World news – 4 pillars for an effective agency cybersecurity strategy


Leading federal tech companies, former government officials, podcasts, and industry insiders offer vital insights into an inverted landscape.

Tom Van Meter is Juniper Networks’ Federal SE Director. He has over 30 years of experience supporting commercial and federal networks, is a former associate professor at George Mason University, and co-author of two books on Juniper Networks Routing.

As part of the recently passed American Rescue Plan, the Cybersecurity and Infrastructure Security Agency received $650 million to strengthen federal networks, and the Technology Modernization Fund received $1 billion.

The plan shows that the Biden administration takes cybersecurity very seriously, which is good. There are already several other initiatives that play an important role in making networks and the information they contain more secure.

These efforts generally do not make big headlines. Each initiative has a different role. They are usually not presented as a coordinated, comprehensive strategy to protect the federal networks. Taken together, however, they form a future-oriented best-practice approach to cybersecurity that any agency can research and implement well.

The four pillars are zero trust architecture, supply chain security, the National Institute of Standards and Technology's Cybersecurity Framework, and certifications.

Zero Trust is a security architecture that focuses on protecting resources (assets, services, workflows, networks, etc.) rather than network segments. Its guiding principles are to never trust, always verify, assume that a breach will occur, and verify explicitly.

Unlike traditional perimeter network defense methods, Zero Trust assumes that every touchpoint in a network represents an attack vector for a hacker. In a zero trust model, the network reviews all user access requirements before granting access to critical assets.

While Zero Trust does not protect networks from every possible attack, it does reduce the risk of advanced threats and security breaches by preventing unauthorized lateral movement and access, accelerating threat detection and response, and closing visibility gaps.

Last August, NIST released SP 800-207 to codify zero trust architectural models. In February, the National Security Agency released "Embracing a Zero Trust Security Model," a reasonable explanation of zero trust principles that includes a zero trust maturity model to help implementers assess their adoption efforts.

The joint Defense Information Systems Agency and National Security Agency zero trust engineering team is creating the Department of Defense Zero Trust Reference Architecture, due to be released shortly, which will provide guidance to the entire DOD on implementing zero trust architectures. According to a recent survey, the adoption of zero trust architectures is increasing. Almost half of all federal agencies are adopting zero trust, and interest is growing. Former DISA deputy administrator Nancy Norton said in December that the Department of Defense is accelerating its shift to zero trust as the rise in teleworking due to COVID-19 creates a greater target for adversaries.

The administration’s TMF funding proposal could be an excellent opportunity to accelerate the adoption of zero trust architectures.

Hackers can infiltrate an agency’s network through an outside party that has access to the agency’s systems and data. This happened during the most recent cyber attack on IT provider SolarWinds.

In a blog post, NIST states: "Security gaps in the cyber supply chain – actually a complex network of connections instead of a single strand – do not only affect microchips and their internal code but also the support software for a device and the other companies that have access to its components. Put them all together and it can be a daunting task to anticipate any systemic weaknesses an adversary might take advantage of."

It is important for federal agencies to gain insight into their digital interactions in the supply chain and to regularly examine them for security vulnerabilities in order to track all paths that a hacker might be exploiting. In this way, the agencies can better identify risks and react quickly if an intervention occurs. In order to support the industry, in recent years the government has provided detailed guidelines for assessing risk management in the cyber supply chain.

In an update to the Cybersecurity Framework in April 2018, NIST added a new section on supply chain risk management. NIST followed suit in February and published NISTIR 8276, "Key Practices in Cyber Supply Chain Risk Management: Observations from Industry". This provides the industry with guidelines for implementing cyber supply chain risk management.

The NIST Cybersecurity Framework, which was published during the Obama administration in 2014 and revised during the Trump administration in 2018, contains a number of standards, guidelines and best practices for managing cybersecurity risk.

The framework can be a bit difficult to digest at first, but it is useful in helping critical infrastructure operators identify, assess, and manage cyber risks, and explore opportunities for improvement. Appendix A, Table 2 is probably the easiest way to get the gist of the document. It can be downloaded as an Excel spreadsheet from the NIST Cybersecurity Framework website.

In addition, NIST released SP 800-172, a supplement to SP 800-171 Rev. 2, with recommendations for advanced security requirements that businesses can use to protect high-value assets and information in critical programs.

Certifications provide verifiable security compliance for various products. When the federal government procures products, compliance with certifications provides a basic level of security convenience.

The government implements three primary certification programs that affect the security of IT/network and cloud products and services: NIST's Cryptographic Module Validation Program, the National Information Assurance Partnership (NIAP) Common Criteria protection profiles, and the Federal Risk and Authorization Management Program (FedRAMP).

The Cryptographic Module Validation Program (FIPS 140-2 and 140-3) validates the implementation of cryptographic algorithms at various compliance levels. NIAP protection profiles define a number of security functional requirements for different types of products (VPN gateways, network devices, firewalls, etc.). FedRAMP offers different levels of security for cloud products and services based on a standardized approach to security assessment, authorization, and continuous monitoring.

It takes a lot of time and effort to get certifications under these programs, but they provide the government a high level of assurance that the certified products meet acceptable security implementation levels.

As these four pillars show, there are many resources to improve network security within and in partnership with the federal government. There are no easy answers to improving cyber defense in the US, and much remains to be done. However, there is an excellent framework that agencies and other organizations can use for a solid cybersecurity strategy.
