Unpacking the President’s Cybersecurity Executive Order

How the EO Impacts You and Your Agency


Table of Contents

Executive Summary

At a Glance: Government Cybersecurity Nationwide

The Zero Trust Security Capabilities Your Agency Needs

3 First Steps Towards Adopting Zero Trust

The Cybersecurity Executive Order: Your Questions Answered

What the EO Means for People: Cybersecurity and Workforce Details

3 Reasons to Leverage LiFi at Your Agency

What the EO Means for Processes: Cybersecurity and Workflow Details

How to Create a Zero Trust Security Culture

What the EO Means for Data: Cybersecurity and Information Details

3 Ways to Continuously Progress on Security

What the EO Means for the Cloud: Cybersecurity and the Cloud Details

How to Innovate in Cybersecurity (or Anything Else)

What the EO Means for Zero Trust Cybersecurity: Cybersecurity and Zero Trust Security Posture Details

Simplifying Your Agency’s Cybersecurity in 3 Steps

How CISA is Leading the Way on the Cybersecurity EO

How to Mature Your Agency’s Cybersecurity

How the EO Could Mature State and Local Cybersecurity

How to Climb Your Agency’s Cybersecurity Mountain

EO-Ready Best Practices for Cybersecurity

Securing Your Agency’s Future With Zero Trust Security

Conclusion

A GovLoop Guide


Executive Summary

Like no time before, cybersecurity is a national problem demanding a national response. In 2021 alone, America has suffered massive disruptions to some of its gas pipelines, meatpacking plants and more.

Now, constituents nationwide wonder which part of their lives may be disrupted next. Private-sector companies are worried about cyberthreats interrupting their business. Perhaps worst of all, agencies at every level are unsure they can protect sensitive data and serve the public effectively. Across the United States, the time is ripe for a cybersecurity transformation.

Enter America’s most sweeping cybersecurity policy yet. In May 2021, President Joe Biden issued an executive order (EO) aimed at strengthening every part of national cybersecurity. Federal agencies will lead the charge, changing their people, processes and technology in ways that their state and local peers will likely replicate.

Although rank-and-file employees may not feel the impact of these changes immediately or have a direct role in carrying out all the EO’s requirements, there are trickle-down effects. No matter your role or your agency’s mission, the EO pushes for stronger individual and collective cybersecurity overall.

For instance, federal employees will strive to share more information about cybersecurity risks, threat intelligence and mitigation with their public- and private-sector peers. Federal agencies will also try to improve their processes for detecting, preventing, responding to and logging cybersecurity incidents. Lastly, these agencies will modernize their operational and informational technology using tools such as cloud computing, data encryption and zero trust cybersecurity. Collectively, these actions can make any agency more resilient against cyberthreats.

If your agency needs help unpacking the EO and what it means, this guide can help. The best practices, statistics and thought leader interviews we share can quickly align your agency with Biden’s cybersecurity EO. This resource will:

• Explore the latest anecdotes, data, developments and quotes to understand government cybersecurity nationwide

• Analyze the EO’s impact on five key areas: the cloud, data, people, processes and zero trust cybersecurity

• Share insights from major federal, state and local thought leaders that can improve your agency’s cybersecurity

• Provide tips for making your agency’s mission closely fit the cybersecurity EO

The old way of practicing cybersecurity is not working, so agencies should rapidly modernize their cyberdefenses. Here is how the new EO brings government cybersecurity into the future.


At a Glance: Government Cybersecurity Nationwide

7 Cybersecurity Terms to Know

The following terms are vital to understanding today’s public-sector cybersecurity landscape.

1. Advanced persistent threats (APTs): APTs are cyberthreats that allow bad actors to gain unauthorized access to computer networks and then avoid detection for long periods of time using stealth. While typically linked to nation-states, APTs can be any cybercriminals who conduct large-scale intrusions. APTs can cause serious economic, political and national security damage, making them one of today’s biggest cyberthreats.

2. Endpoints: Endpoints are the various devices — such as laptops and mobile phones — that can connect to IT networks. As the number of endpoints increases, cybersecurity becomes more difficult for agencies. Endpoint cybersecurity will only grow more important as remote work’s popularity explodes.

3. Malware: Malware refers to any malicious software that is created for purposely harming computers, networks and IT. Any software that unintentionally damages these technologies is usually called a bug, glitch or vulnerability. Malware also comes in many forms, ranging from computer viruses to ransomware.

4. Phishing: Phishing involves attackers sending fake messages that trick victims into revealing sensitive information or installing malware on their computers. In recent years, cybercriminals have phished using everything from email to social media. Although common, phishing works because it victimizes people by using realistic deceptions.

5. Ransomware: Ransomware threatens to block access to or leak a victim’s sensitive data unless a ransom is paid. Increasingly prevalent, this malware can also upend agencies’ operations. Experts often caution against paying ransomware ransoms, as this money can fund additional cybercrime.

6. Social engineering: Social engineering occurs when cybercriminals psychologically manipulate people into performing actions such as revealing confidential information. At agencies, social engineering can interrupt operations, damage public trust or cost money. Social engineering can come from any hostile source inside or outside an agency.

7. Zero trust: Zero trust is a cybersecurity model designed to automatically distrust every device, user or other entity on an IT network. These entities can access agencies’ resources only after having their identities verified. Zero trust cybersecurity thus covers everything inside and outside a network’s perimeter; this philosophy also helps agencies continuously monitor their IT systems and assets.


Federal Cybersecurity Spending

The Biden administration’s federal budget for fiscal 2022 contained many items suggesting cybersecurity may become a bigger national priority going forward.

$9.8 billion

the projected amount of funding for securing federal civilian networks, protecting national infrastructure and supporting information-sharing efforts. The money would also fund related standards and best practices between the federal government, critical infrastructure partners and American businesses in fiscal 2022.

Source: The White House

$750 million

the projected amount of funding for agencies affected by recent significant cybersecurity incidents to address exigent gaps in their security capabilities in fiscal 2022.

Source: The White House

Federal IT Spending

IT spending relates to cybersecurity as it illustrates the scope of the networks that agencies might have to defend.

$97.1 billion

the projected amount of total federal IT spending in fiscal 2022, up from $92.9 billion in fiscal 2021.

Source: Federal IT Dashboard

$25.6 billion

the projected amount of the above total that will go toward major IT investments, vs $71.5 billion that will go toward minor IT investments.

Source: Federal IT Dashboard




Industry Perspective

The Zero Trust Security Capabilities Your Agency Needs

An interview with Cameron Chehreh, Chief Technology Officer and Vice President, Presales Engineering, Dell Technologies

As good as it sounds, zero trust security will be too big a lift if agencies rely on manual processes.

The federal government’s latest cybersecurity executive order (EO) pushes agencies to adopt this strategy, which requires them to apply security controls every time users or devices attempt to access resources, not just at network perimeters. But how can agencies from the top down wield zero trust security without being weighed down by manual workflows?

One potential answer is by provisioning and managing IT infrastructure through software — an approach known as infrastructure as code (IaC).

“We firmly believe that infrastructure as code is the most powerful thing you can leverage to get a zero trust reality in today’s world,” said Cameron Chehreh, Chief Technology Officer and Vice President, Presales Engineering at Dell Technologies, a computer hardware and software provider.

Chehreh shared three zero trust security capabilities that IaC can unlock for agencies:

1. Analytical visibility

Analytics involves systematically studying data and statistics with computers. Without this, agencies may remain in the dark about their security. Subsequently, visualizing their security analytics can help agencies properly understand and address the risks facing their sensitive assets.

For example, analytics can help agencies see where cyberattacks are happening so their employees can monitor potential threats in those areas more closely.

“We can make better-informed decisions about how to protect our data and applications,” Chehreh said.

2. Automated security

Automation happens when machines perform simple, manual tasks with little to no human input. When security basics like patching software are automated, the result is budgetary and labor savings for agencies. Freed from such routines, public-sector employees can pursue more complicated — and fulfilling — tasks for their agencies. The outcome is a win for everyone involved.

“Automation is critical for staying ahead of the adversary,” Chehreh said.

3. Orchestration

Why is automation so powerful? Ultimately, the reason is orchestration. Orchestration automates computer system and software configuration, coordination and management, making it crucial for applying zero trust security principles quickly and easily.

