In the aftermath of cyberattacks like SolarWinds and Colonial Pipeline, the intense struggle of federal agencies to keep pace with cybercriminals has been laid bare. Criminals are more agile and can deliver new exploits faster than government agencies can adapt. Systems that house high-value assets and information grow increasingly vulnerable. Meanwhile, the maintenance and operations costs required for outdated technology and processes keep adding up, depleting precious resources that might otherwise be used to strengthen and modernize.
Federal cybersecurity isn’t just falling behind; it’s moving backwards. It’s been reported that the “Government Accountability Office (GAO) says U.S. federal cybersecurity capabilities have regressed from prior years — and federal cybersecurity is currently in the GAO’s category of government programs at high risk of failure.”
Requirements are rapidly changing, and agencies need to act now to prepare for today’s security landscape and fortify their systems for the immediate future. Just last year, it became clear that remote work will be an essential aspect of professional life moving forward, and this workstream requires its own set of safety and security considerations. By doubling down on IT upgrades and remote work enablement, federal agencies can leverage the modern solutions embraced by the public sector, reinforcing security while improving internal efficiencies.
Federal organizations protect the world’s most sensitive data. Fittingly, they have complex and strict compliance requirements (TIC 3.0, FedRAMP, NIST, FISMA, CMMC). Enhanced security programs need to consider nation-state attackers, bad actors, and major current events that drive change. There are attackers seeking information (such as stealing national secrets), and those focused on disabling critical infrastructure to weaken agencies. It’s worth the investment to update security, as the tools, technologies, and tactics of potential attackers are progressing just as quickly as security standards. Remember that you’re preparing your systems not just for today, but for emerging threats tomorrow as well.
Access management was already complicated, but today’s realities make it even more so. Federal agencies’ current processes for managing access are prone to errors, and they also take up too much time. Research shows that government entities struggle with efficient pathways for credentials and access, and lingering permissions continue to be a cause for concern. Now, as remote work becomes a key part of daily life for many, security requirements are developing further layers and complexity.
To help address these changes to the federal landscape, President Biden issued a revolutionary executive initiative to improve cybersecurity. It takes a forward-thinking approach to security, with recommendations for modernization of infrastructure, security automation, and adoption of Zero Trust security practices.
The Biden initiatives build upon security mandates already at play in the federal space. Directives by the Cybersecurity and Infrastructure Security Agency (CISA) are becoming more frequent, and the bulk of their concerns are centered around the problem of aging infrastructure. With these pushes from multiple fronts, government agencies need to stand up and take notice.
Current federal physical infrastructure is crumbling. In fact, it wasn’t built to last in the first place. Below are three key strategies to help realign federal agencies with modern-day security standards.
Agencies need to invest in modernization programs focused on migrating outdated infrastructure to the cloud. But they need to be thoughtful about their migration processes, as simply copying applications and systems straight to the cloud won’t work. Transferring these applications in the wrong way – via a “lift and shift” strategy, for instance, where an application is copied as-is to a different environment without a redesign – only ends up transferring legacy problems to new environments. Besides, it’s also dangerous, as these types of copy-paste methods just create new opportunities for attackers.
But even after updating to traditional cloud infrastructure, there’s still more work to do. One size does not fit all, and solutions need to be tailored to specific circumstances. Working with an agency such as the Federal Risk and Authorization Management Program (FedRAMP) can help streamline the adoption of new technologies, especially cloud solutions, to help government agencies modernize quickly, securely, and efficiently. So far, FedRAMP has authorized 220 federal organizations, with 54 in the works.
When implementing security solutions, think beyond your immediate organization: it’s not just your full-time employees who need access to systems and data. Numerous contractors, subcontractors, and vendors are a part of federal organizations, and overseeing their access is a daunting task – especially if your third-party turnover is high. Vendor access management (VAM) solutions help oversee the entire vendor access lifecycle. These tools not only provide the required access, but they also make sure to keep permissions airtight, restricting anything more than what’s absolutely necessary.
Modern identity solutions can help the government manage access and implement existing compliance needs while quickly adapting to new regulations and mandates. For greater security, consider identity solutions. Identity forms the baseline of a Zero Trust architecture, which has a “default-deny” state. Through zero standing privilege, the principle of least privilege is implemented in a manner consistent with the Biden order, guaranteeing that extraneous access is removed.
Zero Trust architecture helps organizations start with the assumption that all access – including internal “trusted” access – should be verified. Systems attempting to connect should be restricted from the very first step, even disallowed from presenting their credentials to one another. A modern identity solution can streamline processes, making managing access more efficient, more secure, and much less time-consuming.
Agencies should work under the assumption that their systems will be breached, and ensure they have controls in place to stop adversaries once they’ve entered the system. It’s a mistake to focus solely on the barriers to entry. Ashley Stevenson, former chief architect for Identity, Credentials, and Access Management (ICAM) at the Department of Homeland Security, described the benefits of ICAM in an interview with FedScoop: “Instead of protecting just the front door, you’re protecting every object behind the door individually.”
Implementing a new identity layer enhances the existing security infrastructure in several ways. First, by augmenting ICAM with privileged access and least privilege, it protects not only the access gateway but every object beyond it. It also streamlines processes, including certification, increasing efficiency and reducing wait time for access requests. Identity-based solutions help guarantee that any new requests are aligned with compliance, and can provide proof of continued compliance to meet any overarching requirements.
Supported by tools and applications in the cloud, identity solutions are the cornerstone of a modern, secure IT environment. They consider all levels of access, from employees to vendors. They strip down restrictions to the bare essentials, and drastically cut the time spent managing access requests. These solutions are designed to assume breach, protecting assets and information even after attackers gain access to the system. We strongly encourage federal agencies to take steps toward modernizing their cybersecurity today, and ensure that their systems can withstand the threats and attackers of an ever-evolving landscape.