Cybersecurity - Federal News Network
https://federalnewsnetwork.com
Helping feds meet their mission.

DHS names China, AI, cyber standards as key priorities for critical infrastructure
https://federalnewsnetwork.com/cybersecurity/2024/06/dhs-names-china-ai-cyber-standards-as-key-priorities-for-critical-infrastructure/
Thu, 20 Jun 2024 21:48:32 +0000

Agencies that oversee critical infrastructure are developing new sector risk management plans, with cybersecurity continuing to be a high priority.

Agencies that oversee critical infrastructure should address threats posed by China and work to establish baseline cybersecurity requirements over the next two years.

That’s according to new guidance signed out by Homeland Security Secretary Alejandro Mayorkas on June 14. The document lays out priorities over the next two years for sector risk management agencies. SRMAs are responsible for overseeing the security of specific critical infrastructure sectors.

“From the banking system to the electric grid, from healthcare to our nation’s water systems and more, we depend on the reliable functioning of our critical infrastructure as a matter of national security, economic security, and public safety,” Mayorkas said in a statement. “The threats facing our critical infrastructure demand a whole of society response and the priorities set forth in this memo will guide that work.”

The memo follows on the heels of a national security memorandum signed by President Joe Biden earlier this year. The memo seeks to expand federal oversight of the critical infrastructure sectors. It specifically directed SRMAs to develop new sector risk management plans in the coming year.

China, AI and space

In his memo this week, Mayorkas highlights “cyber and other threats” posed by China as a key priority risk area. U.S. officials earlier this year said Chinese hackers had breached multiple U.S. critical infrastructure networks.

“Attacks targeting infrastructure essential to protect, support, and sustain military forces and operations worldwide or that may cause potential disruptions to the delivery of key goods or services to the American people must be our top priority,” the memo states. “Leveraging timely and actionable intelligence and information and adopting best practices for security and resilience, SRMAs, critical infrastructure owners and operators, and other SLTT and private sector partners shall devise and implement effective mitigation approaches to identify and address threats from the PRC, including plans to address cross-sector and regional interdependencies.”

It also encourages agencies to work with their respective sectors to mitigate risks posed by artificial intelligence and emerging technologies. Mayorkas also highlights the need to address climate risks, supply chain vulnerabilities, and a growing reliance on space systems.

Critical infrastructure ‘resilience’

Meanwhile, the memo also highlights several specific mitigation strategies that SRMAs should work into their plans. It specifically states SRMAs should work with critical infrastructure owners and operators to “develop and adopt resilience measures, anticipate potential cascading impacts of adverse incidents, and devise response plans to quickly recover from all types of shocks and stressors.”

“While we cannot keep determined advanced persistent threats or ransomware actors completely at bay or prevent severe weather occurrences, we can minimize the consequences of incidents by understanding critical nodes, assessing dependencies within systems, and developing plans to ensure rapid recovery,” Mayorkas writes.

Furthermore, the memo continues the Biden administration’s push to set minimum cyber standards across critical infrastructure sectors.

“Individual critical infrastructure owners and operators must be encouraged by SRMAs and, where applicable, held accountable by regulators for implementing baseline controls that improve their security and resilience to cyber and all hazard threats,” the memo states. “Establishing minimum cybersecurity requirements as part of these efforts to secure critical infrastructure also aligns with the 2023 National Cybersecurity Strategy.”

Mayorkas points to the Cybersecurity and Infrastructure Security Agency’s Cyber Performance Goals, as well as the National Institute of Standards and Technology’s Cybersecurity Framework 2.0, as models for cyber protection standards.

“DHS will work with SRMAs, regulators and private sector entities to ensure that baseline requirements are risk informed, performance-based and to the extent feasible, harmonized and to develop tools that support the adoption of such requirements,” Mayorkas adds.

The memo also encourages agencies to incentivize shared service providers to adopt stronger security measures. And it highlights the need to “identify areas of concentrated risk and systemically important entities.”

Robust data management is key to harnessing the power of emerging technologies
https://federalnewsnetwork.com/commentary/2024/06/robust-data-management-is-key-to-harnessing-the-power-of-emerging-technologies/
Thu, 20 Jun 2024 19:36:35 +0000

Comprehensive data management is key to unlocking seamless, personalized and secure CX for government agencies.

The recent AI Executive Order aptly states that AI reflects the data upon which it is built. Federal agencies are looking to responsibly implement cutting-edge IT innovations such as artificial intelligence, machine learning and robotic process automation to improve customer experiences, bolster cybersecurity and advance mission outcomes. Accessing real-time, actionable data is vital to achieving these essential objectives.

Comprehensive data management is key to unlocking seamless, personalized and secure CX for government agencies. Real-time data empowers informed, rapid decision-making, which can improve critical, high-impact federal services where time is of the essence, such as in response to a natural disaster. Alarmingly, only 13% of federal agency leaders report having access to real-time data, and 73% feel they must do more to leverage the full value of data across their agency.

While some agencies are making progress in their IT modernization journeys, they continue to struggle when it comes to quickly accessing the right data due to numerous factors, from ineffective IT infrastructure to internal cultural barriers.

Actionable intelligence is paramount. The ultimate goal is to access the right data at the right moment to generate insights at “the speed of relevance,” as leaders at the Defense Department would say. To achieve the speed of relevance required to make real-time, data-driven decisions, agencies can take steps to enable quicker access to data, improve their data hygiene, and secure their data.

How to effectively intake and store troves of data

From a data infrastructure perspective, the best path to modernized, real-time deployment is using hyper automation and DevSecOps on cloud infrastructures. Many federal agencies have begun this transition from on-premises to cloud environments, but there’s still a long way to go until this transition is complete government-wide.