Take least-privilege access, a zero-trust security tenet that states that people need only the bare minimum of assets to accomplish their jobs. Through orchestration, agencies can rapidly apply this strategy agencywide.

“Orchestration allows you to make these kinds of decisions so you can do the most with the finite resources you have,” Chehreh said.

Effortlessly applying traits such as analytical visibility, automation and orchestration to zero trust security may seem impossible, but IaC can make the intangible tangible. Using IaC platforms like the one Dell Technologies provides, agencies can accomplish all their zero trust security goals in one place.

“I can use a simple suite of tools for my entire zero trust security posture,” Chehreh said.


The Technology Modernization Fund

The Technology Modernization Fund (TMF) is a pool of funding loaned in installments to federal agencies for technology modernization projects like cybersecurity initiatives.

$1 billion

the funds Congress provided to the TMF for modernization efforts — including cybersecurity — as part of the American Rescue Plan. Signed into law on March 11, 2021, the $1.9 trillion bill aims to stimulate the economy in response to the COVID-19 pandemic.

Source: General Services Administration (GSA)

4

the number of top priority categories available for potential TMF proposals. In May 2021, cybersecurity was listed alongside modernizing high-priority systems, public-facing digital services, and cross-government services and infrastructure as top priority proposal categories.

Source: GSA

State Government Cybersecurity

State agencies often have more budget dollars and employees than their local peers, but fewer of these resources than their federal equivalents.

No. 1

the ranking state chief information officers (CIOs) assigned to cybersecurity and risk management when asked to rate their top 10 priorities for 2021.

Source: National Association of State Chief Information Officers (NASCIO)

8

the number of consecutive years state CIOs ranked cybersecurity and risk management first among their top 10 priorities as of January 2021.

Source: NASCIO


StateRAMP

StateRAMP is a nonprofit organization that certifies cloud solutions that meet basic cybersecurity standards for holding state and local data. The group is modeled after the Federal Risk and Authorization Management Program (FedRAMP), which determines if cloud solutions meet certain security requirements for storing federal data.

January 2021

StateRAMP launched after being conceived in February 2020.

Source: StateRAMP

April 2021

StateRAMP membership officially opened to state and local government officials and cloud providers.

Source: StateRAMP

State Cybersecurity and IT Modernization Rankings

The Internet Association’s (IA) State, Local, Tribal, and Territorial Information Technology Advancing Reform Achievements (SITARA) scorecard rates states’ cybersecurity preparedness and IT modernization strategies.

0

states achieved “exceptional” or “excellent” ratings for either their cybersecurity preparedness or IT modernization plans in 2020. The SITARA scorecard’s other rankings are “very good,” “good,” “baseline,” “getting started” and “needs help.”

Source: IA

3

states scored “very good” on their cybersecurity preparedness and IT modernization plans in 2020: California, Florida and Minnesota.

Source: IA




Industry Perspective

3 First Steps Toward Adopting Zero Trust

An interview with Michael Phetteplace, Director of Cybersecurity, Sterling

The Biden administration’s recent executive order (EO) on cybersecurity has put zero trust security at the top of the agenda.

By directing federal agencies to develop plans for adopting zero trust security for network architectures, the EO makes a strong case for why state and local agencies should follow suit.

“Zero trust security is about eliminating our bad habit of allowing implicit trust in our systems,” said Michael Phetteplace, Director of Cybersecurity at Sterling, an IT solutions provider. “In the past, everyone took for granted that perimeters were secure and wouldn’t be breached. Now, everyone needs to understand that breaches are inevitable and plan accordingly.”

Phetteplace shared three important steps that can help agencies start implementing the directive to adopt zero trust security:

1. Adopt multi-factor authentication

Multifactor authentication (MFA) improves the security of the user verification and login process. The traditional username and password combination is augmented with additional factors that are not as easily compromised, such as hardware or software tokens, SMS passcodes or fingerprints. Once verified, users can access resources like data or networks.

“Multifactor authentication has become a fundamental security requirement,” Phetteplace said. “It is the first line of defense against credential compromise.”

Using MFA, agencies can increase the likelihood that their users are who they say they are. After all, it is harder for cybercriminals to obtain multiple evidence factors.

2. Segment networks

Network segmentation is another cornerstone of zero trust security. Using network segmentation, agencies can improve IT systems’ overall security by dividing them into sections based on security needs.

“Agencies need to take a fresh look at their environments,” Phetteplace said. “Assets that don’t need to communicate with one another shouldn’t be granted the ability to do so.”

Network segmentation can also keep cybersecurity incidents from paralyzing agencies. Take data breaches. During security incidents, network segmentation can keep cybercriminals from venturing deeper into agencies’ data.

3. Encrypt data

Data encryption is the act of converting information into a format that, ideally, only authorized parties can decipher. Government employees protect sensitive information, such as Social Security numbers, about the public they serve so data encryption can help prevent painful cybersecurity incidents.

“If attackers get access to data, it is of little use to them if it is properly encrypted,” Phetteplace said. “Also, have we secured encryption keys and mechanisms properly? We need to ensure we don’t provide bad actors the capability to decrypt our data.”

Companies like Sterling can give agencies the building blocks they need to implement zero trust security agencywide – whether it is from users to networks to data centers or to the cloud. In addition, Sterling provides solutions that automate cybersecurity processes for agencies using artificial intelligence (AI) and machine learning, gathering and processing threat intelligence from multiple sources at machine speed.

Over time, the more that agencies embrace the EO’s message, the more public-sector employees can focus on scoring mission wins.


The Cybersecurity Executive Order: Your Questions Answered

Securing technology is not only crucial for governments – it is equally imperative for the private sector and the public. Cybersecurity is now a concern that affects every aspect of our lives.

Currently, the United States faces a continuously evolving landscape of persistent and increasingly sophisticated threats. Lone cybercriminals can cause as much damage as hostile nations. The resulting minefield has too many hazards for agencies to defuse all at once.

But the Biden administration’s EO could mark a turning point in government cybersecurity. In years past, agencies from the top down would often make incremental cybersecurity improvements at best. Going forward, federal agencies may instead make significant investments based on the EO. Gradually, these upgrades could inspire similar moves at state and local agencies.

Ultimately, Biden’s EO could transform how the public sector’s people, processes and technology strengthen cybersecurity. With people, the emphasis will be on information-sharing, risk management and threat intelligence. For processes, tomorrow’s strategies will gravitate toward capabilities such as cybersecurity response and recovery. And with technology, agencies will likely use tools such as the cloud more often.

The five breakdowns below dissect the cybersecurity EO’s main components. Each section answers four questions to gauge the impact on federal, state and local agencies.


What the EO Means for People

Cybersecurity and Workforce Details

Cybersecurity is a team sport, and the best defense occurs when the players all share information with one another. For instance, America’s cybersecurity depends on constituents, government employees and private-sector workers cooperating. Without this unity, the United States is vulnerable to any cyberthreat.

The EO strives to connect communities across all walks of life. Though the focus is on federal employees, the EO may eventually reach businesses, state and local agencies and their respective customers too. The goal is an America where the public and private sectors actively trade knowledge about cybersecurity risks, threat intelligence and mitigation.

1. Who will help agencies after future cyberattacks?

The EO marks the debut of the Cyber Safety Review Board. Much like the National Transportation Safety Board analyzes airplane crashes and other transit mishaps, the Cyber Safety Review Board will investigate cybersecurity incidents after they occur. After each examination, the board will recommend potential improvements to national cybersecurity. Over time, the group hopes to enhance the nation’s cyberdefenses by learning from past mistakes.

How will the board work? The answer is pairing federal and private-sector co-chairs. The Homeland Security Department secretary will convene the Board after significant incidents. Federal representatives will include civilian, military and intelligence agencies. The secretary will also select representatives from private-sector cybersecurity and software suppliers. This diversity ensures the board’s suggestions accurately reflect the national identity.

2. How will the EO change how agencies buy software?

For too long, agencies have relied on software that reached the market with serious vulnerabilities. Fixing these flaws is expensive and time-consuming, and many products present agencies with hidden security risks. Using these weaknesses, cybercriminals can penetrate both public- and private-sector IT networks.

