The DoD Cybersecurity Strategy https://www.fifthdomain.com/dod/2018/09/19/department-of-defense-unveils-new-cyber-strategy/ stresses nine key points. With the end of FFYE looming, are you aligning your spending with these objectives?

Every Federal IT pro knows that security threats are a top agency priority. Yet, according to the SolarWinds 2019 Cybersecurity Survey, those threats are increasing—particularly the threat of accidental data exposure from people inside the agency.

Capital One has announced that about 140,000 Social Security numbers and 80,000 linked bank accounts were compromised “in one of the biggest-ever data breaches,” affecting some 100 million individuals in the U.S. and 6 million in Canada.

More and more organizations are making the move to cloud-based security solutions. Today, 33 percent of organizations are planning to adopt one or more security-as-a-service (SECaaS) solutions. The efficiency with which endpoint security solutions can provide protection, particularly when delivered as-a-service, is a key strategic consideration for many organizations – perhaps none more so than America’s network of medical schools and teaching hospitals.

It’s often said that there are two types of organizations: those that have been hacked, and those that will be – turning the conversations around security breaches from ‘what if?’ to ‘when?’.

Although state and local technology leaders are increasingly prioritizing cybersecurity in their operations, government has a long way to go in securing critical information and systems from cyberattacks.

In light of this struggle, Route Fifty, in partnership with CrowdStrike, recently hosted a webcast that showcases the work of state and local governments who have undergone a transformation in cybersecurity protocols – and the challenges they continue to face.

Many government agencies, particularly large agencies, face enormous obstacles in simply compiling and inventory of the software and hardware under in their system. The difficulty is understandable: I know of one agency responsible for 220,000 makes and models of medical devices (note that this number refers to “makes and models” only. The actual number of devices is much, much higher). In addition, the devices are online intermittently, and many of them are on air-gapped (i.e., physically separate networks), complicating the use of automated tools for identification and inventory.

Every government organization has been the victim of a cybersecurity incident. These can range from mundane incidents such as a user leaving their desk without locking their screen, up to a major breach such as the OPM hack in which hackers stole comprehensive and confidential information on millions of government employees and contractors.

Identity and Access Management (IAM) is the art and science of ensuring that someone is who they say claim to be. This ensures that they have the correct level of access to systems and data – enough to do their job, but no more. IAM systems cover a wide range of features, but typically include:

Cybersecurity assessment initiatives and frameworks abound in the US government, the most important being the Federal Information Systems Management Act (FISMA), passed in 2002.  The law’s broad scope included a mandate to the US National Institute of Standards and Technology (NIST), charging it to create methods and standards to assess and optimize the cybersecurity posture of US government agencies.