Security in the “New Normal”

With telework expected to stay long after the pandemic ebbs, government agencies are looking to shore up the remote work solutions they put in place so that on-premises security measures extend to the dispersed workforce. Multi-cloud environments are the reality for almost every agency. The many applications needed for the diverse functions of an organization require multiple cloud solutions to provide the specific support needed.

A report from MeriTalk, Multi-Cloud Defense: Redefining the Cyber Playbook, found that 83 percent of respondents are increasing multi-cloud adoption to support telework and mission needs related to COVID-19. However, 42 percent said their cyber strategies cannot keep up. One part of the challenge is creating a solution that can be applied to the wide variety of endpoint devices while meeting enterprise security requirements.

One option for quickly developing and implementing security solutions for the reality of today's network is the practice of DevSecOps. DevSecOps is an organizational philosophy that combines agile software development with security testing and tools for rapid delivery of applications and services. The growing use of this approach has led the National Institute of Standards and Technology (NIST) to create DevSecOps guidance that would help agencies include security earlier in the development lifecycle. This builds a new level of transparency into the security of solutions being used on government systems.

Security has always been a paramount focus of government IT, and now, with the way we access systems and data changing dramatically and quickly, it is an even more critical focus. Luckily, there are a number of events and resources that can help IT and business leaders navigate what this "new normal" means for security.

  • RSAC 365 Virtual Summit (January 27, 2021; virtual) - From security leader RSA, this one-day online event features four tracks: Analytics, Intelligence, and Response; Application Security; Machine Learning, AI, and Automation; and Impact 2020, looking at the resilience strategies that worked in 2020.
  • Cloud Security & Services: Matching Data Demands with Increased Security (January 27, 2021; virtual) - This session will look at the challenge of blending the different types of cloud and service models to provide access to needed data, while at the same time protecting a much-enlarged attack surface created by the large number of workers who are accessing the data remotely.
  • FCW Workshop: Pillars of Modernization (February 10, 2021; virtual) - This workshop will feature government and industry experts addressing the need for a holistic approach to modernization that looks at security, network infrastructure, multi-cloud architectures, data solutions, and the user experience.
  • Advancing Cybersecurity at Scale in the Cloud (white paper) - Even though federal agencies are gatekeepers to some of the nation's most valuable and sensitive data, much of the core infrastructure tasked with securing these assets has not evolved. This paper looks at how to create a comprehensive platform to help modernize and holistically manage digital environments.
  • Cyber Resilience Review (data sheet) - Published by the Cybersecurity and Infrastructure Security Agency (CISA), this paper looks at how a review provides an improved organization-wide awareness of the need for effective cybersecurity management. It details how to map the relative maturity of the organizational resilience processes.

We'd love to hear where you are getting insight on DevSecOps and cloud security. Share your ideas in the comments.

Do you have an upcoming event related to security? Be sure to add it to GovEvents to reach our 100,000+ members and beyond. You can also now add white papers, case studies, infographics or e-books to GovWhitePapers.

Blockchain’s Role in Managing COVID

Blockchain technology is a new way of passing information from point A to point B. The data passes through a "block" that gets validated by a network of unrelated computers, which democratizes the transfer of data. This creates transparency for the path of the data and makes that path irreversible. It also allows for computational logic to be attached to data, enabling automation around actions associated with it.

 

Organizations across government have been experimenting with ways blockchain technology could make transactions more efficient, secure, and transparent. With the COVID-19 pandemic, the ability to easily, securely, and transparently share data has never been more important. In the many areas of our lives affected by the pandemic, blockchain is proving to be a tool for meeting the quickly evolving demands of public health, financial markets, and even democracy itself.


Finding Business Continuity in the Cloud

More than finding cost efficiencies with cloud, government has realized its adoption is critical to business continuity. With mandatory telework as a result of COVID-19, organizations that have been proactive in their move to cloud found themselves able to quickly adapt and continue business as usual in very unusual times. Organizations that did not prioritize cloud found themselves scrambling to give employees access to the technology they needed to do their work.

Luckily, policies including the Cloud Smart mandate helped put more people in the first category than the second. A study completed in March (before pandemic telework began) found that 71% of federal respondents agreed that Cloud Smart was driving cloud adoption. In addition to Cloud Smart, the FedRAMP program also helped drive cloud adoption leading up to and during the pandemic. In 2020 alone, FedRAMP added 200 authorized products and is on track to authorize over 60 cloud service offerings. The program has also achieved over 1,850 reuses of cloud products.


Do Your Part. Be CyberSmart: 2020 Cybersecurity Awareness Month

For the past 17 years, the Cybersecurity & Infrastructure Security Agency and the National Cybersecurity Alliance have led a month-long national focus on cybersecurity best practices. In coordination with a number of organizations around the country, each October features events and campaigns to help educate businesses and individuals on avoiding dangers lurking online. As with everything else, the activities for the 2020 Cybersecurity Awareness Month will look a bit different. But perhaps it is fitting that most of it will be taking place online. It's a great opportunity to practice what you preach when hosting virtual events and resources.

The theme for 2020 is "Do Your Part. #BeCyberSmart," encouraging individuals and organizations to look at their own role in protecting cyberspace and providing proactive steps to enhance cybersecurity. A big part of this is the idea of "if you connect it, protect it." Resources and speakers will focus on securing devices at home and at work, securing Internet-connected healthcare devices, and looking ahead to the future of connected devices.

In government, doing "your part" means making a transition to a zero trust security environment where access controls are maintained around data and systems even after someone has shown the proper credentials to get into the network. The name "zero trust" implies a difficult hurdle that has to be overcome to earn the trust, but that is not the case. A different way of looking at it is "context-based trust" or "variable trust," meaning that devices with network access will receive immediate entry. Other devices that are unknown to the network will be subject to additional checks and balances. Key to this is establishing what is perceived as normal behavior on the network and by users. As activity deviates from that norm, systems and data can be locked up until legitimate access is verified.

Making the Grade: All Agencies Receive a Passing Score on FITARA Scorecard

For the first time ever, every government agency received a passing score on the Federal Information Technology Acquisition Reform Act (FITARA) Scorecard. Now, this does not mean that everyone made the honor roll; rather, the general GPA is around a C.

FITARA was enacted in 2014, and report cards come out twice a year to measure and track progress in meeting the modernization efforts outlined in the legislation. The scorecard has evolved over the years as deadlines have passed, and new modernization metrics have been implemented.

The coronavirus pandemic underscored the need for modernization. Agencies had to hustle to move processes fully online and make them accessible to a remote workforce and the public who could no longer visit government offices to conduct business. It reinforced the need for modernization to move from a wish list or "we'll get there" item to a critical need.

In this 10th report, the General Services Administration (GSA) received an A+ grade on the scorecard for the second time in a row. The Education Department dropped out of the A-range, falling to a B. They joined two other agencies in dropping scores, while seven agencies showed improved results, and 14 stayed the same. The majority of agencies passed in the C-range.