The new cybersecurity EO takes several steps to correct this problem. First, it establishes baseline security standards – such as making security data publicly available – for developing federal software. Second, the EO creates a public-private process for developing innovative approaches to secure software development. Lastly, it launches a pilot program to label software that was developed securely. The program’s “Energy Star” labels will assist agencies, businesses and the public with quickly gauging which software best meets their cybersecurity needs.

3. How will the EO alter public-private partnerships?

When it comes to threat intelligence, many barriers exist between public- and private-sector workforces. After cyberattacks, many IT providers are reluctant to reveal embarrassing details about their security practices; these companies may also have contractual obligations with their clients that prevent them from disclosing details about a cybersecurity incident.




Industry Perspective

3 Reasons to Leverage LiFi at Your Agency

An interview with Fernando DeLosReyes, Solutions Architect Manager, Wildflower International

Sometimes, too many people want the same thing.

Take WiFi. For years, agencies have relied on this wireless networking technology – which uses radio waves – to exchange data between digital devices. But now, the radio frequency (RF) spectrum is getting crowded. And although new parts of the RF spectrum, such as the 6 GHz spectrum, are becoming available, every day more devices connect to the network and add to the congestion. For agencies, the result can be slower and less reliable communications. Even worse, the data involved in these communications faces more risk from security threats like signal jamming.

Enter LiFi. LiFi is a wireless technology that uses cones of light to exchange data rather than radio waves. With LiFi, agencies can communicate not only faster and more consistently, but more securely, too.

“There is a limit to the RF spectrum,” said Fernando DeLosReyes, Solutions Architect Manager at Wildflower International, an IT solutions provider. “LiFi can reduce the RF footprint.”

DeLosReyes discussed three benefits that adopting LiFi can provide to agencies:

1. Lighten workloads

WiFi requires antennas, access points and receivers to operate, so installing access points can become difficult and time-consuming for agencies. For instance, establishing WiFi in a tactical environment involving tents for a military unit may take many labor hours and running networking cables.

Additionally, mounting, securing and managing these WiFi networks can become more complicated as the number of access points grows.

LiFi can reduce most of this clutter. Typically, LiFi installations require only one cable for both the technology’s light and networking capabilities. As a result, agencies spend less energy, money and time establishing LiFi than they would WiFi.

“Setting LiFi up is incredibly easy,” DeLosReyes said. “We can go anywhere in the world and use this technology.”

2. Reduce interference

Radio waves are vulnerable to interference from common devices such as baby monitors, cell phones and microwaves. Furthermore, WiFi is often unreliable in areas like airports and hospitals because of RF congestion.

LiFi avoids these pitfalls because fewer devices rely on light waves. Even better, LiFi’s lighting not only boasts the potential for higher connectivity than WiFi’s radio waves, but provides higher security, too. That’s because cones of light are easier to contain in enclosed spaces than radio waves.

3. Strengthen security

Speaking of security, LiFi is free of many of the potential vulnerabilities plaguing WiFi. For instance, data transfers involving WiFi are easier to detect and interfere with than their LiFi counterparts. All agencies handle sensitive citizen data, so this reality can cause major security problems for their workforces.

“Security is paramount to agencies’ security and our national security,” DeLosReyes said. “LiFi has emerged as a very compelling wireless technology.”

Ultimately, LiFi solutions like those Wildflower provides can help agencies see their data exchange and security in a new light.

“We’re bringing what is coming around the corner to our customers,” DeLosReyes said.


The cybersecurity EO strives to remove many of these obstacles. It eliminates many of the contractual restraints that businesses currently have when reporting incident and threat intelligence to agencies such as the FBI that investigate and remediate cybersecurity problems. The EO additionally requires IT providers to share details about breaches that could affect government networks. Together, these actions streamline the communication among everyone involved in national cybersecurity.

4. What does the EO mean for state and local agencies?

The EO could give state and local agencies more cybersecurity resources. Take the Cyber Safety Review Board. After noteworthy attacks, the board could make state and local agencies safer from cyberthreats.

A nationwide labeling system could also make state and local agencies more informed about the security of the software products and services they purchase. By procuring higher-rated tools, agencies of every stripe may reduce or even avoid painful cybersecurity experiences.

Potentially, the EO’s largest benefit is connecting the private sector and state and local agencies. Private-sector insights could help state and local agencies find, stop and recover from potential threats. For instance, companies could notify state and local governments when they have suffered a breach that may harm their constituents and employees.

What the EO Means for Processes

Cybersecurity and Workflow Details

Agencies should not overlook the benefits of modernizing their cybersecurity processes. Take automation, which can perform simple, manual tasks with little to no human input. Automating tasks like patching software vulnerabilities reduces workloads for government employees while performing some of their responsibilities faster. At their best, quality workflows like these can make agencies more capable of serving the public and earning mission wins.

Take the advantages healthy cybersecurity processes offer agencies’ workforces. Internally, these workflows can make employees more prepared for cybersecurity incidents. When disaster strikes, these workers have processes that are faster, more flexible and more collaborative. As a result teams are not only more capable of handling cyberattacks, they are more resilient too.

Robust cybersecurity processes can also benefit the public. Once implemented, clear workflows can provide more accountability and transparency about cybersecurity to constituents.

1. Is there a standard response for cyberattacks?

Agencies cannot wait until their technology is compromised to decide how their workforces will respond. Recently, countless cyberattacks have demonstrated that cybersecurity maturity varies wildly across every category of agency.

The cybersecurity EO will help overcome these pitfalls by creating a standard playbook for responding to cybersecurity incidents. This playbook will provide agencies with a common set of cybersecurity terms. The document also recommends concrete steps agencies should take when identifying and stopping cybersecurity threats. The playbook will declare which National Institute of Standards and Technology (NIST) cybersecurity standards agencies must follow. Once all the federal agencies are on the same page about cybersecurity, the hope is that other agencies and the private sector follow suit.

2. How does the EO change how agencies log cybersecurity events?

The information from network and system logs can assist agencies with investigating and remediating cybersecurity incidents. But some agencies do not properly log this information, making it more difficult to detect intrusions, mitigate ongoing breaches and determine the damage from an attack. Without these insights, agencies may not know the security of the data they are storing on premises or with third-party vendors like cloud providers.

To tackle this challenge, the cybersecurity EO will set requirements for logging and protecting incident details. These policies will cover everything from how long to retain logs to how to safekeep the information they contain. Eventually, the EO’s policies will ensure that security teams have centralized access and visibility into every cybersecurity incident log at their agencies.

3. How should agencies approach cybersecurity next?

Contact sports need rules, and cybersecurity is no exception. To that end, Biden’s EO will outline the federal government’s Endpoint Detection and Response (EDR) initiative. Like other EDR strategies, the federal version will continually monitor endpoint data to find and stop the cyberthreats menacing these devices.

EDR programs strive to make organizations proactive, rather than reactive, about cybersecurity. The goal is to construct processes for active cyberthreat hunting, containment, remediation and incident response at federal agencies.

4. How will the EO touch state and local cybersecurity processes?

Frequently, starting from scratch is the hardest part of establishing routines. Fortunately, the EO explains how federal agencies will set the standard that state and local agencies can use for their own cybersecurity processes.

Consider the federal playbook for engaging with cybersecurity events. By giving state and local agencies an example to emulate, the playbook reduces the amount of time they might spend drafting their own documents. State and local agencies typically have smaller budgets and workforces than their federal counterparts, so any advantage counts when dealing with cyberthreats.

The same principle applies to other cybersecurity processes such as event-logging and EDR guidelines. By standardizing the tactics federal agencies use, the EO may prompt similar activities at state and local agencies.




Industry Perspective

How to Create a Zero Trust Security Culture

An interview with Justin Robinson, Chief Technology Officer of Cyber and Analytics, ThunderCat Technology

Government cybersecurity is like dieting. Public-sector employees know that protecting their agency’s data and other assets is healthy but making strong cyber hygiene stick agencywide is easier said than done.

After all, many agencies could improve how their teams collaborate on cybersecurity. More importantly, these agencies could phase out perimeter-based security. Too often, threats have emerged from both inside and outside agencies’ perimeters, proving that this is not the optimal approach.