Implementing a hybrid, multi-cloud environment offers agencies a secure and cost-effective operating model to propel their data initiatives forward. By embracing standardization and employing cloud-agnostic tools for automation, visibility can be enhanced across systems and environments, while simultaneously adhering to service-level agreements and ensuring the reliability of data platforms. Once a robust infrastructure is in place to store and analyze data, agencies can turn their attention to data ingestion tools.

Despite many agency IT leaders utilizing data ingestion tools such as data lakes and warehouses, silos persist. Agencies can address this interoperability challenge by prioritizing flexible, scalable and holistic data ingestion tools such as data mesh. Data mesh tools, which foster a decentralized data management architecture to improve accessibility, can enable agency decision-makers to capitalize on the full spectrum of available data, while still accommodating unique agency requirements.

To ensure data is accessible to decision-makers, it’s important that the data ingestion mechanism has as many connectors as possible to all sources of data that an agency identifies. Data streaming and data pipelines can also enable real-time insights and facilitate faster decision-making by mitigating manual processes. Data streaming allows data to be ingested from multiple systems, which can build a single source of trust for analytical systems. Additionally, these practices limit data branching and silos, which can cause issues with data availability, quality and hygiene.

Data hygiene and security enable transformative benefits

Data hygiene is imperative, particularly when striving to ethically and accurately utilize data for an autonomous system like AI or ML. A robust data validation framework is necessary to improve data quality. To create this framework, agencies can map their data’s source systems and determine the types of data they expect to yield, but mapping becomes increasingly arduous as databases continue to scale.

One critical success factor is to understand the nature of the data and the necessary validations prior to ingesting the data into source systems. Hygiene can be improved by consuming the raw data into a data lake and then, during conversion, validating the data’s quality before applying any analytics or crafting insights.

In addition to data hygiene, data security must remain a top priority across the federal government as agencies move toward real-time data insights. Adopting a hybrid, multi-cloud environment can lead to a stronger security posture because there are data encryption capabilities inherent in enterprise cloud environments.

Agencies may consider using a maturity model to help their teams assess data readiness and how they are progressing in their cybersecurity frameworks. A maturity model lets agencies identify and understand specific security gaps at each level of the model and provides a roadmap to address these gaps. Ultimately, the cybersecurity framework is as essential as data hygiene to ensure agencies can harness data reliably and efficiently.

When agencies have data management solutions that reduce the friction of navigating siloed government systems and enable faster, more secure collaboration, they can drive innovation. This is especially true for agencies that handle extensive amounts of data. For example, many High Impact Service Providers (HISPs) must manage vast amounts of citizen data to provide critical, public-facing services with speed and scale.

Data is the foundation for modern digital government services. Once data is ingested, stored and secured effectively, the transformational potential of emerging technologies such as AI or RPA can be unlocked. Moreover, with real-time data insights, government decision-makers can use actionable intelligence to improve federal services. It’s essential that agency IT leaders invest in a robust data management strategy and modern data tools to ensure they can make informed decisions and benefit from the power of AI to achieve mission-critical outcomes for the American public.

Joe Jeter is senior vice president of federal technology at Maximus.

Energy working with renewables industry, cloud providers on cyber requirements
https://federalnewsnetwork.com/cybersecurity/2024/06/energy-working-with-renewables-industry-cloud-providers-on-cyber-requirements/
Wed, 19 Jun 2024 19:23:35 +0000

CESER's work with cloud service providers comes amid growing threats to critical infrastructure, as well as questions about cloud security responsibilities.

The Energy Department’s cybersecurity office will work with cloud service providers and the renewable energy industry this year to help delineate cyber protection requirements for the sector.

The work is being led out of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER). It comes amid growing concerns about hackers infiltrating U.S. critical infrastructure, including the electric grid.

Puesh Kumar, the director of CESER, said “traditional large fossil generation” is often prohibited by regulations from using the cloud. But he said renewable energy providers are often starting out by relying on cloud computing.

“But really, we haven’t really sat down to define what are the security requirements? Who owns what part of the security picture? Is that the owner and operator? Or is it the cloud service provider?” Kumar said during a cybersecurity panel discussion hosted by Semafor in Washington on Tuesday.

“One of the big efforts that we’re going to be undertaking this year is really bringing together companies like [Google], to actually come together and establish those requirements for both sides, so that we can set up the energy sector of the future with that security built in,” Kumar added.

The CESER office is tasked with addressing emerging threats to energy infrastructure, including cyber risks, climate change and physical security. CESER is leading several initiatives to secure new energy technologies from cyber threats. Those programs are funded as part of the $27 billion Congress provided the Energy Department to modernize the electric grid in the 2021 Infrastructure Investment and Jobs Act.

Kumar said the energy sector is going through “tremendous change” right now.

“We’re trying to combat the climate risk,” he said. “We’re trying to deploy more clean energy. We’re trying to deploy more renewables and electric vehicles and all that’s really great. And that can be a source of resilience in our energy sector in the United States. It can bring online more generation that hasn’t been online into our grid. But we also have to do that with security in mind. And so, as we’re fundamentally changing this grid, we have to ensure that security is baked into it.”

In addition to cyber threats targeting the electric grid, policymakers are also focusing more on the so-called “shared responsibility model” that lays out the cybersecurity responsibilities of cloud providers and their customers. The security responsibilities of cloud providers have come under particular scrutiny in the wake of China’s hack into Microsoft’s cloud email infrastructure last year.

Jeanette Manfra, global director for security and compliance at Google, argued large cloud providers can make security “cheaper and easier” for their customers. Manfra is a former Cybersecurity and Infrastructure Security Agency official.

