Putting a Value on Trust — Introducing Zero Trust Security Approaches

With so many high-profile hacks this year, it's easy to want to throw up your hands and say, "Is there nothing that can be trusted?!" Interestingly, that lament is what is driving the latest approach to cybersecurity -- zero trust. Zero trust is what it sounds like, a security approach centered on the belief that organizations should not automatically trust anything accessing their systems either inside or outside their perimeters. Instead, all people and devices must be verified before access is granted. To the untrained eye, this seems untenable. How, in this day and age, when we depend on digital information and connection to do most anything, can we use a process where we have to constantly verify identity and access permissions? Luckily, the practice of zero trust is more sophisticated than its premise.

Continue reading

Agencies Meet FITARA Goals Even While Battling Pandemic Challenges

The latest Federal IT Acquisition Reform Act (FITARA) scorecard showed that all agencies still have passing grades when it comes to meeting federal goals for IT management and reporting, but there was some backsliding in the latest report.

Health and Human Services, Labor, and the Veterans Administration improved their overall scores, while five agencies -- Commerce, Small Business Administration, The General Services Administration, Social Security Administration, and U.S. Agency for International Aid - all dropped. A positive among the scores was that every agency received at least one A for the first time in the scorecard's history.

Continue reading

Making the Grade: All Agencies Receive a Passing Score on FITARA Scorecard

For the first time ever, every government agency received a passing score on the Federal Information Technology Acquisition Reform Act (FITARA) Scorecard. Now, this does not mean that everyone made the honor roll, rather the general GPA is around a C.

FITARA was enacted in 2014, and report cards come out twice a year to measure and track progress in meeting the modernization efforts outlined in the legislation. The scorecard has evolved over the years as deadlines have passed, and new modernization metrics have been implemented.

The coronavirus pandemic underscored the need for modernization. Agencies had to hustle to move processes fully online and make them accessible to a remote workforce and the public who could no longer visit government offices to conduct business. It reinforced the need for modernization to move from a wish list or "we'll get there" item to a critical need.

In this 10th report, The General Services Administration (GSA) received an A+ grade on the scorecard for the second time in a row. The Education Department dropped out of the A-range, falling to a B. They joined two other agencies in dropping scores, while seven agencies showed improved results, and 14 stayed the same. The majority of agencies passed in the C-range. Continue reading

FITARA Has a Bounce Back Semester

The last time we wrote about FITARA, the news was pretty grim. The 6th check-in since the Federal Information Technology Acquisition Reform Act (FITARA) was enacted in December 2014 found that many agencies were backsliding regarding their ability to show progress against FITARA goals of Data Center Consolidation, IT Portfolio Review Savings, Incremental Development, and Risk Assessment Transparency. This was a bit surprising given that the introduction of the Modernizing Government Technology (MGT) Act was expected to help improve FITARA scores. While compliance with MGT is still slow, some other areas picked up momentum helping propel the FITARA scores upward.

The seventh version of the FITARA scorecard showed progress at many agencies over the six months between reports. No agencies saw their grades drop. Additionally, for the first time, there were no Fs on the report. Now, getting excited about no Fs may be setting the bar a bit low, but the DoD, due in part to sheer size and complexity, has struggled with the scorecard, and this cycle earned a D+. Other agencies making notable progress were the VA moving from a C+ to a B+, HHS from C- to B+, and Small Business Administration moving from a D+ to a B+. Continue reading

Digital Forensics 101

The digitization of records and processes across government increases the need for sound digital investigation tools and processes. Whether it is looking into a data breach or gathering information for litigation, organizations are spending a lot of time culling through this data to get answers to pressing issues. An IDG survey found that a vast majority of organizations conduct digital investigations on a weekly basis. These investigations range from proving regulatory compliance, security incident response (including post-event analysis), and stopping high risk employee behavior (acceptable use violations).[Tweet "A look at digital investigations with Tod Ewasko, Director of Product Mgmt. at AccessData. #GovEventsBlog"]

We sat down with Tod Ewasko, Director of Product Management at AccessData to learn more about the role of digital investigations as a part of everyday IT efforts.

Q: Who "owns" forensics? IT? Legal? HR?

A: The answer is kind of all three. Many people lump forensics in with cybersecurity, but it's really a separate entity. Yes, forensics tools are used to investigate cyber incidents, but they are not preventative. That is what you have the "hunting" tools out there for - watching firewalls and logs for anomalous behavior or activity. Once that is stopped, then the forensics tools come in to make sense of it - to see how it happened and drive the plans to make sure it does not happen again. Forensic tools look beyond the event and gather all data relevant to the systems in question.

Q: Is forensics all reactive then? Continue reading