Enter zero trust security. Unlike perimeter-based security, zero trust automatically assumes that every entity on agencies’ networks is untrustworthy. By continuously monitoring risks in this way, agencies can cultivate a thriving security culture.

“Zero trust is not a tool or product,” said Justin Robinson, Chief Technology Officer (CTO) at Cyber and Analytics at ThunderCat Technology, an IT solutions provider. “It is something that has to be inherent in day-to-day IT operations.”

Robinson listed three steps agencies can take to make zero trust security habitual within their workforces:

1. Take stock of current security tools

Different agencies have different needs and different security stacks. Security stacks contain all the tools in an agency’s security inventory, so accurately understanding these toolsets is crucial for zero trust security.

“Every organization has gaps based on their maturity level,” Robinson said of security stack assessments.

Once an agency understands its stacks, employees can add features like continuous monitoring that anchor zero trust security. Continuous monitoring constantly evaluates agencies’ resources for potential security risks in real time.

2. Start small

Robinson also cautioned agencies against immediately implementing zero trust security agencywide. Instead, he urges them to apply zero trust principles to narrow parts of their operations.

“Don’t roll out new applications or services and give them authority to operate without first running them through a zero-trust exercise,” Robinson said.

For instance, least-privilege access is the idea that employees should receive only the minimum amount of access to the resources their roles require. To try zero trust security, an agency could practice least-privilege access with one application rather than the entire organization.

3. Boost teamwork

For too long, many network and security teams have worked alone while defending their agencies’ security. To succeed, zero trust security needs to upend this model.

“Zero trust security requires a culture within the organization where the collaboration is open,” Robinson said.

Beyond people and processes, zero trust security additionally demands that agencies change their technology. Fortunately, IT solutions like those ThunderCat Technology provides can give agencies capabilities like real-time situational awareness that altering their workforces and workflows cannot. With guidance from ThunderCat Technology, agencies can create zero trust security architectures that optimize the capabilities they have while plugging their gaps.

“It’s not about starting with your entire environment, every application you’re running, the network and workloads,” Robinson said. “You can start to move towards zero trust instead of boiling the entire ocean.”



What the EO Means for Data

Cybersecurity and Information Details

Agencies must walk a delicate tightrope when handling data. On the one hand, data contains sensitive information like health care details that constituents expect agencies to keep private. On the other hand, securing this data cannot be so complicated that it slows down government employees.

The reality is that cybercriminals make balancing both concerns hard for agencies. Data attracts cybercriminals, as they can often profit off personally identifiable information (PII) such as Social Security numbers quickly and easily. Nation-states are even more concerning: The data hostile governments steal can hurt U.S. national security.

The federal government hopes to soothe these fears by mixing modern tools with fresh perspectives on handling data. Implemented correctly, Biden’s cybersecurity EO can assist agencies with guarding one of their most precious resources.

1. How will agencies need to protect their data differently?

Biden’s cybersecurity EO mandates that all federal agencies embrace encryption for their resting and in-transit data. In the past, unencrypted data facilitated many cyberattacks, so this rule could erase this option for cybercriminals. With the federal government leading by example, scores of state and local agencies may also adopt encryption soon, if they have not already.

Agencies should make accessing their data as hard as possible, and encryption helps them do exactly that. Encryption translates data into another form that can be unlocked only with a decryption key such as a password. Because encrypted data can be deciphered only with the right tools, only the correct people can typically access this information.

2. How will government employees need to handle data differently?

Much like encryption, multifactor authentication (MFA) can make a difference with data security. MFA grants users access to resources such as data only after they have presented two or more pieces of evidence verifying their identities.

These identity factors include something only the individual has (a key), something only the individual knows (their address) or something unique to the individual (their fingerprint).

The EO stipulates that all federal agencies must deploy MFA. From the top down, this cybersecurity tool can assist agencies with preventing unauthorized access to their data and other assets.

3. How will agencies need to rethink their data practices?

Biden’s EO demands that federal civilian executive branch (FCEB) agencies understand their high-value data assets. Rather than treat all their data the same, the EO tasks these agencies with evaluating which types of unclassified data they have and how sensitive each type is.

These evaluations will help FCEB agencies identify which unclassified data types are the most sensitive, and which varieties are under the greatest threat from cybercriminals. More importantly, these analyses will decide the most appropriate processing and storage solutions for each FCEB agency’s information.

Although the EO’s details about unclassified data apply only to FCEB agencies, this data security philosophy can benefit any agency.

4. How can the EO assist state and local agencies with data security?

The best federal data security practices can also pay off for state and local agencies. Although the latest cybersecurity EO does not require state and local governments to implement its data security policies, those that do will benefit.

Look at encryption. Encryption is a simple step any agency can take to make its data harder for cybercriminals to exploit. MFA, meanwhile, can put guardrails between sensitive information and the people who are not supposed to interact with it. Additionally, determining how sensitive their data is — and what risks it faces — can make cybersecurity easier for any government.




Industry Perspective

3 Ways to Continuously Progress on Security

An interview with Tad Northcott, Plan Executive, Navy and Marine Corps; Dave Deppisch, Market Leader, Navy, Marine Corps, Air Force and the Defense Information Systems Agency; and Glenn Jensen, Software Account Executive, Insight Public Sector

When it comes to security, agencies are used to doing more with less. Not only can budget constraints limit options, but priorities can shift and talent can grow scarce. No matter the obstacle, even one roadblock can impede meaningful security advancements.

But what happens when today’s cyberthreats evolve and agencies cannot keep up? Too often, the result is a costly and humiliating security incident. To prevent this, agencies need the ability to continuously refine their security capabilities and defenses.

“The bad guys never stop,” said Glenn Jensen, Software Account Executive at Insight Public Sector, a business-to-business and IT solutions provider. “Cybersecurity requires us to continually progress and improve.”

The Insight Public Sector team shared three steps agencies can take to keep their security ready for anything:

1. Assess security capabilities

Agencies frequently do not know the state of their security personnel, processes and tools. By having a trusted vendor assess their capabilities, agencies can pursue goals that elevate their overall security agencywide.

“You can evaluate your current state and then move up the stairs to the state you want to get to,” said Dave Deppisch, Market Leader, Navy, Marine Corps, Air Force and the Defense Information Systems Agency (DISA).

For instance, a vendor assessment can tell agencies how prepared their operations are for zero trust security. Zero trust security involves distrusting all computing entities, so agencies may need to ready their devices, users and other assets before adopting such a dramatic shift in security strategies.

2. Leverage continuous monitoring

Continuous monitoring is a vital component of zero trust security because it detects changes to agencies’ IT environments in real time. Whether it is an emerging threat, vulnerability or compliance issue, continuous monitoring makes sure agencies are always informed about their security landscapes.

“Annually, lots of agencies scramble to prepare for cybersecurity inspections,” said Tad Northcott, Plan Executive, Navy and Marine Corps. “With continuous monitoring, they’d know where they are before an annual review.”

3. Add multifactor authentication

Multifactor authentication (MFA) is another tool that agencies are increasingly leaning on for their security needs. When users approach agencies’ sensitive data and other assets, MFA asks them for at least two pieces of proof to confirm their identities, such as a birthplace, fingerprint or something else.

All agencies have unique goals, but IT providers like Insight can assist them by identifying their potential security gaps. Insight can then provide agencies with specific tools — such as continuous monitoring and MFA solutions — that can meet their mission demands.

“What agencies have told us is that they want to leverage private-sector best practices,” Jensen said. “Our goal is to help them meet that need.”



What the EO Means for the Cloud

Cybersecurity and the Cloud Details

Presently, cutting-edge cybersecurity often features IT modernization because maintaining and securing legacy IT can prove costly, difficult and risky.

Yet that does not mean every agency has adopted cloud computing. The cloud decentralizes IT infrastructure to deliver computer resources such as data storage on-demand. Although this format gives agencies unparalleled flexibility and scalability, cloud migrations can take more effort than agencies initially realize.

Recognizing this, Biden’s EO prods agencies to use the cloud while acknowledging some may do so partially or not at all. While the EO hopes to accelerate public-sector cloud use, it also covers securing computer systems on premises, in the cloud or a hybrid of both models.

1. Will all agencies have to use the cloud?

According to the cybersecurity EO, different agencies are at different stages of cloud implementation. Consequently, the document’s various cybersecurity details can apply to on-premises, cloud-based or hybrid IT.

