybercriminals from venturing deeper into agencies’ data.
3. Encrypt data
Data encryption is the act of converting information into a format that, ideally, only authorized parties can decipher. Government employees protect sensitive information, such as Social Security numbers, about the public they serve so data encryption can help prevent painful cybersecurity incidents.
“If attackers get access to data, it is of little use to them if it is properly encrypted,” Phetteplace said. “Also, have we secured encryption keys and mechanisms properly? We need to ensure we don’t provide bad actors the capability to decrypt our data.”
Companies like Sterling can give agencies the building blocks they need to implement zero trust security agencywide – whether it is from users to networks to data centers or to the cloud. In addition, Sterling provides solutions that automate cybersecurity processes for agencies using artificial intelligence (AI) and machine learning, gathering and processing threat intelligence from multiple sources at machine speed.
Over time, the more that agencies embrace the EO’s message, the more public-sector employees can focus on scoring mission wins.
The Cybersecurity Executive Order: Your Questions Answered
Securing technology is not only crucial for governments – it is equally imperative for the private sector and the public. Cybersecurity is now a concern that affects every aspect of our lives.
Currently, the United States faces a continuously evolving landscape of persistent and increasingly sophisticated threats. Lone cybercriminals can cause as much damage as hostile nations. The resulting minefield has too many hazards for agencies to defuse all at once.
But the Biden administration’s EO could mark a turning point in government cybersecurity. In years past, agencies from the top down would often make incremental cybersecurity improvements at
best. Going forward, federal agencies may instead make significant investments based on the EO. Gradually, these upgrades could inspire similar moves at state and local agencies.
Ultimately, Biden’s EO could transform how the public sector’s people, processes and technology strengthen cybersecurity. With people, the emphasis will be on information-sharing, risk management and threat intelligence. For processes, tomorrow’s strategies will gravitate toward capabilities such as cybersecurity response and recovery. And with technology, agencies will likely use tools such as the cloud more often.
The five breakdowns below dissect the cybersecurity EO’s main components. Each section answers four questions to gauge the impact on federal, state and local agencies.
What the EO Means for People
Cybersecurity and Workforce Details
Cybersecurity is a team sport, and the best defense occurs when the players all share information with one another. For instance, America’s cybersecurity depends on constituents, government employees and private-sector workers cooperating. Without this unity, the United States is vulnerable to any cyberthreat.
The EO strives to connect communities across all walks of life. Though the focus is on federal employees, the EO may eventually reach businesses, state and local agencies and their respective customers too. The goal is an America where the public and private sectors actively trade knowledge about cybersecurity risks, threat intelligence and mitigation.
1. Who will help agencies after future cyberattacks?
The EO marks the debut of the Cyber Safety Review Board. Much like the National Transportation Safety Board analyzes airplane crashes and other transit mishaps, the Cyber Safety Review Board will investigate cybersecurity incidents after they occur. After each examination, the board will recommend potential improvements to national cybersecurity. Over time, the group hopes to enhance the nation’s cyberdefenses by learning from past mistakes.
How will the board work? The answer is pairing federal and private-sector co-chairs. The Homeland Security Department secretary will convene the Board after significant incidents. Federal representatives will include civilian, military and intelligence agencies. The secretary will also select representatives from private-sector cybersecurity and software suppliers. This diversity ensures the board’s suggestions accurately reflect the national identity.
2. How will the EO change how agencies buy software?
For too long, agencies have relied on software that reached the market with serious vulnerabilities. Fixing these flaws is expensive and time-consuming, and many products present agencies with hidden security risks. Using these weaknesses, cybercriminals can penetrate both public- and private-sector IT networks.
The new cybersecurity EO takes several steps to correct this problem. First, it establishes baseline security standards – such as making security data publicly available – for developing federal software. Second, the EO creates a public-private process for developing innovative approaches to secure software development. Lastly, it launches a pilot program to label software that was developed securely. The program’s “Energy Star” labels will assist agencies, businesses and the public with quickly gauging which software best meets their cybersecurity needs.
3. How will the EO alter public-private partnerships?
When it comes to threat intelligence, many barriers exist between public- and private-sector workforces. After cyberattacks, many IT providers are reluctant to reveal embarrassing details about their security practices; these companies may also have contractual obligations with their clients that prevent them from disclosing details about a cybersecurity incident.
Industry Perspective
3 Reasons to Leverage LiFi at Your Agency
An interview with Fernando DeLosReyes, Solutions Architect Manager, Wildflower International
Sometimes, too many people want the same thing.
Take WiFi. For years, agencies have relied on this wireless networking technology – which uses radio waves – to exchange data between digital devices. But now, the radio frequency (RF) spectrum is getting crowded. And although new parts of the RF spectrum, such as the 6 GHz spectrum, are becoming available, every day more devices connect to the network and add to the congestion.
For agencies, the result can be slower and less reliable communications. Even worse, the data involved in these communications faces more risk from security threats like signal jamming.
Enter LiFi. LiFi is a wireless technology that uses cones of light to exchange data rather than radio waves. With LiFi, agencies can communicate not only faster and more consistently, but more securely, too.
“There is a limit to the RF spectrum,” said Fernando DeLosReyes, Solutions Architect Manager at Wildflower International, an IT solutions provider. “LiFi can reduce the RF footprint.”
DeLosReyes discussed three benefits that adopting LiFi can provide to agencies:
1. Lighten workloads
WiFi requires antennas, access points and receivers to operate, so installing access points can become difficult and time-consuming for agencies. For instance, establishing WiFi in a tactical environment involving tents for a military unit may take many labor hours and running networking cables.
Additionally, mounting, securing and managing these WiFi networks can become more complicated as the number of access points grows.
LiFi can reduce most of this clutter. Typically, LiFi installations require only one cable for both the technology’s light and networking capabilities. As a result, agencies spend less energy, money and time establishing LiFi than they would WiFi.
“Setting LiFi up is incredibly easy,” DeLosReyes said. “We can go anywhere in the world and use this technology.”
2. Reduce interference
Radio waves are vulnerable to interference from common devices such as baby monitors, cell phones and microwaves. Furthermore, WiFi is often unreliable in areas like airports and hospitals because of RF congestion.
LiFi avoids these pitfalls because fewer devices rely on light waves. Even better, LiFi’s lighting not only boasts the potential for higher connectivity than WiFi’s radio waves, but provides higher security, too. That’s because cones of light are easier to contain in enclosed spaces than radio waves.
3. Strengthen security
Speaking of security, LiFi is free of many of the potential vulnerabilities plaguing WiFi. For instance, data transfers involving WiFi are easier to detect and interfere with than their LiFi counterparts. All agencies handle sensitive citizen data, so this reality can cause major security problems for their workforces.
“Security is paramount to agencies’ security and our national security,” DeLosReyes said. “LiFi has emerged as a very compelling wireless technology.”
Ultimately, LiFi solutions like those Wildflower provides can help agencies see their data exchange and security in a new light.
“We’re bringing what is coming around the corner to our customers,” DeLosReyes said.
The cybersecurity EO strives to remove many of these obstacles. It eliminates many of
the contractual restraints that businesses
currently have when reporting incident and
threat intelligence to agencies such as the FBI
What the EO Means for Processes Cybersecurity and Workflow Details
that investigate and remediate cybersecurity problems. The EO additionally requires IT
providers to share details about breaches that could affect government networks. Together, these actions streamline the
communication among everyone involved in national cybersecurity.
4. What does the EO mean for state and local agencies? The EO could give state and local agencies
more cybersecurity resources. Take the Cyber
Agencies should not overlook the benefits of
modernizing their cybersecurity processes. Take automation, which can perform simple, manual tasks with little to no human input. Automating tasks like patching software vulnerabilities
reduces workloads for government employees while performing some of their responsibilities
faster. At their best, quality workflows like these can make agencies more capable of serving the public and earning mission wins.
Safety Review Board. After noteworthy attacks,
Take the advantages healthy cybersecurity
safer from cyberthreats.
these workflows can make employees more
A nationwide labeling system could also make
disaster strikes, these workers have processes
the board could make state and local agencies
state and local agencies more informed about the security of the software products and
services they purchase. By procuring higher-
rated tools, agencies of every stripe may reduce or even avoid painful cybersecurity experiences. Potentially, the EO’s largest benefit is connecting the private sector and state and local agencies. Private-sector insights could help state and local agencies find, stop and recover from
potential threats. For instance, companies could notify state and local governments when they have suffered a breach that may harm their constituents and employees.
processes offer agencies’ workforces. Internally, prepared for cybersecurity incidents. When that are faster, more flexible and more
collaborative. As a result teams are not only
more capable of handling cyberattacks, they are more resilient too.
Robust cybersecurity processes can also
benefit the public. Once implemented, clear
workflows can provide more accountability and
transparency about cybersecurity to constituents.
1. Is there a standard response for cyberattacks? Agencies cannot wait until their technology is compromised to decide how their workforces
will respond. Recently, countless cyberattacks
have demonstrated that cybersecurity maturity varies wildly across every category of agency.
The cybersecurity EO will help overcome these pitfalls by creating a standard playbook for responding to cybersecurity incidents. This
playbook will provide agencies with a common 16
set of cybersecurity terms. The document
also recommends concrete steps agencies should take when identifying and stopping cybersecurity threats. The playbook will declare which National Institute of Standards and Technology (NIST) cybersecurity standards agencies must follow. Once all the federal agencies are on the same page about cybersecurity, the hope is that other agencies and the private sector follow suit.