“There’s a huge opportunity to leverage that scale, and to drive cloud providers to increase that level of security and safety and reliability,” Manfra said during the Semafor event. “I do believe it is the responsibility of cloud providers, particularly the largest ones, who are increasingly serving more and more critical infrastructure sectors, to have that high bar of security and safety. But there’s also risk because you start to consolidate on just a few companies. And so you have to think about what does that mean, that concentration risk? You have to think from a policy perspective of how you both leverage that opportunity, while also managing that potential concentration risk.”

CISA looks to set the example for data stewardship under ‘zero trust’ push
https://federalnewsnetwork.com/cybersecurity/2024/06/cisa-looks-to-set-the-example-for-data-stewardship-under-zero-trust-push/
Tue, 18 Jun 2024 19:33:59 +0000

CISA is helping agencies advance data security, while ensuring it has its own data house in order.

Under the ongoing federal “zero trust” push, data is often considered one of the most important but least mature areas for federal agencies.

The Cybersecurity and Infrastructure Security Agency (CISA), which maintains the “zero trust maturity model” that serves as a roadmap for agencies, is also working to better understand, protect, and connect its cybersecurity data, according to Grant Dasher, architecture branch chief within the office of the technical director at CISA.

“Data is one of the areas of the zero trust transition that probably has gotten a little bit less attention, but that’s not because it’s not critically important,” Dasher said on Federal News Network. “We do think it’s critically important.”

Dasher said one of his big jobs is to help CISA’s cybersecurity teams gain an understanding of the agency’s internal data holdings. That work is critical to programs like Continuous Diagnostics and Mitigation (CDM), which provides cybersecurity services and dashboards to the entire federal civilian executive branch.

“We are applying strong security controls to the data that we steward, and making sure that we understand it and connect it between different parts of the mission, so that they can make effective use of it,” Dasher said.

CISA’s chief data stewards

To help address the data challenge, Dasher said CISA has identified “chief data stewards” who are responsible for managing specific datasets across the agency. Those responsibilities include identifying the metadata characteristics that are necessary to both share and protect the information in question.

“We think developing that understanding is critical, because then on top of that, you can put in place data governance controls,” Dasher said. “You can say, ‘Okay, well, this person is the data owner, or the data steward. And so this is the person who should be able to approve, for example, access requests to that data by other parts of the organization’.”

CISA’s zero trust support

Combining data access controls with strong identity governance is a key aspect of moving away from perimeter-based cybersecurity and toward a zero trust architecture.

Within the CDM program, CISA has made a major investment in Endpoint Detection and Response (EDR) tools that agencies are adopting as part of the zero trust push. Dasher said CISA has also helped some smaller agencies with identity security. And the cyber agency is also helping agencies adopt its Secure Cloud Business Applications (SCuBA) guidance.

Ultimately, though, Dasher said there’s no one-size-fits-all solution to improving data security across federal agencies. But he said it’s key for agencies to embrace established best practices in cyber risk management.

“There’s a natural tension here between enabling access to support the mission and providing security,” Dasher said. “We can’t let security become something that prevents the government from delivering services to its constituents. But we have to protect the data. And so finding how to triangulate that is really the crux of data protection.”

NSF initiative aims to bring better data to the cyber workforce challenge
https://federalnewsnetwork.com/federal-report/2024/06/nsf-initiative-aims-to-bring-better-data-to-the-cyber-workforce-challenge/
Mon, 17 Jun 2024 22:29:19 +0000

Policymakers often talk about a cyber talent gap, but official data on the national cyber workforce is also in short supply.

One of the most bipartisan issues in Washington in 2024 is the need to address a persistent rise in cyber threats by bolstering the national cyber workforce.

In Congress, Democrats and Republicans alike frequently sponsor bills to invest more in STEM education and fill gaps in the cyber workforce. Meanwhile, the Biden administration is also implementing a widely supported national cyber workforce and education strategy.

But while everyone agrees there’s a gap, data on the U.S. cyber workforce is severely lacking compared to many other occupations. And as a new report shows, it’s often because official labor and education sources don’t yet reflect the changing landscape of cybersecurity work.

The Cybersecurity Workforce Data Initiative, authorized as part of the 2022 CHIPS and Science Act, aims to “assess the feasibility of producing national estimates and statistical information on the cybersecurity workforce.” The National Center for Science and Engineering Statistics, housed within the National Science Foundation, is leading the initiative.

In May, the CWDI released a report on “cybersecurity workforce supply and demand” led by RTI International, a nonprofit research institute.

The report lays out many of the challenges in obtaining granular, ground-truth data on the cybersecurity workforce, as well as some recommendations for addressing those problems.

For instance, one of the most commonly used guides for explaining cybersecurity work is the “NICE Framework,” maintained by the National Institute of Standards and Technology. Widely regarded as essential to understanding different cyber roles, the NICE Framework has not been translated to align with traditional federal labor data used by the Bureau of Labor Statistics or the Census Bureau.

“The NICE framework is not intended to be a prescriptive taxonomy. By our definition, and that within the NICE framework, cybersecurity does not fit easily into a single occupation code or title, and this presents a challenge to using existing labor market data,” Michael Hogan, one of the lead authors on the new report, said during a June 10 workshop hosted by CWDI.

“In the absence of traditional data, administrative data providers have filled that gap,” Hogan added.

Those administrative providers include CyberSeek, a public-private partnership, that serves as one of the most commonly cited sources for cyber workforce data. CyberSeek currently estimates that there are nearly 470,000 open cybersecurity jobs across the country.

Another commonly referenced resource is ISC2’s cyber workforce study, which recently estimated there are 5.5 million cybersecurity workers and nearly 4 million job openings across the globe.