But the EO is also clear that the federal government wants to speed up its overall cloud adoption. The EO not only calls for faster federal cloud migrations, it even lists three potential models for agencies.

First up are Software-as-a-Service (SaaS) clouds, which license centrally hosted software on a subscription basis. Infrastructure-as-a-Service (IaaS) clouds decentralize IT infrastructure, while Platform-as-a-Service (PaaS) clouds do the same for computing platforms hosting agencies’ desired applications.

Regardless of the cloud model involved, the EO reveals that the federal government sees the technology in its agencies’ futures.

2. How will future cloud adoptions work for agencies?

Since 2011, the Federal Risk and Authorization Management Program (FedRAMP) has authorized which cloud products and services can host federal data. By leveraging FedRAMP’s cloud security standards, the Biden administration made the program one of its cybersecurity EO’s biggest stars.

No. 1 among the EO’s FedRAMP priorities is leveraging a governmentwide strategy for federal cloud security. This strategy will try to ensure that agencies broadly understand the risks from cloud-based services and how to effectively address them.

A technical reference documenting secure cloud architecture is another goal. Once released, this resource will illustrate recommended approaches to cloud migration and collecting, protecting and reporting on data for agencies.

Lastly, the order tasks FedRAMP with identifying the cloud services and protections available to agencies based on incident severity. This framework will also list the data and processing activities associated with these services and protections.

Together, these steps ensure that agencies can adopt cloud quickly, securely and intelligently with FedRAMP’s expertise.



3. How might the EO’s cloud details transform federal agencies’ work?

The better people understand the cloud, the better the technology will benefit them. Due to the cloud’s rising prominence within the federal government, the new cybersecurity EO takes steps to inform agencies’ employees about FedRAMP.

Chief among the cybersecurity EO’s FedRAMP education opportunities is a new federal training program. Once established, this initiative will ensure that federal employees are trained and equipped to manage FedRAMP authorization requests. This learning opportunity will also include training materials and on-demand videos that inform federal workers about FedRAMP’s role in securing cloud products and services.

Someday, introducing FedRAMP tutorials to the federal talent pool could prompt state and local agencies to craft their own versions.

4. How could the EO morph state and local cloud security?

Where federal agencies go, state and local agencies will likely follow. The cloud is no different, and many state and local governments may copy their federal companions once they realize the technology’s benefits. Similarly, the way federal agencies secure their cloud products and services may become equally successful for state and local workforces.

Beyond simply adopting cloud, state and local agencies may also crave access to federal data. But to host this desirable commodity, state and local cloud environments may have to comply with FedRAMP’s security benchmarks. Ultimately, the state and local agencies that do not follow FedRAMP’s standards may miss powerful federal insights.



Industry Perspective

How to Innovate in Cybersecurity (or Anything Else)

5 Tips for Agile Operations Provided by Technology Integration Group

Nowadays, it is no secret the public sector needs more cybersecurity innovation. From the top level down, agencies nationwide are endlessly defending their resources from cyberthreats — and cyberthreats are constantly reinventing themselves, so agencies must keep up.

Yet innovation is difficult without resilience. Resilience is the ability to respond to, recover from and continuously function during disruptions; without resilience, agencies may find innovation hard to reach.

Thankfully, agencies can rapidly acquire both attributes by imitating the private sector. Take Technology Integration Group (TIG), an IT solutions provider. TIG’s “Start Right” philosophy is a business methodology that can make agencies more innovative and resilient.

Here are five ways agencies can become resilient innovators, according to TIG:

1. Engage with challenges

Before agencies innovate, they must clearly understand their business needs. First, they must decide how and what innovations may elevate their credibility and work. Next, these agencies must determine which of their existing capabilities already contribute toward the potential innovations. Finally, these agencies should craft proposals that capture each innovation’s impact.

Take data encryption, which converts data into a form that, ideally, only authorized parties can decipher. Agencies handle sensitive data about citizens, so protecting this information is vital for preserving public trust. Agencies without data encryption can start applying it by determining which information is most critical and may need encryption first.

2. Conduct analyses agencywide

Innovation also requires gathering as much information as possible about potential next steps. Understanding their current operations, architecture life cycles and frameworks can not only assist agencies with refining their business needs but help them model their future routines.

For instance, look at data storage. Currently, many agencies have legacy IT that they cannot easily restore after cyberattacks. However, using cloud computing, agencies can store backup copies of their data and become more resilient.

3. Build blueprints

All innovations, including the cybersecurity variety, need roadmaps. For the best results, agencies should measure how innovations might transform their operations. By predicting the potential benefits and financial impact of any changes, agencies can craft the best possible solutions for their workforces.

4. Make the case

Innovators must articulate how the changes they are proposing can take root at agencies and what investments they need to enact them. Without these details, agencies may lack lasting innovation and resilience.

5. Implement effectively

To optimize the benefits they reap from innovations, agencies must first determine the best way to implement them. Ideally, implementations unfold using roadmaps tailored to produce the maximum number of advantages from the solutions involved.

Innovation may seem difficult on paper, but partners like TIG can demonstrate what consistent, simple innovation looks like. Over time, innovative agencies have the agility to stay resilient when cyberthreats come calling.



What the EO Means for Zero Trust Cybersecurity

Cybersecurity and Zero Trust Security Posture Details

Biden’s cybersecurity EO may pinpoint the moment zero trust cybersecurity becomes a public-sector routine. The EO’s stipulation that federal agencies construct zero-trust cybersecurity architectures hints that state and local agencies will probably follow suit.

This posture nonetheless requires a radical shift in security thinking for every type of agency. Unlike traditional cybersecurity, this philosophy acknowledges that cyberthreats can emerge either inside or outside a network’s perimeters. To deal with this paradigm, zero trust cybersecurity demands that agencies continuously monitor their entire IT ecosystems for danger in real time. Most importantly, this mindset assumes that every entity — whether it is a device, a user or something else — is untrustworthy until its identity has been verified.

1. How could zero trust cybersecurity change employees’ routines?

Zero trust cybersecurity erases automatic trust in computing entities. Whether these elements are applications, devices, services, users or other options, nothing immediately receives the keys to an agency’s kingdom.

This mindset may seem unusual to government employees who are not familiar with least-privilege access. Least-privilege access permits access to only the bare minimum of the resources someone’s job requires. Zero trust cybersecurity can thus prevent anyone from overstepping their bounds and causing security incidents.

For any government, this mentality hinges on the idea that no one – from the highest executive to the newest intern — is instantly capable of engaging with the organization’s assets.

2. How can zero trust upgrade how agencies perform cybersecurity?

Zero trust ends the notion that cybersecurity inside or outside a network’s perimeters can remain static in an endlessly changing threat environment. Amid this chaos, the best approach is dynamic cybersecurity that can go with the flow when it comes to new pitfalls.

What makes zero trust cybersecurity so dynamic? Continuously monitored data that comes from multiple sources in real time. Zero trust cybersecurity involves constant scans of every piece of agencies’ IT infrastructure to ensure that no strange activity slips past undetected.

Zero trust cybersecurity can be rigorous work, so agencies should consider automation a part of their implementation process. This frees humans for more complicated work by reducing their initial workloads.

3. Why does zero trust cybersecurity work if practiced properly?

For decades, organizations assumed walling off their networks would be enough to halt potential cyberattacks. While useful, this approach didn’t account for cyberthreats that could bypass network perimeters or come from inside organizations themselves.

Zero trust cybersecurity views breaches as inevitable, so it restricts computing entities from touching resources they do not need when possible. Gradually, this format allows agencies to contain the damage from a compromise. This approach also establishes normal security patterns, forcing suspicious behavior to bubble up so agencies can block it sooner.

Zero trust cybersecurity can answer who, what, where, when, why and how agencies’ computing capabilities are being used.

4. Why should state and local agencies follow federal agencies’ lead on zero trust cybersecurity?

State and local agencies often have fewer cyber defenses at their disposal than federal agencies. Many state and local agencies must do more with less on cybersecurity because of their smaller budgets and workforces.

Used correctly, zero trust cybersecurity can make many of these hurdles disappear. With the right training, any employee can practice zero trust cybersecurity effectively. Its status as a state of mind also makes practicing it often cheaper than buying more cyber defenses.