2. How does the EO change how agencies log cybersecurity events?
The information from network and system logs can assist agencies with investigating and remediating cybersecurity incidents. But some agencies do not properly log this information, making it more difficult to detect intrusions, mitigate ongoing breaches and determine the damage from an attack. Without these insights, agencies may not know the security of the data they are storing on premises or with third-party vendors like cloud providers.

To tackle this challenge, the cybersecurity EO will set requirements for logging and protecting incident details. These policies will cover everything from how long to retain logs to how to safekeep the information they contain. Eventually, the EO’s policies will ensure that security teams have centralized access and visibility into every cybersecurity incident log at their agencies.

3. How should agencies approach cybersecurity next?
Contact sports need rules, and cybersecurity is no exception. To that end, Biden’s EO will outline the federal government’s Endpoint Detection and Response (EDR) initiative. Like other EDR strategies, the federal version will continually monitor endpoint data to find and stop the cyberthreats menacing these devices.

EDR programs strive to make organizations proactive, rather than reactive, about cybersecurity. The goal is to construct processes for active cyberthreat hunting, containment, remediation and incident response at federal agencies.

4. How will the EO touch state and local cybersecurity processes?
Frequently, starting from scratch is the hardest part of establishing routines. Fortunately, the EO explains how federal agencies will set the standard that state and local agencies can use for their own cybersecurity processes.

Consider the federal playbook for engaging with cybersecurity events. By giving state and local agencies an example to emulate, the playbook reduces the amount of time they might spend drafting their own documents. State and local agencies typically have smaller budgets and workforces than their federal counterparts, so any advantage counts when dealing with cyberthreats.

The same principle applies to other cybersecurity processes such as event-logging and EDR guidelines. By standardizing the tactics federal agencies use, the EO may prompt similar activities at state and local agencies.
Industry Perspective
How to Create a Zero Trust Security Culture
An interview with Justin Robinson, Chief Technology Officer of Cyber and Analytics, ThunderCat Technology

Government cybersecurity is like dieting. Public-sector employees know that protecting their agency’s data and other assets is healthy but making strong cyber hygiene stick agencywide is easier said than done.

After all, many agencies could improve how their teams collaborate on cybersecurity. More importantly, these agencies could phase out perimeter-based security. Too often, threats have emerged from both inside and outside agencies’ perimeters, proving that this is not the optimal approach.

Enter zero trust security. Unlike perimeter-based security, zero trust automatically assumes that every entity on agencies’ networks is untrustworthy. By continuously monitoring risks in this way, agencies can cultivate a thriving security culture.

“Zero trust is not a tool or product,” said Justin Robinson, Chief Technology Officer (CTO) at Cyber and Analytics at ThunderCat Technology, an IT solutions provider. “It is something that has to be inherent in day-to-day IT operations.”

Robinson listed three steps agencies can take to make zero trust security habitual within their workforces:

1. Take stock of current security tools
Different agencies have different needs and different security stacks. Security stacks contain all the tools in an agency’s security inventory, so accurately understanding these toolsets is crucial for zero trust security.

“Every organization has gaps based on their maturity level,” Robinson said of security stack assessments.

Once an agency understands its stacks, employees can add features like continuous monitoring that anchor zero trust security. Continuous monitoring constantly evaluates agencies’ resources for potential security risks in real time.

2. Start small
Robinson also cautioned agencies against immediately implementing zero trust security agencywide. Instead, he urges them to apply zero trust principles to narrow parts of their operations.

“Don’t roll out new applications or services and give them authority to operate without first running them through a zero-trust exercise,” Robinson said.

For instance, least-privilege access is the idea that employees should receive only the minimum amount of access to the resources their roles require. To try zero trust security, an agency could practice least-privilege access with one application rather than the entire organization.