“These data and surveys are very valuable for capturing a subset of the workforce, but we believe that this data does not yet encompass the entire state of supply and demand for cybersecurity workers,” Hogan explained.

While many new pieces of legislation focus on increasing STEM education and expanding the pipeline of STEM graduates, the CWDI report notes that only 46% of college graduates in core cybersecurity positions had a degree that was closely related to their work.

“There is a lack of information about the knowledge, skills, and credentials required for cybersecurity work, the on-ramps into cybersecurity jobs, and the source of a potential mismatch between the work experience sought by employers versus the experience held by new graduates,” the report explains.

Part of the challenge is that cybersecurity is still a relatively new and evolving field. But yet another wrinkle is that while there are jobs that are clearly cybersecurity positions – information security analyst, for example – many other jobs could be considered cybersecurity-adjacent, as the CWDI report notes.

“We know that nearly every occupation today touches digital technology, and there are cybersecurity components to go along with it,” Hogan said. “This presents a challenge for us in putting a boundary around the cybersecurity workforce.”

The report offers a range of initial recommendations to better understand the cybersecurity workforce. It recommends, for instance, merging NIST’s NICE Framework with the Occupational Information Network, a public database sponsored by the Labor Department’s Employment and Training Administration.

It also recommends improving the Standard Occupational Classification to better reflect cybersecurity workers. The SOC is maintained by the Bureau of Labor Statistics and is used by federal agencies to classify workers into occupational categories.

Similarly, the report recommends improving the Education Department’s Classification of Instructional Programs (CIP) to better capture cybersecurity schooling data.

Meanwhile, Hogan said CWDI will continue to collect data and feedback as it prepares to potentially launch a pilot survey of the U.S. cybersecurity workforce later this year.

Nearly Useless Factoid

By Michele Sandiford

The first known computer virus (worm) to replicate over a computer network (The Creeper worm) was created by BBN engineer Robert Thomas in 1971.

Source: Computer Timeline

Expanding CISA’s zero trust role is smart: Here’s why
https://federalnewsnetwork.com/federal-insights/2024/06/expanding-cisas-zero-trust-role-is-smart-heres-why/
Mon, 17 Jun 2024 17:48:12 +0000

With further tasking and resources, CISA could supply more help to address major challenges that impede FCEB ZTA implementation.

This content was originally posted by Booz Allen Hamilton.

Picture this: The president is poised to deploy U.S. military forces to respond to a future geopolitical crisis. Suddenly an authoritarian state covertly targets the operations of Federal Civilian Executive Branch (FCEB) agencies with disruptive cyber threats. The attack holds a few missions and essential services as digital hostages and signals the potential to do even worse in an escalating crisis: It’s a bid to panic U.S. leaders and the American public and deter the nation from acting in the interest of national security. Now the president’s decisions on the crisis are harder to make due to the vulnerability of data, devices, and systems at civil government agencies. This potential scenario illustrates the urgency of strengthening federal cybersecurity today.

To get ahead of such threats, the Biden administration is implementing zero trust across the federal enterprise. In this whole-of-government effort, roles can grow over time: Zero trust isn’t a zero-sum game. Now the nation needs the Cybersecurity and Infrastructure Security Agency (CISA) to assume a more visible, practical role helping civilian government agencies with zero trust architecture (ZTA) implementation. Enhancing CISA’s zero trust role this way is one of the recommendations to CISA and Congress in a new independent report published by the Center for Strategic and International Studies (CSIS). The study, which Booz Allen sponsored, serves the public interest: It reviews the current cyber services offered to the FCEB agencies as well as the current and future state of the threat landscape. It also recommends other services that CISA could offer FCEBs for stronger protection.

Civilian agencies have a diverse range of missions, separate budget plans, and unique IT modernization efforts, but they share a requirement to meet specific zero trust goals by the end of fiscal year 2024. CISA has made significant contributions to this effort, including the release this year of an updated Zero Trust Maturity Model. Also, CISA is in the early stages of developing a related technical annex for operational technology (OT). In addition, CISA is exploring the development of new zero trust metrics and measures to augment existing Federal Information Security Modernization Act (FISMA) metrics and assessing how its Continuous Diagnostics and Mitigation (CDM) program could enable automated reporting.

Addressing key challenges

With further tasking and resources, CISA could supply more help to address three major challenges that impede FCEB ZTA implementation:

  1. Agencies need to assess the current state of their zero trust maturity. Right now, most FCEB agencies have given CISA rudimentary zero trust assessments that aren’t well structured and evoke “check the box” compliance.
  2. Agencies need to implement zero trust. CISA has issued several pieces of guidance: These do not dictate a single approach—and that’s fine. CISA should revise its guidance on CDM capability requirements to reflect orchestration and automation objectives, such as conditional access. It should also share those requirements with industry so that original equipment manufacturers (OEM) can demonstrate how their products enable those requirements.
  3. Agencies need to carry out continuous monitoring and reporting. All 93 agencies with a CDM Memorandum of Agreement (MOA) have deployed the CDM Dashboard and are feeding data to CISA. However, there is still further work to do to expand monitoring to more aspects of the enterprise.

Enhancing CISA’s role

So, what would CISA’s enhanced role look like? For starters, here are some ideas:

  • CISA could have a team of zero trust experts engaged with FCEB agencies to supply recommendations on architecture and implementation approaches.
  • What’s more, CISA could work with the Department of Defense (DOD) to see how they are implementing zero trust via the Thunderdome effort. It could also schedule technology exchanges that complement CISA’s ongoing high-level engagement with DOD’s chief information officer (CIO).
  • CISA could expand on nascent efforts to develop specific metrics and measures for zero trust that could be reported in an automated fashion using the CDM Dashboard Ecosystem.

