
Supply-Chain Risk Management Program Is Aiding North Dakota’s Cybersecurity

The effort is part of a whole-of-government approach to increase the state’s cyber posture.

The state of North Dakota detects about 4 billion cyber-related attacks a year on its systems and networks. “We get hit with a lot of different attacks,” explained Michael Gregg, North Dakota’s chief information security officer (CISO). “Many of these attacks are what I would call ‘spray and pray,’ which means it may not be directed at us. It is just the attacker throwing it out and seeing who they can hit. But we’re also targeted directly. A portion of that is phishing, or it can be credential-related or denial-of-service ransomware, the whole gamut of attacks.”

As such, protecting the state’s digital infrastructure has required a whole-of-government approach, including strengthening its security operations center, or SOC, reducing the size of its attack surface by consolidating disparate networks, and leaning heavily on artificial intelligence, machine learning and automation for cyber defense. To stop vulnerabilities before they impact the state, the CISO also has implemented a robust third-party risk management program.

“When I came in, about three years ago, we had literally thousands of incidents that were backlogged,” Gregg offered. “My first real task was in what I would call responsive mode, to respond to the incidents, get the number of incidents down, and build up what we needed as far as on our SOC side. But as soon as that was done, I wanted to add more protection and get upstream from these types of issues, which means we needed to be looking at things before they come in the door. And to do that, we needed a third-party risk management program where we could get ahead of the risk.”

Having had experience defending networks on a global scale while previously working in Asia, the CISO put in place automated cyber defenses that address the bulk of attacks. However, out of those 4 billion attacks, the SOC must still directly handle about 50,000 incidents per year.

What helps their efforts significantly is the mandatory reporting that the North Dakota state legislature put in place under House Bill 1314, making it a requirement for agencies and entities to report any cyber attacks to the CISO. “If there’s an attack, we want to know,” Gregg said. “And honestly, the sooner we know, the more value we can bring and the more we can help that entity because we’re able to then respond very quickly.”

To be more proactive, given the level of nefarious cyber activity, the state’s third-party supply chain risk management program addresses the cyber vulnerabilities in the goods and services that the state of North Dakota purchases from its vendors. The supply chain effort is part of the state’s whole-of-government approach to cybersecurity, Gregg emphasized.

Naturally, the comprehensive approach relied on appropriations from the state’s lawmakers. “Part of that challenge is funding,” he said. “We were able to get funding from the House and the Senate and support the chief information officer and the governor [Doug Burgum]. The way I approached it was with the same analogy of thinking of a flood. [I told them] we needed to do upstream mitigation. We needed to build the levees and the dikes. We needed to get upstream of the problem and be able to address it there. And they were kind enough to go along with us on this journey and give us the funding, and beginning last year, we built out a third-party risk management program.”

For the program, the CISO partnered with the Office of Management and Budget and its agency procurement office to rank the larger corporate acquisition projects by their level of cyber risk—low, medium or high. “Obviously, for some items you might buy, you don’t need to do a risk assessment,” Gregg explained. “But what we did want to do was if it was a big project, if it was something that impacted security in some way, we were able to evaluate it by looking at their security compliance and other factors to make sure that it was a good choice for the state before we [proceeded] to get into a risky situation.”

Another way the supply chain risk management program tackled reducing cyber risks was to examine the total number of vendors that served the state. “Because when you can reduce down the number of vendors, then you have a bigger voice with the ones that remain,” he stated. “I would say we changed those relationships from being just transactional to being a partner with a vendor. What we have looked for is to develop partnerships with these individuals where we can look for longer-term solutions and not just transactional solutions.”

That construct has also allowed the CISO’s office to be able to help smaller vendors, especially those who have not been through a supply chain risk process or cybersecurity effort before. “It seems to be a little bit of a challenge for them to do it the first time, and we have to have a little bit of extra guidance and help and support for those individuals to get through it. And we want to support everyone with this.”

In addition, the CISO’s office partnered with StateRAMP.