3. Boost teamwork
For too long, many network and security teams have worked alone while defending their agencies’ security. To succeed, zero trust security needs to upend this model.

“Zero trust security requires a culture within the organization where the collaboration is open,” Robinson said.

Beyond people and processes, zero trust security additionally demands that agencies change their technology. Fortunately, IT solutions like those ThunderCat Technology provides can give agencies capabilities like real-time situational awareness that altering their workforces and workflows cannot. With guidance from ThunderCat Technology, agencies can create zero trust security architectures that optimize the capabilities they have while plugging their gaps.

“It’s not about starting with your entire environment, every application you’re running, the network and workloads,” Robinson said. “You can start to move towards zero trust instead of boiling the entire ocean.”
What the EO Means for Data
Cybersecurity and Information Details

Agencies must walk a delicate tightrope when handling data. On the one hand, data contains sensitive information like health care details that constituents expect agencies to keep private. On the other hand, securing this data cannot be so complicated that it slows down government employees.

The reality is that cybercriminals make balancing both concerns hard for agencies. Data attracts cybercriminals, as they can often profit off personally identifiable information (PII) such as Social Security numbers quickly and easily. Nation-states are even more concerning: The data hostile governments steal can hurt U.S. national security.

The federal government hopes to soothe these fears by mixing modern tools with fresh perspectives on handling data. Implemented correctly, Biden’s cybersecurity EO can assist agencies with guarding one of their most precious resources.

1. How will agencies need to protect their data differently?
Agencies should make accessing their data as hard as possible, and encryption helps them do exactly that. Encryption translates data into another form that can be unlocked only with a decryption key such as a password. Because encrypted data can be deciphered only with the right tools, only the correct people can typically access this information.

Biden’s cybersecurity EO mandates that all federal agencies embrace encryption for their resting and in-transit data. In the past, unencrypted data facilitated many cyberattacks, so this rule could erase this option for cybercriminals. With the federal government leading by example, scores of state and local agencies may also adopt encryption soon, if they have not already.

2. How will government employees need to handle data differently?
Much like encryption, multifactor authentication (MFA) can make a difference with data security. MFA grants users access to resources such as data only after they have presented two or more pieces of evidence verifying their identities. These identity factors include something only the individual has (a key), something only the individual knows (their address) or something unique to the individual (their fingerprint).

The EO stipulates that all federal agencies must deploy MFA. From the top down, this cybersecurity tool can assist agencies with preventing unauthorized access to their data and other assets.

3. How will agencies need to rethink their data practices?
Biden’s EO demands that federal civilian executive branch (FCEB) agencies understand their high-value data assets. Rather than treat all their data the same, the EO tasks these agencies with evaluating which types of unclassified data they have and how sensitive each type is.

These evaluations will help FCEB agencies identify which unclassified data types are the most sensitive, and which varieties are under the greatest threat from cybercriminals. More importantly, these analyses will decide the most appropriate processing and storage solutions for each FCEB agency’s information.

Although the EO’s details about unclassified data apply only to FCEB agencies, this data security philosophy can benefit any agency.

4. How can the EO assist state and local agencies with data security?
The best federal data security practices can also pay off for state and local agencies. Although the latest cybersecurity EO does not require state and local governments to implement its data security policies, those that do will benefit.

Look at encryption. Encryption is a simple step any agency can take to make its data harder for cybercriminals to exploit. MFA, meanwhile, can put guardrails between sensitive information and the people who are not supposed to interact with it. Additionally, determining how sensitive their data is — and what risks it faces — can make cybersecurity easier for any government.
Industry Perspective
3 Ways to Continuously Progress on Security
An interview with Tad Northcott, Plan Executive, Navy and Marine Corps; Dave Deppisch, Market Leader, Navy, Marine Corps, Air Force and the Defense Information Systems Agency; and Glenn Jensen, Software Account Executive, Insight Public Sector

When it comes to security, agencies are used to doing more with less. Not only can budget constraints limit options, but priorities can shift and talent can grow scarce. No matter the obstacle, even one roadblock can impede meaningful security advancements.

But what happens when today’s cyberthreats evolve and agencies cannot keep up? Too often, the result is a costly and humiliating security incident. To prevent this, agencies need the ability to continuously refine their security capabilities and defenses.

“The bad guys never stop,” said Glenn Jensen, Software Account Executive at Insight Public Sector, a business-to-business and IT solutions provider. “Cybersecurity requires us to continually progress and improve.”

The Insight Public Sector team shared three steps agencies can take to keep their security ready for anything:

1. Assess security capabilities
Agencies frequently do not know the state of their security personnel, processes and tools. By having a trusted vendor assess their capabilities, agencies can pursue goals that elevate their overall security agencywide.

“You can evaluate your current state and then move up the stairs to the state you want to get to,” said Dave Deppisch, Market Leader, Navy, Marine Corps, Air Force and the Defense Information Systems Agency (DISA).

For instance, a vendor assessment can tell agencies how prepared their operations are for zero trust security. Zero trust security involves distrusting all computing entities, so agencies may need to ready their devices, users and other assets before adopting such a dramatic shift in security strategies.

2. Leverage continuous monitoring
Continuous monitoring is a vital component of zero trust security because it detects changes to agencies’ IT environments in real time. Whether it is an emerging threat, vulnerability or compliance issue, continuous monitoring makes sure agencies are always informed about their security landscapes.

“Annually, lots of agencies scramble to prepare for cybersecurity inspections,” said Tad Northcott, Plan Executive, Navy and Marine Corps. “With continuous monitoring, they’d know where they are before an annual review.”

3. Add multifactor authentication
Multifactor authentication (MFA) is another tool that agencies are increasingly leaning on for their security needs. When users approach agencies’ sensitive data and other assets, MFA asks them for at least two pieces of proof to confirm their identities, such as a birthplace, fingerprint or something else.

All agencies have unique goals, but IT providers like Insight can assist them by identifying their potential security gaps. Insight can then provide agencies with specific tools — such as continuous monitoring and MFA solutions — that can meet their mission demands.

“What agencies have told us is that they want to leverage private-sector best practices,” Jensen said. “Our goal is to help them meet that need.”
What the EO Means for the Cloud
Cybersecurity and the Cloud Details
Presently, cutting-edge cybersecurity often features IT modernization because maintaining and securing legacy IT can prove costly, difficult and risky.

Yet that does not mean every agency has adopted cloud computing. The cloud decentralizes IT infrastructure to deliver computer resources such as data storage on-demand. Although this format gives agencies unparalleled flexibility and scalability, cloud migrations can take more effort than agencies initially realize.