The ZTA recommendation is just one of many pieces of actionable advice in the CSIS report. Another recommendation urges Congress to ensure consistent, coherent, and flexible funding streams for initiatives like the CDM program. CDM helps civilian agencies strengthen their management of assets, user access controls, network security, and data protection, and it enables CISA to respond to cyber threats in a coordinated, accelerated way. Also, the report calls for a study of whether to (and how to) centralize ownership of FCEB networks. By addressing key issues and questions like these, the nation can ensure the federal government is well positioned to build cybersecurity and resilience at scale.

Learn more about Booz Allen’s mission-forward solutions and services at www.BoozAllen.com/Cyber.

Some feds continue to see fraudulent FSAFEDS deductions https://federalnewsnetwork.com/benefits/2024/06/some-feds-continue-to-see-fraudulent-fsafeds-deductions/ https://federalnewsnetwork.com/benefits/2024/06/some-feds-continue-to-see-fraudulent-fsafeds-deductions/#respond Fri, 14 Jun 2024 19:24:25 +0000 https://federalnewsnetwork.com/?p=5041243 One former official questioned why OPM and the FSAFEDS program didn’t have stronger fraud controls in place before recent reports of fraudulent deductions.

Some employees have continued to see fraudulent deductions from their Federal Flexible Spending Accounts, weeks after FSAFEDS fraud was first reported.

Employees have reported fraudulent FSAFEDS deductions in paychecks as recently as June 7, Federal News Network has learned. FNN could not confirm the number of employees who have continued to see fraudulent deductions. The FSAFEDS fraud was originally estimated to impact approximately “several hundred” employees.

The Office of Personnel Management operates the FSAFEDS program through a contract with HealthEquity, a third-party vendor.

HealthEquity referred all questions to OPM. An OPM spokesman said the agency was continuing to work with HealthEquity “to secure impacted accounts, refund impacted individuals, and implement additional anti-fraud controls.”

OPM did not answer specific questions about further reports of fraud impacting the program. “At this time, there is no evidence that OPM or our vendors’ systems have been compromised in any way,” the spokesman said.

But agencies have continued to warn their employees about the potential for FSAFEDS fraud. In a June 13 notice, the Coast Guard alerted employees to OPM’s temporary pause in new FSAFEDS enrollments.

“Your vigilance is crucial in helping address this issue promptly and effectively,” the Coast Guard wrote in the alert. “FSAFEDS appreciates your cooperation and understanding and will continue to communicate any new updates with members in the coming days and weeks.”

The ongoing pause in the FSAFEDS enrollment function also applies to current employees who experience a qualifying life event (QLE), such as the birth of a child or a marriage. OPM said employees will be able to retroactively adjust their elections due to a QLE after the pause is lifted.

Employees can also submit claims for reimbursement while the pause is in effect.

John Hatton, vice president for policy and programs at the National Active and Retired Federal Employees Association (NARFE), said the situation was “obviously concerning.”

“The questions now are how OPM and federal agencies are going to identify all unauthorized deductions, and ensure every federal employee is made whole; and how quickly can OPM get FSAFEDS enrollments back up and running so this employment benefit remains available to federal employees,” Hatton said in a statement. “We’re thankful the OPM OIG has identified this problem, and hope law enforcement is able to identify and prosecute the individuals responsible for these fraudulent activities.”

FSAFEDS fraudsters used personal data

The FSAFEDS fraud stems from bad actors using federal employee information to either create fraudulent accounts or fraudulent reimbursement claims, according to one government source. The source said HealthEquity has been introducing new anti-fraud and security measures, including requirements to use Login.gov, which features multifactor authentication.

But Linda Miller, the founder and CEO of Audient Group, LLC and former deputy executive director of the Pandemic Response Accountability Committee, questioned why OPM didn’t require HealthEquity to use stronger fraud controls in the first place.

“There needs to be really stringent identity theft-based fraud controls at the front end, and anybody that is administering a program like this should be expected to have a baseline level of those kinds of controls,” Miller said. “Anytime you’re dealing with a service that involves money being exchanged, [multifactor authentication] is the floor, not the ceiling, when it comes to anti-fraud controls.”

Miller said it’s easier than ever for fraudsters to leverage stolen personal data, including that of federal employees, that can be found for sale on the deep or dark web.

“In my experience with federal agencies, across the board with some exceptions, there’s not really a lot of attention on the possibility that fraud or identity theft could be happening,” Miller said. “The awareness of this issue is so small compared to the impact and the size of the problem.”

Four key highlights from the Microsoft cybersecurity hearing https://federalnewsnetwork.com/cybersecurity/2024/06/four-key-highlights-from-the-microsoft-cybersecurity-hearing/ https://federalnewsnetwork.com/cybersecurity/2024/06/four-key-highlights-from-the-microsoft-cybersecurity-hearing/#respond Thu, 13 Jun 2024 22:36:44 +0000 https://federalnewsnetwork.com/?p=5040110 Microsoft President Brad Smith made a number of key commitments, but faced no harsh criticism for his company's documented cybersecurity shortcomings.

Despite the scathing Cyber Safety Review Board report on his company’s cybersecurity practices, Microsoft President Brad Smith didn’t experience much venom when he testified before the House Homeland Security Committee today.

In fact, many lawmakers praised Smith for taking responsibility for the shortcomings identified in the report. Smith also described internal changes Microsoft is making under its “Secure Future” initiative, including efforts to implement many of the safety review board’s recommendations.

