As summer vacation is in full swing across the country, we're sure many of you are missing tracking the grades of your students (insert sarcasm font here). We wanted to fill that void with a look at where agencies stand on their FITARA report cards. We've written here before about the progress, and lack of progress, agencies are making regarding modernizing IT infrastructure and services. The sixth report card on FITARA compliance was issued in May so we wanted to revisit the topic.
The Federal Information Technology Acquisition Reform Act (FITARA) was enacted in December 2014, and agencies are evaluated on their progress against the Act's goals about twice a year. The latest report found that despite a renewed focus on modernization from both the executive and legislative branches, agencies are actually backsliding in terms of grades.
Part of the challenge agencies had with this reporting period was the addition of a new category to track progress on the Modernizing Government Technology (MGT) Act. This "failure" should perhaps have been graded on a curve since MGT has only been in place since December 2017, meaning many agencies have not yet had a chance to have their proposals funded, much less started work.
But even discounting the MGT "learning curve," agency scores show that there is a real struggle across the board in meeting FITARA goals around:
Whether it's an Edward Snowden situation or "simply" just someone clicking on a rogue link, insider threat is a real issue for every organization. Insider threat is defined as a malicious threat to the security of an organization and its data that comes from people within the organization, such as employees, former employees, contractors or business associates. These people have some level of legitimate access to systems and information and therefore can open an organization up to attack or a breach. One statistic estimates there is one insider threat for every 6,000 to 8,000 employees within a government agency.
To mitigate this threat, government agencies need a combination of monitoring and detection technologies, identity management tools, process and policy reviews, forensic capabilities, and user training. It's a complex problem to "solve" but luckily there are a number of events and resources available to help make sense of all of the issues.
We've pulled together a list of several upcoming events to help in understanding and mitigating insider threats to any agency or organization.
The digitization of records and processes across government increases the need for sound digital investigation tools and processes. Whether it is looking into a data breach or gathering information for litigation, organizations are spending a lot of time culling through this data to get answers to pressing issues. An IDG survey found that a vast majority of organizations conduct digital investigations on a weekly basis. These investigations range from proving regulatory compliance to security incident response (including post-event analysis) and stopping high-risk employee behavior (acceptable use violations).
We sat down with Tod Ewasko, Director of Product Management at AccessData to learn more about the role of digital investigations as a part of everyday IT efforts.
Q: Who "owns" forensics? IT? Legal? HR?
A: The answer is kind of all three. Many people lump forensics in with cybersecurity, but it's really a separate entity. Yes, forensics tools are used to investigate cyber incidents, but they are not preventative. That is what you have the "hunting" tools out there for - watching firewalls and logs for anomalous behavior or activity. Once that is stopped, then the forensics tools come in to make sense of it - to see how it happened and drive the plans to make sure it does not happen again. Forensic tools look beyond the event and gather all data relevant to the systems in question.
Q: Is forensics all reactive then?
From time to time GovEvents will come across information we feel our members and audience would benefit from. Here's something we wanted to share:
As some Army National Guard soldiers begin training under a new system that increases the number of days on the range, the chief of the National Guard Bureau predicts "some changes" if the greater demands are not sustainable over the next few years.
In remarks at a March 12 forum hosted by the Association of the U.S. Army's Institute of Land Warfare, Air Force Gen. Joseph L. Lengyel said the Sustainable Readiness Model put in place in fiscal 2017 as a means of reaching a higher level of readiness across all components makes higher training demands on reserve forces. It may not be sustainable for individual soldiers whose "civilian lives won't be able to tolerate it," he said. "I predict there will be some changes."
"Those heavy brigades are going to do 39 days one year, 48 days next year, 60 days in that third year and to sustain that readiness they're going to do 51 days the following year," Lengyel said. "That's a lot of training days. A lot of days."
We've written before about the importance of certifications for expanding your knowledge base and helping you stand out among the competition when looking for new career opportunities. As we highlighted in that post, industry certifications show mastery of a certain skill area, from security to project management to database administration. Today we want to highlight the power of vendor-specific certifications for your career.
Much like we wrote about the value of vendor-led events, there is a tangible benefit in being certified in specific technologies as there's no escaping the major technology vendors. Their technology is in place across the government and oftentimes is providing the platform on which entire IT infrastructures are designed. Doing a deep dive and getting certified in a technology that is critical to your agency makes you a key resource for ensuring that the systems that rely on that vendor keep running and evolving.
Based on what we see in the market, here are some recommendations of vendor certifications that can add to your knowledge base as well as your value to current and future employers.