Do Your Part. Be CyberSmart: 2020 Cybersecurity Awareness Month

For the past 17 years, the Cybersecurity & Infrastructure Security Agency and the National Cybersecurity Alliance have led a month-long national focus on cybersecurity best practices. In coordination with a number of organizations around the country, each October features events and campaigns to help educate businesses and individuals on avoiding dangers lurking online. As with everything else, the activities for the 2020 Cybersecurity Awareness Month will look a bit different. But perhaps it is fitting that most of it will be taking place online. It's a great opportunity to practice what you preach when hosting virtual events and resources.

The theme for 2020 is "Do Your Part. #BeCyberSmart," encouraging individuals and organizations to look at their own role in protecting cyberspace and providing proactive steps to enhance cybersecurity. A big part of this is the idea of "if you connect it, protect it." Resources and speakers will focus on securing devices at home and at work, securing Internet-connected healthcare devices, and looking ahead to the future of connected devices.

In government, doing "your part" means making a transition to a zero trust security environment where access controls are maintained around data and systems even after someone has shown the proper credentials to get into the network. The name "zero trust" implies a difficult hurdle that has to be overcome to earn the trust, but that is not the case. A different way of looking at it is "context-based trust" or "variable trust," meaning that devices with network access will receive immediate entry. Other devices that are unknown to the network will be subject to additional checks and balances. Key to this is establishing what is perceived as normal behavior on the network and by users. As activity deviates from that norm, systems and data can be locked up until legitimate access is verified.

Making the Grade: All Agencies Receive a Passing Score on FITARA Scorecard

For the first time ever, every government agency received a passing score on the Federal Information Technology Acquisition Reform Act (FITARA) Scorecard. Now, this does not mean that everyone made the honor roll; rather, the general GPA is around a C.

FITARA was enacted in 2014, and report cards come out twice a year to measure and track progress in meeting the modernization efforts outlined in the legislation. The scorecard has evolved over the years as deadlines have passed, and new modernization metrics have been implemented.

The coronavirus pandemic underscored the need for modernization. Agencies had to hustle to move processes fully online and make them accessible to a remote workforce and the public who could no longer visit government offices to conduct business. It reinforced the need for modernization to move from a wish list or "we'll get there" item to a critical need.

In this 10th report, the General Services Administration (GSA) received an A+ grade on the scorecard for the second time in a row. The Education Department dropped out of the A-range, falling to a B. They joined two other agencies in dropping scores, while seven agencies showed improved results, and 14 stayed the same. The majority of agencies passed in the C-range.

In Cyberspace Showdown, Government Has the Upper Hand on the “Bad Guys”

The annual Federal Information Security Modernization Act (FISMA) report was delivered to Congress in May and contained encouraging news. The report, tracking agencies' ability to meet the guidelines set forth in FISMA, showed that there were 8% fewer cybersecurity incidents across government in fiscal year 2019. Additionally, the report showed that 73 agencies meet the highest FISMA rating, up from 62 in 2018.

All of this improvement comes at a time when more attacks are being carried out against agencies and those attacks are becoming more and more sophisticated. The government's ability to stay ahead of the increasing attack vectors can be attributed to compliance with federal regulations and mandates, including the Continuous Diagnostics and Mitigation program and the National Cybersecurity Protection System.

Additionally, a focus on educating federal employees about spear phishing, the practice of sending emails that look like they are coming from a known or trusted sender to entice targeted individuals to reveal confidential information, has also paid off. The report showed that the U.S. Department of State, U.S. Department of Health and Human Services, and the U.S. Department of Commerce had the largest reduction in phishing-related security incidents via email. Fittingly, the Department of Education earned a proverbial gold star, reporting zero phishing incidents. They attributed this success to employing "increasingly complex phishing scenarios" to improve spam filtering and implementing anti-phishing policies with their email provider.

FedRAMP’s Role in a Post-COVID World

The Federal Risk and Automation Management Program, more widely known as FedRAMP, was put in place in 2011 to create a standardized approach to evaluating the security controls of cloud solutions for government use. For nearly a decade, FedRAMP has continually evolved to keep up with the growing availability of and demand for cloud solutions. In fact, the number of authorizations granted between 2016 and 2018 increased roughly 33% year over year.

With this in mind, the latest modernization of FedRAMP may be coming via the FedRAMP Authorization Act of 2019, which would expedite the approval process. Of particular interest is language in the bill that introduces the "presumption of adequacy." This means that once a cloud vendor is authorized through the FedRAMP process with one agency, it is cleared to work with other agencies under that initial authorization. The legislation also formalizes roles and responsibilities, designating the Office of Management and Budget as responsible for FedRAMP policy and making the General Services Administration in charge of day-to-day implementation. Finally, the bill stipulates metrics to track the implementation of the program.

Further influencing the demands on FedRAMP is the quick surge of support for flexible cloud solutions to enable telework environments amid the COVID-19 response. These developments may have a significant impact moving forward. While private industry is stepping up and offering technology for free to help secure public health and safety, the federal government must still look to FedRAMP guidance in utilizing cloud solutions. Today, more than ever, a quick and efficient approval process is essential.


Introducing Drones into the Government Toolkit

From military missions to public safety applications to infrastructure inspections, drones have many applications across government. While the technology is ready for all of these applications (and more), there are complex regulatory and legal issues that are holding up their widespread use. These issues include airspace regulations (for the safety of manned and unmanned flights), privacy concerns (related to on-board cameras), and cybersecurity concerns.

While these issues are being discussed in the courts and across regulatory bodies, state and federal level agencies are taking steps to integrate drone usage into their processes. For federal agencies, drones are available on the GSA Schedule. State and local organizations are piloting a drone-as-a-service model that allows groups to use drones for specific use cases without having to invest in the purchase and maintenance of the hardware.

There are a number of upcoming events that address both the technology and the policies that impact current and future drone usage.