“The reality is you cannot protect the homeland security of this country without protecting the cybersecurity of it as well,” Smith said. “And that is a shared responsibility between the public and private sectors, and hence, what you do to oversee us and others in the private sector is critical. I think the most important thing for me to say, the most important thing for me to write in my written testimony, is that we accept responsibility for each and every finding in this CSRB report.”

The report, issued in April, found a “cascade of Microsoft’s avoidable errors” led to Chinese hackers breaking into the emails of high-level government officials, including Commerce Secretary Gina Raimondo, last summer.

“The board finds that this intrusion was preventable and should never have occurred,” the report stated. “The board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

While lawmakers asked Smith a wide variety of questions about the report and other issues, here are four key moments from the hearing.

Criticizing the CSRB process

While being questioned by Rep. Marjorie Taylor Greene (R-Ga.), Smith took the opportunity to hit back at the Cyber Safety Review Board itself. He specifically pointed to the presence of Microsoft’s competitors on the board.

“I think it’s probably a mistake to put on the board people who work for competitors of, say, a company that is the subject of a review,” Smith said. “The spirit of this, when it was created was to create a community of people who could learn together. But I’m less concerned about the way the process worked, and I just worry that where people want to take it in the future and just make hay out of others’ mistakes. And I’m just not sure that’s going to do us that much good.”

The review board includes a mix of government and private sector officials. Its chairman is DHS Under Secretary for Policy Robert Silvers, while the deputy chairwoman is Heather Adkins, vice president for security engineering at Google.

However, the CSRB notes that members who may have a potential conflict of interest with a particular review topic will be recused. And the Microsoft report does not list Adkins, nor any other direct representatives from Microsoft’s competitors, as being one of the members who participated in the review.

Still, Smith suggested other companies may not participate as willingly in a CSRB review due to how Microsoft’s competitors have pounced on the board’s latest findings.

“We are not adversaries with each other, even though we may compete with each other,” Smith said. “The adversaries are our foreign foes. So let’s try to exercise a little self restraint about how we work in these processes, because I don’t think that the next company that gets an invitation from the CSRB is likely to be necessarily as willing as we were to share everything, which we did.”

Smith’s comments come as Congress considers formally authorizing the board into law. It was created at the direction of President Joe Biden’s May 2021 cybersecurity executive order.

State Department praise

In the midst of last summer’s hack, it was State Department personnel who first uncovered evidence of the intrusion.

“You always want to be the first in life,” Smith said when asked if Microsoft should have detected the attack first. “But on the other hand, I have to say, especially given the nature of networks and how they’re distributed and different people see different things, mostly, I just want to celebrate the fact that people are finding different things, and we’re sharing them with each other.”

The State Department was able to uncover the hack because the agency paid for Microsoft’s premium audit logging services. Some members of Congress had been calling for Microsoft to provide logs for free after the 2020 SolarWinds incident.

But after last summer’s hack, Microsoft committed to retaining its customer security logs for up to six months, while providing access to them without charging extra. In February, it began making those logs available to federal agencies at no additional cost.

“I wish we had moved faster and had gone farther,” Smith said when asked why the company hadn’t done that sooner. “I think there was a focus on the real costs associated with keeping and retaining logs. But we should have recognized sooner, especially as the threat landscape changed, that we would be best served I think as we are now by not just retaining but providing these logs for free.”

Microsoft commitments

Meanwhile, House Homeland Security Committee Ranking Member Bennie Thompson (D-Miss.) said today’s discussion “is just the beginning of ongoing oversight to ensure that the technology products used by the federal government are secure and that federal vendors take the security obligation seriously.”

Thompson also asked Smith to commit to being transparent with its customers, especially within government, about vulnerabilities in its IT products, including cloud services.

“The answer is ‘yes,’” Smith responded. “And the only qualification I would offer is we need to do it in a way where we share information with the right people in the right governments, and then do it in a way that it doesn’t make that same sensitive information available to our adversaries. So I’m sure we can do that.”

Smith also committed to being transparent with its customers about the company’s investigations into cyber incidents, as well as to releasing benchmarks and time frames for implementing the CSRB’s recommendations.

Market dominance

Throughout the hearing, lawmakers also touched on Microsoft’s dominant footprint across government and critical infrastructure IT networks.

Smith said Microsoft accounts for about 3% of the annual federal IT budget.

“I know that the U.S. government has many choices when it comes to cybersecurity services,” Smith said when asked about Microsoft’s share of government IT contracts. “And I think it takes advantage of them. And we’re one of them. I don’t frankly know how we compare to some of the others.”

Meanwhile, Smith said Microsoft’s global government business likely accounts for less than 10% of its annual revenues.

“We love the federal government,” Smith said. “It is a big customer. It’s one of our biggest and it’s the one that we’re most devoted to, but it’s not the big source of our revenue.”

Some lawmakers recently expressed concern about the federal government’s reliance on Microsoft. Sen. Ron Wyden (D-Ore.) has authored draft legislation he said would end the government’s reliance on big technology companies, but no other lawmakers have signed onto that effort so far.

And during today’s House Homeland Security Committee hearing, none of the members referenced any ongoing work in Congress to address the CSRB report and its recommendations.

“Microsoft is a great company,” Rep. Clay Higgins (R-La.) said. “Everybody in here has some kind of interaction with Microsoft. We really don’t have much choice.”

Elevating visibility: The stabilizing force in responsive cyber defense https://federalnewsnetwork.com/commentary/2024/06/elevating-visibility-the-stabilizing-force-in-responsive-cyber-defense/ https://federalnewsnetwork.com/commentary/2024/06/elevating-visibility-the-stabilizing-force-in-responsive-cyber-defense/#respond Thu, 13 Jun 2024 15:31:42 +0000 https://federalnewsnetwork.com/?p=5039322 Agencies need a threat-informed defense approach that leverages global adversary signals and early warning capabilities to defend against cyber threats.