Recognizing this, Biden’s EO prods agencies to use the cloud while acknowledging some may do so partially or not at all. While the EO hopes to accelerate public-sector cloud use, it also covers securing computer systems on premises, in the cloud or a hybrid of both models.

1. Will all agencies have to use the cloud?
According to the cybersecurity EO, different agencies are at different stages of cloud implementation. Consequently, the document’s various cybersecurity details can apply to on-premises, cloud-based or hybrid IT.

But the EO is also clear that the federal government wants to speed up its overall cloud adoption. The EO not only calls for faster federal cloud migrations, it even lists three potential models for agencies.

First up are Software-as-a-Service (SaaS) clouds, which license centrally hosted software on a subscription basis. Infrastructure-as-a-Service (IaaS) clouds decentralize IT infrastructure, while Platform-as-a-Service (PaaS) clouds do the same for computing platforms hosting agencies’ desired applications.

Regardless of the cloud model involved, the EO reveals that the federal government sees the technology in its agencies’ futures.

2. How will future cloud adoptions work for agencies?
Since 2011, the Federal Risk and Authorization Management Program (FedRAMP) has authorized which cloud products and services can host federal data. By leveraging FedRAMP’s cloud security standards, the Biden administration made the program one of its cybersecurity EO’s biggest stars.

No. 1 among the EO’s FedRAMP priorities is leveraging a governmentwide strategy for federal cloud security. This strategy will try to ensure that agencies broadly understand the risks from cloud-based services and how to effectively address them.

A technical reference documenting secure cloud architecture is another goal. Once released, this resource will illustrate recommended approaches to cloud migration and collecting, protecting and reporting on data for agencies.

Lastly, the order tasks FedRAMP with identifying the cloud services and protections available to agencies based on incident severity. This framework will also list the data and processing activities associated with these services and protections.

Together, these steps ensure that agencies can adopt cloud quickly, securely and intelligently with FedRAMP’s expertise.

3. How might the EO’s cloud details transform federal agencies’ work?
The better people understand the cloud, the better the technology will benefit them. Due to the cloud’s rising prominence within the federal government, the new cybersecurity EO takes steps to inform agencies’ employees about FedRAMP.

Chief among the cybersecurity EO’s FedRAMP education opportunities is a new federal training program. Once established, this initiative will ensure that federal employees are trained and equipped to manage FedRAMP authorization requests. This learning opportunity will also include training materials and on-demand videos that inform federal workers about FedRAMP’s role in securing cloud products and services.

Someday, introducing FedRAMP tutorials to the federal talent pool could prompt state and local agencies to craft their own versions.

4. How could the EO morph state and local cloud security?
Where federal agencies go, state and local agencies will likely follow. The cloud is no different, and many state and local governments may copy their federal companions once they realize the technology’s benefits. Similarly, the way federal agencies secure their cloud products and services may become equally successful for state and local workforces.

Beyond simply adopting cloud, state and local agencies may also crave access to federal data. But to host this desirable commodity, state and local cloud environments may have to comply with FedRAMP’s security benchmarks. Ultimately, the state and local agencies that do not follow FedRAMP’s standards may miss powerful federal insights.
Industry Perspective
How to Innovate in Cybersecurity (or Anything Else)
5 Tips for Agile Operations Provided by Technology Integration Group

Nowadays, it is no secret the public sector needs more cybersecurity innovation. From the top level down, agencies nationwide are endlessly defending their resources from cyberthreats — and cyberthreats are constantly reinventing themselves, so agencies must keep up.

Yet innovation is difficult without resilience. Resilience is the ability to respond to, recover from and continuously function during disruptions; without resilience, agencies may find innovation hard to reach.

Thankfully, agencies can rapidly acquire both attributes by imitating the private sector. Take Technology Integration Group (TIG), an IT solutions provider. TIG’s “Start Right” philosophy is a business methodology that can make agencies more innovative and resilient.

Here are five ways agencies can become resilient innovators, according to TIG:

1. Engage with challenges
Before agencies innovate, they must clearly understand their business needs. First, they must decide how and what innovations may elevate their credibility and work. Next, these agencies must determine which of their existing capabilities already contribute toward the potential innovations. Finally, these agencies should craft proposals that capture each innovation’s impact.

Take data encryption, which converts data into a form that, ideally, only authorized parties can decipher. Agencies handle sensitive data about citizens, so protecting this information is vital for preserving public trust. Agencies without data encryption can start applying it by determining which information is most critical and may need encryption first.

2. Conduct analyses agencywide
Innovation also requires gathering as much information as possible about potential next steps. Understanding their current operations, architecture life cycles and frameworks can not only assist agencies with refining their business needs but help them model their future routines.

For instance, look at data storage. Currently, many agencies have legacy IT that they cannot easily restore after cyberattacks. However, using cloud computing, agencies can store backup copies of their data and become more resilient.

3. Build blueprints
All innovations, including the cybersecurity variety, need roadmaps. For the best results, agencies should measure how innovations might transform their operations. By predicting the potential benefits and financial impact of any changes, agencies can craft the best possible solutions for their workforces.

4. Make the case
Innovators must articulate how the changes they are proposing can take root at agencies and what investments they need to enact them. Without these details, agencies may lack lasting innovation and resilience.

5. Implement effectively
To optimize the benefits they reap from innovations, agencies must first determine the best way to implement them. Ideally, implementations unfold using roadmaps tailored to produce the maximum number of advantages from the solutions involved.

Innovation may seem difficult on paper, but partners like TIG can demonstrate what consistent, simple innovation looks like. Over time, innovative agencies have the agility to stay resilient when cyberthreats come calling.
What the EO Means for Zero Trust Cybersecurity
Cybersecurity and Zero Trust Security Posture Details

Biden’s cybersecurity EO may pinpoint the moment zero trust cybersecurity becomes a public-sector routine. The EO’s stipulation that federal agencies construct zero-trust cybersecurity architectures hints that state and local agencies will probably follow suit.

This posture nonetheless requires a radical shift in security thinking for every type of agency. Unlike traditional cybersecurity, this philosophy acknowledges that cyberthreats can emerge either inside or outside a network’s perimeters. To deal with this paradigm, zero trust cybersecurity demands that agencies continuously monitor their entire IT ecosystems for danger in real time. Most importantly, this mindset assumes that every entity — whether it is a device, a user or something else — is untrustworthy until its identity has been verified.

1. How could zero trust cybersecurity change employees’ routines?
Zero trust cybersecurity erases automatic trust in computing entities. Whether these elements are applications, devices, services, users or other options, nothing immediately receives the keys to an agency’s kingdom.

This mindset may seem unusual to government employees who are not familiar with least-privilege access. Least-privilege access permits access to only the bare minimum of the resources someone’s job requires. Zero trust cybersecurity can thus prevent anyone from overstepping their bounds and causing security incidents.