Industry Perspective

Simplifying Your Agency’s Cybersecurity in 3 Steps

An interview with Fred Hoffmann, Chief Information Officer, Future Tech Enterprise, Inc.

The longer that agencies have depended on their legacy technology, the harder it is for them to leave these tools behind. The reason is simple: the more time that agencies invest in legacy technology, the more energy and money they spend on it, too.

But legacy technology is gradually making public-sector cybersecurity more challenging. Like walls that have weathered away, legacy technology is increasingly leaving agencies exposed to cyberthreats.

“When organizations have older versions of software and databases and are relying on legacy solutions, the level of vulnerabilities is far more extensive,” said Fred Hoffmann, Chief Information Officer (CIO) at Future Tech Enterprise, Inc., an IT solutions provider.

Hoffmann shared three moves agencies can make to help their people, processes and tools leave legacy technology in the past.

1. Act agencywide

When it comes to cybersecurity, Hoffmann recommended that agencies start by making the topic a constant concern agencywide.

“Cybersecurity is not just an IT issue,” he said. “It is a legal, human resources and risk management issue.”

Take cybersecurity training. By consistently training employees on cybersecurity agencywide, agencies can show workers how to apply modern IT like cloud computing to their unique roles.

2. Scrap silos

Agencywide cybersecurity is important for another reason – eliminating silos among teams. Not only are siloed agencies less prepared for cyberthreats, but these agencies may also struggle with modernizing technology quickly, affordably and efficiently.

“When organizations do not have a comprehensive view of their IT infrastructure, or make decisions in silos, we see trouble,” Hoffmann said.

So, how can agencies reduce their cybersecurity silos? One option is making IT infrastructure evaluation and upgrade management comprehensive and holistic.

“This is the best way to minimize risk, optimize the value of your IT investments and facilitate any technology changes across an organization,” Hoffmann said.

3. Adopt artificial intelligence

Cloud computing’s decentralized infrastructure allows agencies to leverage computing resources like data storage on demand. As such, modernizing IT often involves cloud adoption because of the technology’s flexibility.

But securing clouds can prove difficult when agencies construct environments using on-premise IT, off-premise IT or a hybrid of both. Take cloud-based data. The different IT systems involved with this information can make protecting it difficult.

Enter artificial intelligence (AI). AI mimics human cognitive abilities such as reasoning, so it can lend agencies’ employees a hand with cybersecurity issues like defending cloud-based resources.

“Optimizing cloud security starts with heavy and targeted investments in the latest AI-powered solutions, which are designed to provide rapid detection and response to threats,” Hoffmann said.

Providers like FTEI can help agencies map out agencywide modernization journeys involving cutting-edge tools like AI.

“We always strive to be the easiest and most flexible partner for agencies to work with,” Hoffmann said.



How CISA is Leading the Way on the Cybersecurity EO

Because cybersecurity is a team sport, the Cybersecurity and Infrastructure Security Agency (CISA) may be America’s coach. CISA is a federal agency responsible for elevating government cybersecurity nationwide. Whether the threat is a cybercriminal or a hostile nation, CISA helps protect its federal, state and local partners by improving cybersecurity coordination and defenses.

Naturally, Biden’s recent cybersecurity EO closely fits CISA’s mission. From sharing threat intelligence to practicing zero trust cybersecurity, the EO outlines several key strategies CISA urges agencies to follow going forward.

GovLoop discussed CISA’s role in implementing the new cybersecurity EO with Deputy Executive Assistant Director for Cybersecurity Matt Hartman.

This interview has been lightly edited for brevity and clarity.

GOVLOOP: How is U.S. cybersecurity doing?

HARTMAN: In terms of where we’re doing well, the first thing that comes to mind is that we are making our adversaries work harder by more consistently and more thoroughly doing debasement, particularly in the federal space. It is things like implementing MFA, encrypting data and rapidly patching vulnerable systems.

The challenge is that while we continue to improve our defenses, shore up our cyber hygiene and take advantage of some low-hanging fruit as a federal enterprise, our adversaries are becoming increasingly sophisticated and brazen. To get where we need to be in terms of cybersecurity, our country needs sustained investments in both cybersecurity and IT modernization over many, many, many years.

Recent events have again highlighted the truth that no one security control, vendor or solution can prevent an attack from a nation-state adversary. It is going to take multiple layers of defense and security measures to protect an organization. And even with all that in place, it is going to continue to represent a great challenge to keep sophisticated adversaries from gaining access to networks that represent strategic interest to them, which is why one of the first principles of zero trust cybersecurity is to assume breach.

This is the reason the EO sets out these tangible actions to raise the bar on the federal government’s ability to detect and respond to cybersecurity incidents. The shared end goal is to ensure that our critical infrastructure – which keeps our global community working through thick and thin – is a hard target for those who seek to disrupt it. And when that critical infrastructure is disrupted, we are collectively able to limit the impact to the functions that we as Americans rely on every day.

What cybersecurity best practices do you recommend for aligning with the EO?

On the federal front, recent cyberthreat campaigns continue to highlight that our federal networks are on the frontlines of cyberattacks against our nation. This reality makes it essential that we think of the federal government more as an enterprise. As part of this enterprise mentality, we can better manage our collective risk. There is a need for greater visibility, increased shared services and more cost-effective capabilities.

For state and local governments, recent events have forced us as an entire U.S. government to focus a tremendous amount of effort on combating the recent rise in ransomware attacks. To that end – and to minimize the risk of ransomware and all cyberattacks – CISA recommends following three cybersecurity best practices.

One, report your incident to CISA and law enforcement. We are here to help, and if you call one of us, you call all of us.

Two, ensure your business operations can remain operable in the event of a large-scale IT disruption. It is not only important to have business continuity and incident response plans in place, it is imperative to test your plans regularly.

Third, remember that almost all intrusions stem from weaknesses in internet-facing systems. If you can do one thing, assess your posture and fix these external-facing vulnerabilities.

How would you like to see the public and private sectors share threat intelligence based on the EO?

The private sector is increasingly uniquely positioned to domestically identify key threats and vulnerabilities to our federal infrastructure and our nation’s infrastructure. One of our primary roles at CISA – and the one we take most seriously – is to serve as the hub for public-private information-sharing in a cybersecurity incident report. In this past year’s National Defense Authorization Act, CISA was provided the authority and resources to stand up a joint cybersecurity planning office to lead the development of and to coordinate the execution of a whole-of-government – and whole-of-nation – cyber defense plan. It is integrating the capabilities of the U.S. government, the private sector and our state, local, tribal, territorial and international partners with the sole focus of defensive cybersecurity planning. It is going to be extremely beneficial in enhancing our ability to quickly develop a common operating picture and provide rapid assistance to both federal and non-federal organizations that have or may have been targeted by adversaries.



Industry Perspective

How to Mature Your Agency’s Cybersecurity

An interview with Kevin Steeprow, Senior Vice President, Engineering, Red River

Recently, most of the public sector has realized that their cybersecurity practices have some growing up to do.

The COVID-19 pandemic prompted more governments to work remotely than before, but many found that they were not equipped to defend networks extending beyond their office walls. Thankfully, there is an answer for agencies.

Cybersecurity maturity measures how ready and able agencies are to address their risks. During crises like viral pandemics, cybersecurity maturity can help agencies avoid painful disruptions.

But maturing agencies’ cybersecurity is easier said than done. To reach maturity, today’s agencies must assess how their cybersecurity risks affect their people, processes and technology.

“Everyone knows what the end state is,” Kevin Steeprow, Senior Vice President, Engineering at Red River, a software provider, said about cybersecurity maturity. “Unfortunately, there is no silver bullet or magic wand to get them there.”

Steeprow suggested three steps that agencies can take to increase their cybersecurity maturity:

1. Take stock

Cybersecurity touches scores of agencies’ resources. Whether it is data, networks, users or something else, agencies at every level have lots of ground to cover.

The truth is that understanding all these concerns can be challenging. To chart a clear path, Steeprow recommended that agencies initially assess how their cybersecurity is performing agencywide.

“It is about what you have and what is most critical for you,” he said. “You don’t take on the elephant in one fell swoop.”