Recently, MITRE disclosed the impact of the Ivanti Connect Secure zero-day vulnerabilities in compromising one of their virtualized networks. The cyberattack allowed session hijacking that circumvented multi-factor authentication, which eventually led to persistence, and command and control (C2) with backdoors and webshells. This cyber effect is called “Security Control Gravity,” which is the force that exploitable software vulnerabilities and misconfigurations exert on security controls, circumventing and eroding them over time. Improving the efficacy of security controls and how they are implemented to be resilient against cybersecurity attacks should be a key initiative of government and industry research to better understand the impact this gravity has on security controls failing.

We cannot wait for security controls to fail

What is known to be true is that security controls will fail, and that all software has vulnerabilities and known common vulnerabilities and exposures (CVE) that can be exploited, as well as a significant amount of common weakness enumerations (CWE) that could expose vulnerabilities in software. As a result, keeping a pulse on how these security controls perform and the active threats targeting the organization with continuous monitoring is imperative for elevating visibility and being more responsive to cyberattacks. To keep pace with threat actors’ activities, organizations cannot fail in elevating their visibility around threat actors’ behaviors and activities.

Elevating visibility must be the constant and stabilizer in disrupting threat actors. This means formalizing a threat-informed defense approach that leverages global adversary signals and early warning capabilities to peer into imminent and likely threats targeting the organization. Most organizations are detecting threat activity too late in MITRE’s adversarial tactics, techniques and common knowledge (ATT&CK) lifecycle due to the lack of visibility. This reactive security posture plagues many organizations and creates ample dwell time for threat actors to gain a foothold, find sensitive data and exfiltrate it.

To the left, to the left

Now is the time to shift to responsive approaches where elevating visibility anchors efforts to disrupt threat actors. It is important to establish clear lines of visibility left of initial access and peer into reconnaissance and resource development activities performed by threat actors. To disrupt threat actors, organizations must gain visibility into reconnaissance and resource development activities before threat actors are able to gain a foothold into the environment. These activities provide signals that can be used to hunt for threat actors’ activities and establish the ability to identify warnings of attack (WoA) and warnings of compromise (WoC).

Active and actionable threat intelligence

WoAs are inbound global adversary signals that indicate in near time an adversary attack or compromise on critical mission assets and resources. WoA is based on a high-fidelity machine analysis of far-space telemetry, such as covert operations, honeypots, border gateway protocol (BGP) data and threat intelligence to provide early warning detection of imminent attacks targeting an organization. Threat actors have been leveraging reconnaissance for targeted attacks into organizations (as seen with the MITRE Ivanti cyberattack) given the amount of breach data on the dark web and a wealth of personal information people share on their social media sites, as well as the rise of artificial intelligence in threat actors’ arsenal to accelerate and fine tune their offensive campaigns. Things like spear phishing can be tailored to look real and legitimate, as if it is coming from people you trust and know like family and friends. As threat actors spin up infrastructure leveraging cloud resources to mimic an organization’s domains and launch phishing attempts, gaining visibility into these activities is essential for formalizing early warning capabilities.

WoCs are outbound signals from assets and resources that indicate suspicious communication and demonstrate compromised behaviors. WoC is based on adaptive risk profiling and contextual analysis to identify and monitor communication pathways to known infrastructure controlled by adversaries or infrastructure supporting compromised assets and resources. This allows organizations to detect C2, botnet activity, data exfiltration attempts, and ransomware behavior and activities associated with emerging threats. Using global adversary signals pinpoints threat actors’ campaigns that allow organizations to hunt for those signals without having an obvious indicator of compromise (IoC) to look for. Today’s threats are stealthier and are designed to evade cyber defenses; WoC provides a way to elevate visibility against changes and improvements in threat actors’ tradecraft.

Visibility cannot fail

While threat intelligence is good to formalize and leverage in operational environments, it is typically based on what has already happened, things that are in the wild. Responsive cyber defense calls for actionable threat intelligence, based on global adversary signals that warn of imminent and impending cyberattacks – what is happening, based on what has already happened in the past. Evolving the state of practice from hunting IoCs and indicators of attack, to hunting for signals leveraging WoA and WoC capabilities is essential for formalizing responsive cyber defense. This will put organizations in a better position to anticipate, adapt and evolve against threat actors’ capabilities.

Security controls will fail; visibility cannot. Hunt, or be hunted.

Kevin Greene is public sector expert at OpenText Cybersecurity.

How the Army is always testing, training on zero trust https://federalnewsnetwork.com/ask-the-cio/2024/06/how-the-army-is-always-testing-training-on-zero-trust/ https://federalnewsnetwork.com/ask-the-cio/2024/06/how-the-army-is-always-testing-training-on-zero-trust/#respond Thu, 13 Jun 2024 12:49:20 +0000 https://federalnewsnetwork.com/?p=5039061 The Army I Corps used the recent Yama Sakura 85 exercise to further prove out how to create a single, secure network to share information with allied partners.

The Army tackled one of its toughest challenges: Creating a common operating picture for all of its allied partners.

The recent Yama Sakura 85 exercise demonstrated how the Army, the Australians and the Japanese could securely share information by using an architecture based on zero trust principles.

Col. Rett Burroughs, the chief information officer & G6 for the Army’s I Corps, said over the course of the 10-to-12 day training event last December, the Army successfully brought their allied leaders onto a single and secured network at the tactical edge.