For any government, this mentality hinges on the idea that no one – from the highest executive to the newest intern – is instantly capable of engaging with the organization’s assets.

2. How can zero trust upgrade how agencies perform cybersecurity?
Zero trust ends the notion that cybersecurity can remain static in an endlessly changing threat environment. Amid this chaos, the best approach is dynamic cybersecurity that can go with the flow when it comes to new pitfalls.

What makes zero trust cybersecurity so dynamic? Continuously monitored data that comes from multiple sources in real time. Zero trust cybersecurity involves constant scans of every piece of agencies’ IT infrastructure to ensure that no strange activity slips past undetected.

Zero trust cybersecurity can be rigorous work, so agencies should consider automation a part of their implementation process. This frees humans for more complicated work by reducing their initial workloads.

3. Why does zero trust cybersecurity work if practiced properly?
For decades, organizations assumed walling off their networks would be enough to halt potential cyberattacks. While useful, this approach didn’t account for cyberthreats that could bypass network perimeters or come from inside organizations themselves.

Zero trust cybersecurity views breaches as inevitable, so it restricts computing entities from touching resources they do not need when possible. Gradually, this format allows agencies to contain the damage from a compromise. This approach also establishes normal security patterns, forcing suspicious behavior to bubble up so agencies can block it sooner.

Zero trust cybersecurity can answer who, what, where, when, why and how agencies’ computing capabilities are being used.

4. Why should state and local agencies follow federal agencies’ lead on zero trust cybersecurity?
State and local agencies often have fewer cyber defenses at their disposal than federal agencies. Many state and local agencies must do more with less on cybersecurity because of their smaller budgets and workforces.

Used correctly, zero trust cybersecurity can make many of these hurdles disappear. With the right training, any employee can practice zero trust cybersecurity effectively. Its status as a state of mind also makes practicing it often cheaper than buying more cyber defenses.
Industry Perspective
Simplifying Your Agency’s Cybersecurity in 3 Steps
An interview with Fred Hoffmann, Chief Information Officer, Future Tech Enterprise, Inc.

The longer that agencies have depended on their legacy technology, the harder it is for them to leave these tools behind. The reason is simple: the more time that agencies invest in legacy technology, the more energy and money they spend on it, too.

But legacy technology is gradually making public-sector cybersecurity more challenging. Like walls that have weathered away, legacy technology is increasingly leaving agencies exposed to cyberthreats.

“When organizations have older versions of software and databases and are relying on legacy solutions, the level of vulnerabilities is far more extensive,” said Fred Hoffmann, Chief Information Officer (CIO) at Future Tech Enterprise, Inc., an IT solutions provider.

Hoffmann shared three moves agencies can make to help their people, processes and tools leave legacy technology in the past.

1. Act agencywide
When it comes to cybersecurity, Hoffmann recommended that agencies start by making the topic a constant concern agencywide.

“Cybersecurity is not just an IT issue,” he said. “It is a legal, human resources and risk management issue.”

Take cybersecurity training. By consistently training employees on cybersecurity agencywide, agencies can show workers how to apply modern IT like cloud computing to their unique roles.

2. Scrap silos
Agencywide cybersecurity is important for another reason – eliminating silos among teams. Not only are siloed agencies less prepared for cyberthreats, but these agencies may also struggle with modernizing technology quickly, affordably and efficiently.

“When organizations do not have a comprehensive view of their IT infrastructure, or make decisions in silos, we see trouble,” Hoffmann said.

So, how can agencies reduce their cybersecurity silos? One option is making IT infrastructure evaluation and upgrade management comprehensive and holistic.

“This is the best way to minimize risk, optimize the value of your IT investments and facilitate any technology changes across an organization,” Hoffmann said.

3. Adopt artificial intelligence
Cloud computing’s decentralized infrastructure allows agencies to leverage computing resources like data storage on demand. As such, modernizing IT often involves cloud adoption because of the technology’s flexibility.

But securing clouds can prove difficult when agencies construct environments using on-premise IT, off-premise IT or a hybrid of both. Take cloud-based data. The different IT systems involved with this information can make protecting it difficult.

Enter artificial intelligence (AI). AI mimics human cognitive abilities such as reasoning, so it can lend agencies’ employees a hand with cybersecurity issues like defending cloud-based resources.

“Optimizing cloud security starts with heavy and targeted investments in the latest AI-powered solutions, which are designed to provide rapid detection and response to threats,” Hoffmann said.

Providers like FTEI can help agencies map out agencywide modernization journeys involving cutting-edge tools like AI.

“We always strive to be the easiest and most flexible partner for agencies to work with,” Hoffmann said.
How CISA is Leading the Way on the Cybersecurity EO

Because cybersecurity is a team sport, the Cybersecurity and Infrastructure Security Agency (CISA) may be America’s coach. CISA is a federal agency responsible for elevating government cybersecurity nationwide. Whether the threat is a cybercriminal or a hostile nation, CISA helps protect its federal, state and local partners by improving cybersecurity coordination and defenses.

Naturally, Biden’s recent cybersecurity EO closely fits CISA’s mission. From sharing threat intelligence to practicing zero trust cybersecurity, the EO outlines several key strategies CISA urges agencies to follow going forward.

GovLoop discussed CISA’s role in implementing the new cybersecurity EO with Deputy Executive Assistant Director for Cybersecurity Matt Hartman.

This interview has been lightly edited for brevity and clarity.

GOVLOOP: How is U.S. cybersecurity doing?

HARTMAN: In terms of where we’re doing well, the first thing that comes to mind is that we are making our adversaries work harder by more consistently and more thoroughly doing debasement, particularly in the federal space. It is things like implementing MFA, encrypting data and rapidly patching vulnerable systems.

The challenge is that while we continue to improve our defenses, shore up our cyber hygiene and take advantage of some low-hanging fruit as a federal enterprise, our adversaries are becoming increasingly sophisticated and brazen. To get where we need to be in terms of cybersecurity, our country needs sustained investments in both cybersecurity and IT modernization over many, many, many years.

Recent events have again highlighted the truth that no one security control, vendor or solution can prevent an attack from a nation-state adversary. It is going to take multiple layers of defense and security measures to protect an organization. And even with all that in place, it is going to continue to represent a great challenge to keep sophisticated adversaries from gaining access to networks that represent strategic interest to them, which is why one of the first principles of zero trust cybersecurity is to assume breach.

This is the reason the EO sets out these tangible actions to raise the bar on the federal government’s ability to detect and respond to cybersecurity incidents. The shared end goal is to ensure that our critical infrastructure – which keeps our global community working through thick and thin – is a hard target for those who seek to disrupt it. And when that critical infrastructure is disrupted, we are collectively able to limit the impact to the functions that we as Americans rely on every day.

