Four Cybersecurity Policies Transforming Government
These directives begin impacting agencies this year.
As a result of recent federal legislative and administrative activity, government agencies are expected to launch significant modernizations of their cybersecurity systems, get offensive with hackers and take a more strategic approach to risk. Combined, these policy directives promise to transform our government into a robust digital society, gaining greater resiliency to cyber threats by leveraging opportunities while reinforcing standards and procedures.
Here’s a breakdown of the key components of the four policies:
The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (EO 13800) requires agencies to follow the NIST Cybersecurity Framework (CSF). Among its most significant directives, the order makes agency heads accountable for managing risk to their enterprises and strongly suggests that agency heads favor shared IT cybersecurity services. Agencies should rigorously identify, catalog and prioritize cyber risk, approaching it more strategically and tactically. Doing so will establish an enterprise view of mission and business processes and information security, and ensure the traceability and transparency of risk-based decisions. It will ultimately provide a continuous improvement process—key to the order’s success.
Furthermore, it calls for the improved cyber defense of critical infrastructure, which is “at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security or national security.” This could prove impactful in the long term if critical infrastructure operators are held accountable for applying the appropriate controls and safeguards to their assets and transparently communicating the risks to the enterprise. As a result, the administration could gain greater visibility into the risks and risk management practices of the owners and operators of the nation’s critical infrastructure systems, enabling a better informed, more nimble, more secure nation.
Two policies focus on modernization: Required by EO 13800, the administration’s Federal IT Modernization Report, among other directives, calls for federal agencies to upgrade and increase the security and efficiencies of their most critical IT systems over the next year; transition from network-level defense to cloud and shared services models; and adopt more flexible, interoperable cybersecurity methods. It also includes a requirement that NIST examine quantum computing and the impact it can have upon the capability of, and ultimately trust in, public key encryption.
In addition, the Modernizing Government Technology Act of 2017 (MGTA) will help agencies retire, replace and modernize outdated IT systems and is backed by a $500 million central modernization fund that agencies can borrow against to update legacy systems. It also creates working capital funds to which agencies can allocate savings created by first-round modernization projects for use in future endeavors. To best take advantage of the funding opportunity, chief information officers and chief information security officers should ensure mission-critical systems meet MGTA requirements of investing in modern technology solutions, improving service delivery to the public, securing sensitive systems and data, and saving taxpayer dollars. In addition, officials need to transition from resource-intensive, compliance-focused strategies to risk-based, continuous monitoring strategies to achieve operational resilience.
MGTA will support cloud migration, shared services and the reinforcement of cyber defenses and data protection. A variety of factors—e.g., resource prioritization, ability to procure services quickly and technical issues—have impeded modernization efforts within agencies. To overcome these issues, agencies should consider agile approaches to ensure iterative updates to policies and procedures and eliminate barriers to various capability adoptions and cloud migration efforts. This should result in improved shared resources and cloud collaboration tools that can boost efficiencies while reducing costs.
The administration’s National Security Strategy asserts that the United States will deter, defend, and when necessary, defeat malicious actors targeting the nation. This strategy shifts the U.S. defensive cyber stance to a more aggressive, proactive position, requiring the Defense Department to detect, understand, investigate and disrupt any hostile actions and pursue and prosecute malicious state and non-state actors. The country will defend against evolving cyber threats, respond effectively to incidents and ensure networks, data and systems are protected and resilient. Therefore, investments in cutting-edge analytics and the cyber workforce will need to grow.
As the capabilities of U.S. cyber adversaries continue to advance, so too must U.S. defenses evolve with enough agility to counter them and address the root causes of vulnerabilities. A potential solution requires hiring and retaining the smartest and best-trained cyber professionals. However, federal budget constraints pose additional challenges, creating bottlenecks in cyber talent acquisition and ultimately cybersecurity innovation. Given the turbulent cyber environment, federal leaders must support adequate funding for cyber defense-related advancements, as agency officials still have to prioritize mission-essential systems regardless of funding limitations.
Collectively, these policies bring the promise of a government that will work more efficiently and effectively against an increasingly sophisticated cyber foe despite funding-related challenges. Agencies will be better positioned to successfully manage risk, while taking greater advantage of cloud resources and shared services. In addition, they’ll be empowered to deploy more proactive, offensive tactics against hackers.
It is clear that adversaries’ tactics are constantly evolving. So too must federal agencies develop strategies to anticipate risks and implement defensive measures to minimize any negative consequences, if not prevent them entirely. With these policies, the government now has enough authority and flexibility to do that.
Seli Agbolosu-Amison, PhD, is a cybersecurity data scientist for NetCentrics Corporation.