Akin to the federal cybersecurity program FedRAMP, StateRAMP offers a standardized approach to cybersecurity thresholds, but on behalf of state and local governments. The 501(c)(6) nonprofit was founded in 2020 and certifies members across the United States that provide digital infrastructure, such as cloud, software-as-a-service or other products, and offers key tools to the providers and state and local governments. StateRAMP’s latest tool is an early-stage security maturity assessment tool for cloud products.

North Dakota is finding early success in partnering with StateRAMP, Gregg said. “I want to ensure that when we bring in a vendor, they are low risk, but I don’t want to unduly burden that vendor,” he said. “If that vendor has done work with another state that is a StateRAMP-certified state, and they’ve passed the requirements for that state, they don’t have to do it again with us. We can use that same basic process and paperwork to bring them in.”

However, it is the unity of effort from the state legislature, Gov. Burgum, state agencies and tribal nations that is making North Dakota’s cyber stance stronger. In addition to House Bill 1314, the state legislature passed a bill in 2019 that unified the state’s government digital infrastructure, which was another important step for the state’s cybersecurity, Gregg noted. Each agency or entity had a federated system with its own network or stack, such as the attorney general having a different network than Health and Human Services. North Dakota has now united those disparate networks, Gregg clarified.

And while it led to centralizing the systems and leveraging cyber defenses, the unification also meant the CISO’s office had to implement network security for many more endpoints. “We needed to be able to grow our coverage from about 20,000 endpoints when I walked in the door to over 200,000 endpoints,” the CISO acknowledged. “I really liked the challenge of it. And I would describe it as building a whole-estate approach to security. That’s really one of the things for me that I’m probably most proud of.”

Additionally, House Bill 1417 further expanded the state’s whole-estate approach to be able to work with the state’s Native American tribal nations to provide cybersecurity outreach and support.

Mandan, Hidatsa and Arikara (MHA) Nation tourism representatives pose at Crow Flies High State Recreation Area, overlooking Lake Sakakwea, in North Dakota. The state’s unity of efforts cybersecurity approach is working to support tribal nations in the state, such as MHA, to improve their cybersecurity. Credit: North Dakota Tourism

North Dakota also leveraged cybersecurity insurance discounts as a motivation tool. Agencies and entities that employ CISO cybersecurity measures received reduced costs through the North Dakota Insurance Reserve Fund. “Working with NDIRF, which is the North Dakota Insurance Reserve Fund, I actually got them to reduce the cost of insurance to the political subdivisions by 4% for anybody that took on our toolset,” he noted. “So we’re not only able to buy in bulk, buying a much larger number, due to the unification, which reduced the cost of the tooling, we were also able to get our partners for this whole-estate journey a reduction on their insurance. And if you’ve gotten any kind of insurance lately, you know that it goes one way. It only goes up.”

The federal Infrastructure Investment and Jobs Act (IIJA), signed by President Joe Biden on November 15, 2021, provided federal funds to the state. The CISO had to respond quickly, he said, to the Notice of Funding Opportunity to obtain funding for cybersecurity. The office built a plan for localities, cities, counties and school districts to obtain IIJA money for cybersecurity and, at the same time, was able to have the state match 10% of the federal funds, with support from the governor, the chief information officer, and the House and Senate.

“And honestly, in some of these school districts, you could have a teacher and a school bus driver who are also working cybersecurity, and the budget is already set for the next year,” Gregg said. “So, the state coming in and giving that percentage really allowed everybody to do this.”

Lastly, Gregg is proud of the CISO team that has not only grown its defensive and investigative skills for the SOC but is demonstrating those capabilities in cyber competitions, most recently in America’s Cyber Cup Challenge.

“This last year, my team was in America’s Cyber Cup Challenge for the first time,” he said. “We were the only state government team in that challenge and my team took second place. To see how we’ve grown the skill sets of those individuals and to help them mature as cyber professionals has just been great. And none of this would have been possible without the unity of effort from the governor, the lieutenant governor, the House, the Senate, and most importantly, my team. It’s just been phenomenal.”