How would you like to see the public and private sectors share threat intelligence based on the EO?

The private sector is increasingly uniquely positioned to domestically identify key threats and vulnerabilities to our federal infrastructure and our nation’s infrastructure. One of our primary roles at CISA – and the one we take most seriously – is to serve as the hub for public-private information-sharing in a cybersecurity incident report. In this past year’s National Defense Authorization Act, CISA was provided the authority and resources to stand up a joint cybersecurity planning office to lead the development of and to coordinate the execution of a whole-of-government – and whole-of-nation – cyber defense plan. It is integrating the capabilities of the U.S. government, the private sector and our state, local, tribal, territorial and international partners with the sole focus of defensive cybersecurity planning. It is going to be extremely beneficial in enhancing our ability to quickly develop a common operating picture and provide rapid assistance to both federal and non-federal organizations that have or may have been targeted by adversaries.

What cybersecurity best practices do you recommend for aligning with the EO?

On the federal front, recent cyberthreat campaigns continue to highlight that our federal networks are on the frontlines of cyberattacks against our nation. This reality makes it essential that we think of the federal government more as an enterprise. As part of this enterprise mentality, we can better manage our collective risk. There is a need for greater visibility, increased shared services and more cost-effective capabilities.

For state and local governments, recent events have forced us as an entire U.S. government to focus a tremendous amount of effort on combating the recent rise in ransomware attacks. To that end – and to minimize the risk of ransomware and all cyberattacks – CISA recommends following three cybersecurity best practices.

One, report your incident to CISA and law enforcement. We are here to help, and if you call one of us, you call all of us.

Two, ensure your business operations can remain operable in the event of a large-scale IT disruption. It is not only important to have business continuity and incident response plans in place, it is imperative to test your plans regularly.

