How Cyber Basics Make a Big Impact

October is a fitting month for cybersecurity awareness. Phishing emails can be even more deceptive than a convincing costume and ransomware attacks can feel like a jump scare in a horror movie. Each year, the National Cybersecurity Alliance and the U.S. Department of Homeland Security spearhead an educational campaign to ensure everyone knows their role in protecting the vast amounts of online data we depend on for daily life.

The 2025 theme is "Stay Safe Online" with a focus on four key steps everyone can take to improve online safety:

  • Use strong passwords and a password manager
  • Turn on multifactor authentication
  • Recognize and report scams
  • Update your software

These tactics are important at a personal as well as enterprise level. Agencies across government have taken these best practices and implemented new security measures to protect data.

Strong Passwords

An Office of Inspector General (OIG) audit found that approximately 21% of user passwords at the Department of the Interior were hackable. OIG said that this was due to Interior's "outdated and ineffective" password complexity requirements, which allowed staff to use inherently weak passwords. In fact, it found that unrelated staff were using the same weak passwords: "Password-1234" was used on 478 unique active accounts.

In contrast, password policies at the Environmental Protection Agency require passwords to be at least 12 non-blank characters long, with characters from at least three of the following four categories: uppercase, lowercase, digits, special characters. The policies also prohibit dictionary words, common names, sequences (like "abcde"), simple keyboard patterns, generic passwords (e.g. variants of "password"), reuse for 24 generations, and more.
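As an added illustration (not code from the EPA or from this article), the sketch below checks a candidate password against the rules listed above and shows that "Password-1234" satisfies the length and character-category rules yet is still rejected as a generic password containing a sequence. The blocklist, keyboard patterns, run length of four, and the PBKDF2 history format are assumptions made for the example.

```python
import hashlib
import hmac
import string

MIN_LENGTH = 12       # policy: at least 12 non-blank characters
HISTORY_DEPTH = 24    # policy: no reuse for 24 generations
RUN_LENGTH = 4        # assumption: flag runs of 4+ consecutive characters
BLOCKLIST = ("password", "welcome", "admin")    # constructed; stands in for a real wordlist
KEYBOARD = ("qwerty", "asdfgh", "zxcvbn")       # constructed sample patterns
LEET = str.maketrans("@4031$5!7", "aaoeissit")  # undo common substitutions

def hash_pw(pw, salt):
    # Salted, slow hash so the stored history is not a list of plaintexts.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def has_run(pw, n=RUN_LENGTH):
    # True for ascending or descending runs such as "abcd", "1234", "4321".
    for i in range(len(pw) - n + 1):
        chunk = pw[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if chunk.isalnum() and steps in ({1}, {-1}):
            return True
    return False

def violations(pw, history=()):
    """Return the rules a candidate breaks; history holds (salt, digest) pairs."""
    low, found = pw.lower(), []
    if sum(not c.isspace() for c in pw) < MIN_LENGTH:
        found.append("length")
    classes = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    if sum(any(f(c) for c in pw) for f in classes) < 3:
        found.append("classes")
    if any(word in low.translate(LEET) for word in BLOCKLIST):
        found.append("generic")
    if any(pattern in low for pattern in KEYBOARD):
        found.append("keyboard")
    if has_run(low):
        found.append("sequence")
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_pw(pw, salt), digest):
            found.append("reuse")
            break
    return found

print(violations("Password-1234"))   # the password cited in the Interior audit
```

A production check would replace the three-word blocklist with a full dictionary and breached-password list.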

Multifactor Authentication

Login.gov allows citizens to create a single point of access to all of the government services they use. It eliminates the need to log into each site separately, allowing a user to move from applying for a federal job, to accessing the status of their student aid, to researching small business loans, without creating a separate login for each service. This access requires a form of multifactor identification. Options include:

  • Face or touch unlock
  • Authentication application
  • Security key
  • Phone/SMS
  • Backup codes
  • Government employee IDs (PIV/CAC)

The U.S. Department of Agriculture successfully implemented phishing-resistant authentication for personnel who could not exclusively rely on personal identity verification (PIV) cards as a form of identification. The department embraced Fast IDentity Online (FIDO) capabilities, a set of authentication protocols that uses cryptographic keys on user devices, as a secure way to authenticate user identities without passwords.

Reporting Scams

Sharing threat information is critical to securing the digital systems we depend on. The government has issued a wide variety of guidance documents and launched a number of threat-sharing programs, including:

  • Automated Threat Indicator Sharing - The Cybersecurity & Infrastructure Security Agency (CISA) runs an Automated Indicator Sharing program that enables the real-time exchange of threat indicators between federal agencies and private-sector participants, helping organizations detect known threats quickly.
  • Joint Cyber Defense Collaborative (JCDC) - CISA also created the JCDC to coordinate among federal, state, local, tribal, territorial, private-sector, and international defenders to share actionable risk information in a synchronized fashion.

Additionally, CISA, the National Security Agency, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analytics Center frequently issue joint advisories and alerts when discovering phishing/spear-phishing campaigns targeting government, NGOs, and private entities.

Updating Software

CISA Binding Operational Directives (BODs) force compliance with best practices for software updates and patching. These directives establish deadlines and minimum standards that agencies must meet. Agencies in compliance with these BODs see dramatic improvement in their cyber posture, with results that include reducing the time to patch vulnerabilities from an average of 149 days down to 20 days.

Check out this sampling of Cybersecurity Awareness Month events and related resources:

  • Engage Public Sector (October 7, 2025; Washington, DC) - This event will spotlight the transformative potential of integrated technologies such as hybrid mesh firewalls and AI-driven email security. Participants will delve into strategies that prioritize agility, proactive defense, and unified management, moving beyond outdated frameworks.
  • Cybersecurity Summit 2025 (October 9, 2025; Reston, VA) - Join national leaders, innovators, and security experts for a dynamic summit exploring the evolving intersection of cybersecurity, advanced technologies, and public service.
  • Strengthening Zero Trust Under Pressure (October 16, 2025; webcast) - Learn how zero trust can be made resilient and capable of improving under pressure and how to align your agency's zero-trust journey with federal guidance.
  • CyberTalks 2025 (December 9, 2025; Washington, DC) - CyberTalks presents a powerful opportunity to hear from the leading voices at the intersection of government and the technology industry on the latest tactics to combat current risks.
  • FedRAMP: Evolving Standards, Emerging Challenges, and the Road Ahead (white paper) - FedRAMP, once a groundbreaking framework for authorizing cloud services, is now undergoing a critical transformation through the 20x initiative--aimed at streamlining processes, reducing sponsor burden, and embracing automation over paperwork. Yet challenges remain, from securing agency sponsorship to helping smaller innovators break into the federal market.
  • Safeguarding the Digital Realm (white paper) - Cyber threats facing government agencies are growing more sophisticated, with nation-state actors and AI-powered attacks escalating the urgency of defense. Legacy systems, budget constraints, and fragmented oversight continue to weaken cyber resilience. To counter this, experts emphasize a shift toward threat-informed risk management, Secure by Design principles, and integrating AI with strong governance.

To explore more about cybersecurity in government, search for additional events and resources on GovEvents and GovWhitePapers.