Security assessments can measure things like how many software vulnerabilities agencies have, and these discoveries can help agencies gradually strengthen their cybersecurity.

2. Start SOCs

Security operations centers (SOCs) are centralized units that handle organizational and technical issues. For cybersecurity, SOCs typically analyze, monitor and defend valuables like data.

“If you have a good SOC or a good partner providing SOC services, it can give you a proactive and preventive look at what’s going on,” Steeprow said.

By protecting cybersecurity in one place, SOCs can remove many of the silos that sometimes separate agencies’ teams.

3. Embrace zero trust security

Zero trust security dictates that agencies should never automatically trust the users, devices and other computing entities on their networks. Ultimately, making zero trust security second nature at agencies lets them continuously monitor for – and then mitigate – potential cybersecurity threats.

“It is understanding what information you have and who has access to it,” Steeprow said. “Just because you’ve passed that original boundary doesn’t mean you get the keys to the kingdom.”

Cybersecurity maturity requires daily improvements. The good news is that providers like Red River provide expertise about topics including security assessments, SOCs and zero trust security to help agencies constantly raise the bar on their cybersecurity maturity and accomplish their unique goals.

“We want to help you be a Swiss Army knife,” Steeprow said. “Let’s find the right tool for the right job.”


How the EO Could Mature State and Local Cybersecurity

[Photos: Doug Robinson, Meredith Ward]

Often, the federal government can seem like an older sibling to state and local governments. The average federal agency has a larger budget and staff than most state and local agencies; federal organizations are also more likely to steer state and local agencies down the trails they blaze.

Cybersecurity is no different, and the recent EO on this topic covers many moves federal agencies are familiar with. Although the EO does not force any state or local governments to follow suit, they may want to mirror many of the document’s minutiae.

GovLoop spoke with NASCIO Executive Director Doug Robinson and Director of Policy & Research Meredith Ward about how Biden’s cybersecurity EO could make the public sector’s overall cybersecurity more mature.

The interview below has been lightly edited for brevity and clarity.

GOVLOOP: Where are state and local agencies struggling with cybersecurity?

ROBINSON: Generally, the states are not organized to succeed around cybersecurity. By that I mean they don’t have the requisite capabilities and disciplines in their organization to succeed in cybersecurity. They don’t have enterprise governance that’s strong. Their investments are not commensurate to the risk. That is more problematic at the local government level.

I think that cybersecurity is a significant business risk. I think that’s part of the gap we have today, the fact that across the board – from elected to appointed officials, particularly elected officials – cybersecurity is not embraced, cybersecurity is not well understood. They still want to think of this as an IT issue. “That’s the CIO’s problem – that’s an IT issue.” But it’s a business issue. We’ve now seen that come full bore.

I look at this as a business problem that needs to be articulated without this constant fear. This is life in the digital age, and we need to become more mature in how we address it. That’s the whole core of the EO, a whole set of directed actions that makes the federal government mature and modern. State and local agencies are dealing with the same thing.


What effect might the EO have on state and local cybersecurity?

WARD: State and local governments take a lot of direction from the federal government. What I think the EO can do is provide a model for state and local governments without having a mandate. I think it can help state and local governments with their own best practices. It’s always good to take an inventory of what they’re doing on a day-to-day basis and how that might improve.

Why is sharing threat intelligence important for agencies at every level?

WARD: As we get more connected as a society, it’s almost like our borders are getting thinner and thinner. To protect our federal, state and local government, it’s critical that everyone take an interest in cybersecurity.

There is currently no requirement in most states for the private sector to report any incidents they might have. But if there’s an attack on a private-sector company or institute, it could likely affect state and local networks, higher education and things like that, too.

This goes to the concept we call “all of state.” Everyone in a state has a role to play in cybersecurity. It is state governments, local governments, the private sector, higher education, etc.

ROBINSON: We’ve heard for years that actionable intelligence-sharing is an area that needs lots of improvement. There has got to be more collaboration and less just throwing stuff downstream to state and local agencies. Frankly, there are lots of times they do not know what to do with information because there’s so much latency built in, or because there’s a high degree of concern about something like classified information. What happens is that by the time Arizona’s chief information security officer gets the information, for example, it is not useful to them. It has got to be more than simple information-sharing – it has got to be broad collaboration. It is a whole-of-government discussion.

What is the main takeaway from the EO for state and local agencies?

ROBINSON: I think the main thing is that the EO is very comprehensive. It provides a good roadmap for state and local leaders to look at and say, “What can we do?” The EO reinforces what state and local governments need to do to become more mature and modern. You must understand the risks and make sure you fund them.

WARD: Every government in our country understands that cybersecurity is a huge concern, and everyone has a role to play. The more everyone plays their roles, the better off we are going to be.




Industry Perspective

How to Climb Your Agency’s Cybersecurity Mountain

An interview with Katie Hanahan, Vice President, Cybersecurity, ITsavvy

In the public sector, overthinking cybersecurity is almost as bad as not considering it enough. For many agencies, cybersecurity is like standing at the foot of a mountain without any idea how to scale it. But the only way over a peak is one step at a time, and the same is true for cybersecurity. For agencies unsure about how to approach it, the answer is basic cyber hygiene.

Cyber hygiene covers the steps that computer users can take to protect their organization’s online security and system health. By mastering fundamental cyber hygiene, agencies can enable their employees to defend resources like data.

“The mission is not insurmountable, but it can feel that way sometimes,” Katie Hanahan, Vice President, Cybersecurity at ITsavvy, an IT solutions provider, said of cyber hygiene.

Hanahan shared three ways that agencies can elevate their cybersecurity by refining their cyber hygiene:

1. Transform training

Too often, agencies treat cybersecurity training as check-the-box training. When it comes to cybersecurity, however, the more practice workers have, the better. For example, agencies can conduct agencywide lessons quarterly rather than annually.

“We have to make sure we are doing this training with every level of employee,” Hanahan said.

Take email security. Hanahan recommended that agencies instruct everyone from leaders to HR employees about why suspicious email attachments should be avoided. The reason? Some suspicious email attachments may download malicious software onto agencies’ networks.

2. Avoid alert fatigue

Alert fatigue is when the number of cybersecurity alerts exhausts the people addressing them. At agencies, alert fatigue can overwhelm cybersecurity teams that may already have small budgets or workforces.

Fortunately, agencies can reduce alert fatigue using security operation centers (SOCs). SOCs are centralized units that deal with security issues like cybersecurity on organizational and technical levels. After partnering with an external SOC or starting their own, agencies can shift some cybersecurity burdens away from their staff.

“The benefit is that you’re outsourcing this piece to someone else so that the IT people you have in your organization can focus on the work at hand,” Hanahan said.

3. Test cyberdefenses

The best armor is battle-tested often, and cyberdefenses are no exception. To avoid painful cybersecurity incidents, agencies can perform tests that detect security gaps without any lasting damage. Take penetration tests, which evaluate IT security by letting researchers safely expose vulnerabilities. Another option is simulated cyberattacks, which let agencies practice how they might respond to real security incidents.

Although cybersecurity might seem daunting, providers like ITsavvy can give agencies the security assessments, assistance and training they need for mission wins.

“We have the right ecosystem of partnerships to help them achieve their goals,” Hanahan said of ITsavvy. “We can get through this and do this together.”


EO-Ready Best Practices for Cybersecurity

The Biden administration’s EO on cybersecurity may become a before-and-after moment in the history of government cybersecurity.

That does not mean the EO will not matter to everyday Americans. Across every layer of the nation’s public sector, government employees can make a difference in cybersecurity that does not just benefit their agencies. Someday their cybersecurity contributions may aid the private sector and constituents, too.

The main takeaway governments should have from the new EO is that all their employees can play their part in safeguarding national cybersecurity. Whether an entry-level hire or an agency leader, no role is too small to lend a hand.

Here are eight ways – two for each category of government employee discussed here – to bolster U.S. cybersecurity from coast to coast. These tips are inspired by the federal, state and local thought leaders in this guide.

Rank-and-File Personnel

1. Embody skepticism.

With cybersecurity, every government employee can approach their work with more caution. No one wants to make their agency a cyberattack statistic, but the truth is even small security missteps can become big incidents.