Third, remember that almost all intrusions stem from weaknesses in internet-facing systems. If you can do one thing, assess your posture and fix these external-facing vulnerabilities.
Industry Perspective
How to Mature Your Agency’s Cybersecurity
An interview with Kevin Steeprow, Senior Vice President, Engineering, Red River
Recently, most of the public sector has realized that their cybersecurity practices have some growing up to do.
The COVID-19 pandemic prompted more governments to work remotely than before, but many found that they were not equipped to defend networks extending beyond their office walls. Thankfully, there is an answer for agencies.
Cybersecurity maturity measures how ready and able agencies are to address their risks. During crises like viral pandemics, cybersecurity maturity can help agencies avoid painful disruptions.
But maturing agencies’ cybersecurity is easier said than done. To reach maturity, today’s agencies must assess how their cybersecurity risks affect their people, processes and technology.
“Everyone knows what the end state is,” Kevin Steeprow, Senior Vice President, Engineering at Red River, a software provider, said about cybersecurity maturity. “Unfortunately, there is no silver bullet or magic wand to get them there.”
Steeprow suggested three steps that agencies can take to increase their cybersecurity maturity:
1. Take stock
Cybersecurity touches scores of agencies’ resources. Whether it is data, networks, users or something else, agencies at every level have lots of ground to cover.
The truth is that understanding all these concerns can be challenging. To chart a clear path, Steeprow recommended that agencies initially assess how their cybersecurity is performing agencywide.
“It is about what you have and what is most critical for you,” he said. “You don’t take on the elephant in one fell swoop.”
Security assessments can measure things like how many software vulnerabilities agencies have, and these discoveries can help agencies gradually strengthen their cybersecurity.
2. Start SOCs
Security operations centers (SOCs) are centralized units that handle organizational and technical issues. For cybersecurity, SOCs typically analyze, monitor and defend valuables like data.
“If you have a good SOC or a good partner providing SOC services, it can give you a proactive and preventive look at what’s going on,” Steeprow said.
By protecting cybersecurity in one place, SOCs can remove many of the silos that sometimes separate agencies’ teams.
3. Embrace zero trust security
Zero trust security dictates that agencies should never automatically trust the users, devices and other computing entities on their networks.
Ultimately, making zero trust security second nature at agencies lets them continuously monitor for – and then mitigate – potential cybersecurity threats.
“It is understanding what information you have and who has access to it,” Steeprow said. “Just because you’ve passed that original boundary doesn’t mean you get the keys to the kingdom.”
Cybersecurity maturity requires daily improvements. The good news is that providers like Red River provide expertise about topics including security assessments, SOCs and zero trust security to help agencies constantly raise the bar on their cybersecurity maturity and accomplish their unique goals.
“We want to help you be a Swiss Army knife,” Steeprow said. “Let’s find the right tool for the right job.”
How the EO Could Mature State and Local Cybersecurity
Often, the federal government can seem like an older sibling to state and local governments. The average federal agency has a larger budget and staff than most state and local agencies; federal organizations are also more likely to steer state and local agencies down the trails they blaze.
Cybersecurity is no different, and the recent EO on this topic covers many moves federal agencies are familiar with. Although the EO does not force any state or local governments to follow suit, they may want to mirror many of the document’s minutiae.
GovLoop spoke with NASCIO Executive Director Doug Robinson and Director of Policy & Research Meredith Ward about how Biden’s cybersecurity EO could make the public sector’s overall cybersecurity more mature.
The interview below has been lightly edited for brevity and clarity.
GOVLOOP: Where are state and local agencies struggling with cybersecurity?
ROBINSON: Generally, the states are not organized to succeed around cybersecurity. They don’t have enterprise governance that’s strong. By that I mean they don’t have the requisite capabilities and disciplines in their organization to succeed in cybersecurity. Their investments are not commensurate to the risk. That is more problematic at the local government level.
I think that cybersecurity is a significant business risk. I think that’s part of the gap we have today, the fact that across the board – from elected to appointed officials, particularly elected officials – cybersecurity is not embraced, cybersecurity is not well understood. They still want to think of this as an IT issue. “That’s the CIO’s problem – that’s an IT issue.” But it’s a business issue. We’ve now seen that come full bore.
I look at this as a business problem that needs to be articulated without this constant fear. This is life in the digital age, and we need to become more mature in how we address it. That’s the whole core of the EO, a whole set of directed actions that makes the federal government mature and modern. State and local agencies are dealing with the same thing.
What effect might the EO have on state and local cybersecurity?
WARD: State and local governments take a lot of direction from the federal government. What I think the EO can do is provide a model for state and local governments without having a mandate. I think it can help state and local governments with their own best practices. It’s always good to take an inventory of what they’re doing on a day-to-day basis and how that might improve.
Why is sharing threat intelligence important for agencies at every level?
WARD: As we get more connected as a society, it’s almost like our borders are getting thinner and thinner. To protect our federal, state and local government, it’s critical that everyone take an interest in cybersecurity.
There is currently no requirement in most states for the private sector to report any incidents they might have. But if there’s an attack on a private-sector company or institute, it could likely affect state and local networks, higher education and things like that, too.
This goes to the concept we call “all of state.” Everyone in a state has a role to play in cybersecurity. It is state governments, local governments, the private sector, higher education, etc.
ROBINSON: We’ve heard for years that actionable intelligence-sharing is an area that needs lots of improvement. There has got to be more collaboration and less just throwing stuff downstream to state and local agencies. Frankly, there are lots of times they do not know what to do with information because there’s so much latency built in, or because there’s a high degree of concern about something like classified information. What happens is that by the time Arizona’s chief information security officer gets the information, for example, it is not useful to them. It has got to be more than simple information-sharing – it has got to be broad collaboration. It is a whole-of-government discussion.
What is the main takeaway from the EO for state and local agencies?
ROBINSON: I think the main thing is that the EO is very comprehensive. It provides a good roadmap for state and local leaders to look at and say, “What can we do?” The EO reinforces what state and local governments need to do to become more mature and modern. You must understand the risks and make sure you fund them.
WARD: Every government in our country understands that cybersecurity is a huge concern, and everyone has a role to play. The more everyone plays their roles, the better off we are going to be.
Industry Perspective
How to Climb Your Agency’s Cybersecurity Mountain
An interview with Katie Hanahan, Vice President, Cybersecurity, ITsavvy
In the public sector, overthinking cybersecurity is almost as bad as not considering it enough. For many agencies, cybersecurity is like standing at the foot of a mountain without any idea how to scale it. But the only way over a peak is one step at a time, and the same is true for cybersecurity. For agencies unsure about how to approach it, the answer is basic cyber hygiene.
Cyber hygiene covers the steps that computer users can take to protect their organization’s online security and system health. By mastering fundamental cyber hygiene, agencies can enable their employees to defend resources like data.
“The mission is not insurmountable, but it can feel that way sometimes,” Katie Hanahan, Vice President, Cybersecurity at ITsavvy, an IT solutions provider, said of cyber hygiene.
Hanahan shared three ways that agencies can elevate their cybersecurity by refining their cyber hygiene:
1. Transform training
Too often, agencies treat cybersecurity training as check-the-box training. When it comes to cybersecurity, however, the more practice workers have, the better. For example, agencies can conduct agencywide lessons quarterly rather than annually. “We have to make sure we are doing this training with every level of employee,” Hanahan said.
Take email security. Hanahan recommended that agencies instruct everyone from leaders to HR employees about why suspicious email attachments should be avoided. The reason? Some suspicious email attachments may download malicious software onto agencies’ networks.
2. Avoid alert fatigue
Alert fatigue is when the amount of cybersecurity alerts exhausts the people addressing them. At agencies, alert fatigue can overwhelm cybersecurity teams that may already have small budgets or workforces.
Fortunately, agencies can reduce alert fatigue using security operation centers (SOCs). SOCs are centralized units that deal with security issues like cybersecurity on organizational and technical levels. After partnering with an external SOC or starting their own, agencies can shift some cybersecurity burdens away from their staff.
“The benefit is that you’re outsourcing this piece to someone else so that the IT people you have in your organization can focus on the work at hand,” Hanahan said.
3. Test cyberdefenses
The best armor is battle-tested often, and cyberdefenses are no exception. To avoid painful cybersecurity incidents, agencies can perform tests that detect security gaps without any lasting damage. Take penetration tests, which evaluate IT security by letting researchers safely expose vulnerabilities. Another option is simulated cyberattacks, which let agencies practice how they might respond to real security incidents.
Although cybersecurity might seem daunting, providers like ITsavvy can give agencies the security assessments, assistance and training they need for mission wins.
“We have the right ecosystem of partnerships to help them achieve their goals,” Hanahan said of ITsavvy. “We can get through this and do this together.”
EO-Ready Best Practices for Cybersecurity
The Biden administration’s EO on cybersecurity may become a before-and-after moment in the history of government cybersecurity.
That does not mean the EO will not matter to everyday Americans. Across every layer of the nation’s public sector, government employees can make a difference in cybersecurity—that does not just benefit their agencies. Someday their cybersecurity contributions may aid the private sector and constituents, too.
The main takeaway governments should have from the new EO is that all their employees can play their part in safeguarding national cybersecurity. Whether an entry-level hire or an agency leader, no role is too small to lend a hand.
Here are eight ways — two for each category of government employee discussed here — to bolster U.S. cybersecurity from coast to coast. These tips are inspired by the federal, state and local thought leaders in this guide.
Rank-and-File Personnel
1. Embody skepticism.
With cybersecurity, every government employee can approach their work with more caution. No one wants to make their agency a cyberattack statistic, but the truth is even small security missteps can become big incidents.
As a result, all government workers should be wary of potential cybersecurity traps such as suspicious emails. Another place for constant vigilance is possible technology vulnerabilities. Whether these potential flaws reside in applications, IT networks or elsewhere, spotting them early can avoid costly security incidents.
Ultimately, any employee can contribute toward better cybersecurity by avoiding suspicious links, email attachments and other possible pitfalls.
2. Stay informed.
Cybersecurity never stops morphing. Government employees who want to stay informed about this critical topic should consider every training available to them. Even basic lessons about topics the EO covers — like cloud security — can prevent painful experiences.
Although such cybersecurity education is useful, not every government employee has the energy, money or time for classes. One alternative is following cybersecurity news such as relevant EOs when the opportunity presents itself. Another solution is getting the gist of subjects like the latest cybersecurity EO from trusted coworkers. Ultimately, even novice cybersecurity knowledge is better than nothing at all.
Agency Management and Leadership
3. Promote cybersecurity learning.
Knowledge is power, but no cybersecurity insights can reach government workforces that remain unaware of them. Consequently, those in leadership positions should encourage cybersecurity learning options whenever possible.
Picture the supervisor of a close-knit team at an agency. Leading by example, this individual could enroll in cybersecurity training related to acts like the Biden administration’s cybersecurity EO and urge their teammates to do the same. Afterward, this leader can explain the training’s message to others who missed the event.
At a more macroscopic level, an agency’s leaders prioritize the way their talent pursues their mission. The people with leadership abilities should remember they can help steer their agency’s cybersecurity posture toward goals outlined in directives like EOs.
4. Think enterprisewide.
Speaking of the macroscopic, many organizations do not consider cybersecurity a business risk that endangers their entire enterprise. At these places, organizational leaders may treat cybersecurity as an IT issue, leaving other teams out of the loop about this pivotal topic.
Agency leaders and managers can avoid this shortcoming by erasing the silos that exist among their teams. Not only does this improve communication and information-sharing about threat intelligence, as the recent cybersecurity EO recommends, it reminds everyone that they are in the same boat.
Positivity is another essential element. Federal, state or local, every agency’s leaders hold sway over a workforce’s morale. Praising successes, encouraging progress and avoiding negativity can all keep an agency’s talent optimistic about their enterprisewide cybersecurity.
IT Personnel
5. Show others the ropes.
Tools such as encryption and MFA may be commonplace across the private sector, but that does not mean these capabilities are equally widespread across the public sector.
How can agencies change this? One idea is more collaboration between IT personnel and their peers. By instructing their coworkers about how to use tools like encryption, IT personnel can ensure these security practices become entrenched agencywide.
This attitude could align agencies with the recent cybersecurity EO’s technological details. Ultimately, EO mandates such as MFA cannot become second nature if no one understands how to use them.
6. Remember no one is safe.
Recall the new cybersecurity EO’s emphasis on zero trust cybersecurity. One of zero trust cybersecurity’s foundational tenets is that security incidents are inevitable. For government IT personnel, internalizing this principle can drastically improve the quality of their work.
Let us start with preparedness. By assuming cyberattacks are a given, no agency’s IT talent will ever stop looking for them. This quality does not mean government IT teams expect failure; rather, it means they are always trying their best to prevent it.
Next, ponder responding to and remediating cybersecurity incidents. IT employees who expect successful attacks against their agencies also know how to respond while they are happening and how to recover from the fallout.
Procurement Officials
7. Bake security into the process.
The Biden administration’s recent EO covers everything from software supply chain security to cloud adoption. Procurement is one avenue any agency hoping to meet the EO’s standards can use to do so more quickly and easily.
Think about secure cloud adoption. By demanding that cloud vendors abide by FedRAMP’s security requirements, procurement officers can ensure their agency aligns with the EO. The same thinking can mold contracts related to the EO’s other details, like zero trust cybersecurity architectures.
The agencies that consider how the products and services they acquire will follow the EO’s guidelines will have a head start on living the document’s full intent every day.
8. Shop around.
Return to the national system for ranking software security that the Biden administration’s EO will create. Once fully realized, this system will become a detailed roadmap for evaluating, rating and purchasing secure software.
When this apparatus becomes operational, procurement personnel should make referencing its rankings second nature. Until then, there are several ways procurement teams can improve their agency’s security during contracting. Evaluating how well products and services comply with all applicable global, federal, state and local cybersecurity regulations is a sound first step.
Another idea is avoiding long contracts that lock agencies into partnerships with vendors that do not meet their needs.
Industry Perspective
Securing Your Agency’s Future With Zero Trust Security
An interview with David Pipes, Senior Solutions Architect, Affigent
The recent cybersecurity executive order (EO) has a clear message – zero trust security is coming soon. Starting with federal agencies, the public sector is now racing toward this new security strategy.
But implementing zero trust security can be long, difficult and costly without forethought. How can agencies avoid getting bogged down by their zero trust security journeys?
The answer is carefully considering how automation, effort, investments and processes fit zero trust security. Without this roadmap, agencies may struggle to adopt zero trust security efficiently and affordably.
“The idea of going all out for a full solution is one only extremely knowledgeable and well-funded organizations can consider today,” said David Pipes, Senior Solutions Architect at Affigent, an IT solutions provider.
Pipes detailed three steps agencies must take before zero trust security becomes second nature:
1. Learn the basics
Before agencies can embrace zero trust security, their employees must grasp how it works. After all, much of the zero-trust mindset marks a radical departure from traditional security.
For instance, traditional security had perimeters around agencies’ IT networks to keep threats out. In contrast, zero trust security assumes cybersecurity breaches are inevitable because threats can emerge either inside or outside such perimeters. To prevent as many incidents as possible, zero trust security continuously monitors data, networks and systems in real time for threats.
“My advice at this point is to let your staff learn about zero trust and perhaps try some small implementations,” Pipes said.
2. Leverage productization
Productization is the process of developing or changing workflows, ideas, skills and services so they can be marketed and sold to buyers. In terms of zero trust security, productization can help agencies leverage products and services for their unique concerns, rather than creating their own solutions and workflows from scratch.
Take an agency that handles classified data. By obtaining zero trust security products for this information, it can save energy, time and budget dollars its workers might have spent addressing the same need.
“Primarily, it helps by reducing the cost and complexity of implementation,” Pipes said of productization.
3. Avoid vendor lock-in
Vendor lock-in happens when switching solution providers for capabilities like zero trust becomes so cost-prohibitive agencies cannot do so easily. Pipes recommended that agencies avoid this pitfall by exercising caution until zero trust security tools are standardized.
“Don’t get swept up by early adopter product hype,” Pipes said. “Custom implementations are expensive and hobbled by the lack of standards.”
Affigent can assist agencies with adopting zero trust security by offering the tools that make the most sense for their workforces. These tools automate parts of zero trust security, like continuous monitoring, so they happen with little to no human input. Ultimately, this helps agencies reap the best returns from zero trust security based on their specific efforts, investments and processes.
Conclusion
The past two years have witnessed a troubling rise in the frequency and severity of cyberattacks. No matter where these security incidents occur, even the smallest one jeopardizes national normalcy. The Biden administration’s cybersecurity EO suggests Americans are stronger together than apart when it comes to cybersecurity. Although cybersecurity is a constant concern, the EO equips the United States to weather this storm by bringing the public and private sectors closer together on topics such as threat intelligence.
Beginning with the federal government, the EO modernizes cybersecurity in ways that will strengthen state and local agencies, too. From there, this document unites the public, private and constituent sectors against global cyberthreats. Although nothing is certain with cybersecurity, the EO dramatically improves America’s cybersecurity odds.
About GovLoop
GovLoop’s mission is to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 300,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to the public sector.
For more information about this report, please reach out to info@govloop.com.
govloop.com | @govloop
Thank You
Thank you to Dell Technologies and its partners: Affigent, Future Tech Enterprise, Insight, ITsavvy, Red River, Sterling, Technology Integration Group, ThunderCat, and Wildflower for their support of this valuable resource for public sector professionals.
Author
Mark Hensch, Senior Staff Writer
Designers
Nicole Cox, Junior Graphic Designer
1152 15th St. NW Suite 800 Washington, DC 20005 P: (202) 407-7421 | F: (202) 407-7501 www.govloop.com @GovLoop