As a result, all government workers should be wary of potential cybersecurity traps such as suspicious emails. Another place for constant vigilance is possible technology vulnerabilities. Whether these potential flaws reside in applications, IT networks or elsewhere, spotting them early can avoid costly security incidents.

Ultimately, any employee can contribute toward better cybersecurity by avoiding suspicious links, email attachments and other possible pitfalls.

2. Stay informed.

Cybersecurity never stops morphing. Government employees who want to stay informed about this critical topic should consider every training available to them. Even basic lessons about topics the EO covers – like cloud security – can prevent painful experiences.

Although such cybersecurity education is useful, not every government employee has the energy, money or time for classes. One alternative is following cybersecurity news such as relevant EOs when the opportunity presents itself. Another solution is getting the gist of subjects like the latest cybersecurity EO from trusted coworkers. Ultimately, even novice cybersecurity knowledge is better than nothing at all.


Agency Management and Leadership

3. Promote cybersecurity learning.

Knowledge is power, but no cybersecurity insights can reach government workforces that remain unaware of them. Consequently, those in leadership positions should encourage cybersecurity learning options whenever possible.

Picture the supervisor of a close-knit team at an agency. Leading by example, this individual could enroll in cybersecurity training related to acts like the Biden administration’s cybersecurity EO and urge their teammates to do the same. Afterward, this leader can explain the training’s message to others who missed the event.

At a more macroscopic level, an agency’s leaders prioritize the way their talent pursues their mission. The people with leadership abilities should remember they can help steer their agency’s cybersecurity posture toward goals outlined in directives like EOs.

4. Think enterprisewide.

Speaking of the macroscopic, many organizations do not consider cybersecurity a business risk that endangers their entire enterprise. At these places, organizational leaders may treat cybersecurity as an IT issue, leaving other teams out of the loop about this pivotal topic.

Agency leaders and managers can avoid this shortcoming by erasing the silos that exist among their teams. Not only does this improve communication and information-sharing about threat intelligence, as the recent cybersecurity EO recommends, it reminds everyone that they are in the same boat.

Positivity is another essential element. Federal, state or local, every agency’s leaders hold sway over a workforce’s morale. Praising successes, encouraging progress and avoiding negativity can all keep an agency’s talent optimistic about their enterprisewide cybersecurity.


IT Personnel

5. Show others the ropes.

Tools such as encryption and MFA may be commonplace across the private sector, but that does not mean these capabilities are equally widespread across the public sector.

How can agencies change this? One idea is more collaboration between IT personnel and their peers. By instructing their coworkers about how to use tools like encryption, IT personnel can ensure these security practices become entrenched agencywide.

This attitude could align agencies with the recent cybersecurity EO’s technological details. Ultimately, EO mandates such as MFA cannot become second nature if no one understands how to use them.

6. Remember no one is safe.

Recall the new cybersecurity EO’s emphasis on zero trust cybersecurity. One of zero trust cybersecurity’s foundational tenets is that security incidents are inevitable. For government IT personnel, internalizing this principle can drastically improve the quality of their work.

Let us start with preparedness. By assuming cyberattacks are a given, no agency’s IT talent will ever stop looking for them. This quality does not mean government IT teams expect failure; rather, it means they are always trying their best to prevent it.

Next, ponder responding to and remediating cybersecurity incidents. IT employees who expect successful attacks against their agencies also know how to respond while they are happening and how to recover from the fallout.


Procurement Officials

7. Bake security into the process.

The Biden administration’s recent EO covers everything from software supply chain security to cloud adoption. Procurement is one avenue any agency hoping to meet the EO’s standards can use to do so more quickly and easily.

Think about secure cloud adoption. By demanding that cloud vendors abide by FedRAMP’s security requirements, procurement officers can ensure their agency aligns with the EO. The same thinking can mold contracts related to the EO’s other details, like zero trust cybersecurity architectures.

The agencies that consider how the products and services they acquire will follow the EO’s guidelines will have a head start on living the document’s full intent every day.

8. Shop around.

Return to the national system for ranking software security that the Biden administration’s EO will create. Once fully realized, this system will become a detailed roadmap for evaluating, rating and purchasing secure software.

When this apparatus becomes operational, procurement personnel should make referencing its rankings second nature. Until then, there are several ways procurement teams can improve their agency’s security during contracting. Evaluating how well products and services comply with all applicable global, federal, state and local cybersecurity regulations is a sound first step.

Another idea is avoiding long contracts that lock agencies into partnerships with vendors that do not meet their needs.


Industry Perspective

Securing Your Agency’s Future With Zero Trust Security

An interview with David Pipes, Senior Solutions Architect, Affigent

The recent cybersecurity executive order (EO) has a clear message – zero trust security is coming soon. Starting with federal agencies, the public sector is now racing toward this new security strategy.

But implementing zero trust security can be long, difficult and costly without forethought. How can agencies avoid getting bogged down by their zero trust security journeys?

The answer is carefully considering how automation, effort, investments and processes fit zero trust security. Without this roadmap, agencies may struggle to adopt zero trust security efficiently and affordably.

“The idea of going all out for a full solution is one only extremely knowledgeable and well-funded organizations can consider today,” said David Pipes, Senior Solutions Architect at Affigent, an IT solutions provider.

Pipes detailed three steps agencies must take before zero trust security becomes second nature:

1. Learn the basics

Before agencies can embrace zero trust security, their employees must grasp how it works. After all, much of the zero-trust mindset marks a radical departure from traditional security.

For instance, traditional security had perimeters around agencies’ IT networks to keep threats out. In contrast, zero trust security assumes cybersecurity breaches are inevitable because threats can emerge either inside or outside such perimeters. To prevent as many incidents as possible, zero trust security continuously monitors data, networks and systems in real time for threats.

2. Leverage productization

Productization is the process of developing or changing workflows, ideas, skills and services so they can be marketed and sold to buyers. In terms of zero trust security, productization can help agencies leverage products and services for their unique concerns, rather than creating their own solutions and workflows from scratch.

Take an agency that handles classified data. By obtaining zero trust security products for this information, it can save energy, time and budget dollars its workers might have spent addressing the same need.

“Primarily, it helps by reducing the cost and complexity of implementation,” Pipes said of productization.

3. Avoid vendor lock-in

Vendor lock-in happens when switching solution providers for capabilities like zero trust becomes so cost-prohibitive agencies cannot do so easily. Pipes recommended that agencies avoid this pitfall by exercising caution until zero trust security tools are standardized.

“Don’t get swept up by early adopter product hype,” Pipes said. “Custom implementations are expensive and hobbled by the lack of standards.”

Affigent can assist agencies with adopting zero trust security by offering the tools that make the most sense for their workforces. These tools automate parts of zero trust security, like continuous monitoring, so they happen with little to no human input. Ultimately, this helps agencies reap the best returns from zero trust security based on their specific efforts, investments and processes.

“My advice at this point is to let your staff learn about zero trust and perhaps try some small implementations,” Pipes said.


Conclusion

The past two years have witnessed a troubling rise in the frequency and severity of cyberattacks. No matter where these security incidents occur, even the smallest one jeopardizes national normalcy. The Biden administration’s cybersecurity EO suggests Americans are stronger together than apart when it comes to cybersecurity. Although cybersecurity is a constant concern, the EO equips the United States to weather this storm by bringing the public and private sectors closer together on topics such as threat intelligence.

Beginning with the federal government, the EO modernizes cybersecurity in ways that will strengthen state and local agencies, too. From there, this document unites the public, private and constituent sectors against global cyberthreats. Although nothing is certain with cybersecurity, the EO dramatically improves America’s cybersecurity odds.

About GovLoop

GovLoop’s mission is to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 300,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to the public sector.

For more information about this report, please reach out to info@govloop.com.

govloop.com | @govloop

Thank You

Thank you to Dell Technologies and its partners: Affigent, Future Tech Enterprise, Insight, ITsavvy, Red River, Sterling, Technology Integration Group, ThunderCat, and Wildflower for their support of this valuable resource for public sector professionals.

Author

Mark Hensch, Senior Staff Writer

Designers

Nicole Cox, Junior Graphic Designer


1152 15th St. NW Suite 800 Washington, DC 20005 P: (202) 407-7421 | F: (202) 407-7501 www.govloop.com @GovLoop