“What we are looking at is properly being distributed across the entirety of the Pacific. We could have a command and control node anywhere in Australia, Thailand, Philippines, Japan, Korea, Hawaii, Guam or Alaska, and back here at Joint Base Lewis McChord, Washington so that now every node has roles and responsibilities. How do we ensure that conductivity happens across all of those different nodes that are very disparate and spread out? And then how do we leverage the technology of transport to ensure that we’re getting applications all the way to the edge?” Burroughs said on Ask the CIO. “We spent months preparing to ensure we had right safeguards in place. In its simplest form, in the application for the warfighter, which is definitely my area of concern, it brought the Australians and the Japanese together because before it was the Australians and the Americans, and then it was the Americans and the Japanese. The Australians couldn’t be in the same Tactical Operations Center as the Japanese. Now we have the ability for the first Australian division commander to talk directly with senior generals from the Japanese Ground Force Command.”

Burroughs said in previous exercises, the Americans and Australians would talk, and then the Americans and Japanese would talk, with the Army acting as the “go-between” for the Australians and Japanese. And Burroughs readily admits everyone knows what happens when you play the game of telephone.

“Our goal here was to establish one common operating picture and the ability to voice video chat, and share specific information,” he said. “The application of this proved critical in the ability for staff to make informed recommendations, and for commanders to make informed decisions. We weren’t just slinging all this data just because commanders need and want everything.”

Broader application than just the Army

The success of the Yama Sakura 85 exercise proved this shared network and zero trust concept for more than just the Army. Any federal organization can take the basic concepts to create a common operating picture.

John Sahlin, the vice president of cyber solutions for General Dynamics-IT, which supported the Army with integration expertise, said these same approaches could help agencies such as FEMA, which has to create shared networks to help cities or states recover from disasters.

“I’ve been fascinated by this problem set ever since I deployed for the Hurricane Katrina relief efforts back about 15 years ago. We started thinking about a military mission for that humanitarian assistance effort and it turned very quickly into an interagency and even local government support mission,” Sahlin said. “We had good communications. We had a good sight picture. We had good mapping data, which nobody else in the area did. We had to quickly share that data with first responders, the local hospital, the parish sheriff, non-government organizations like the Red Cross. I think that these are lessons of zero trust at the tactical edge for information sharing to inform that on scene commander, are lessons that can be learned, not only for the military at the tactical edge, but for any organization that has field-deployed, forward-deployed organizations that need to share data to execute a mission rapidly and make those changes dynamically with first responders with interagency support, things like that.”

Burroughs added this approach of creating a distributed network supported by zero trust tools isn’t just important for the tactical edge, but for Army commanders in garrison or commands who have to coordinate with the National Guard or local first responder communities or anyone outside of the service.

“Now we don’t have to have these disparate networks that do not talk to each other because of classification and policy, which you clearly went through during the Katrina catastrophe,” he said. “Now what we’re doing is we’re taking need to figure this out on the fly out during a catastrophe. We’re actually getting ahead of it now by addressing it before the next catastrophe. So when something does come in competition or crisis, we’re actually able to deal with it in a methodical way instead of reacting.”

Shift toward data-centricity

In many ways what Burroughs and Sahlin are describing is how the Army, and really every agency, must be more of a data-centric organization.

Lt. Col. Roberto Nunez, the chief of signal services support for Army I Corps, said the implementation of zero trust capabilities forces the end users to shift that data culture because they have to tag and label information much more specifically and consistently.

“You can say ‘all right, here’s all my data that I want to share, all my users that are also tagged and labeled as well as what they’re authorized to use and what they cannot use. Therefore, you can plug in with other mission partners to share that information and you can create that common environment moving forward, whether it’s joint coalition, at least from a DoD point of view,” he said. “If you want third parties to join in, whether it’s corporate America, academics, other organizations or other government agencies, you can do that if everything’s data-centric, labeled and tagged accordingly. This is what is great about zero trust.”

Burroughs said planning for the next Yama Sakura 87 exercise in December already is underway. But he said these capabilities aren’t turned on during the exercise and then turned off. The network is always on and therefore the Army is always iterating how to make secure information sharing better, faster and easier.

Chief Warrant Officer 4 Phil Dieppa, a senior services engineer for Army I Corps, said the Yama Sakura 87 exercise and other demonstrations have shown the service that the “come as you are” model works because of the zero trust capabilities.

“The great thing about zero trust is that we don’t trust anything until we explicitly have that conversation and say that ‘I trust you.’ Once we do that, then we can start communicating and making those services available one at a time,” he said.
CISA sees customers as key to ‘secure by design’ pledge https://federalnewsnetwork.com/cybersecurity/2024/06/cisa-sees-customers-as-key-to-secure-by-design-pledge/ https://federalnewsnetwork.com/cybersecurity/2024/06/cisa-sees-customers-as-key-to-secure-by-design-pledge/#respond Tue, 11 Jun 2024 21:53:36 +0000 https://federalnewsnetwork.com/?p=5036702 Many organizations, including federal agencies, are already starting to ask whether their technology products are "secure by design."

The post CISA sees customers as key to ‘secure by design’ pledge first appeared on Federal News Network.


The Cybersecurity and Infrastructure Security Agency’s “secure by design” pledge might be voluntary. But CISA is hoping customers will help drive the demand for companies to follow through and adopt stronger cybersecurity practices.

CISA announced the pledge in May, with an initial 68 technology companies signed onto the commitments. That number has more than doubled to 140 companies over the last month. Lauren Zabierek, senior advisor in CISA’s cybersecurity division, said the goal is to catalyze action by some of the largest technology companies.

“We really think that this is such a key moment, because these companies are publicly taking ownership of their customers’ security outcomes, which is principle number one in secure by design,” Zabierek said in an interview.

CISA released the initial “secure by design” white paper last April. It has since released several updates. The pledge distills those principles into seven specific goals companies will commit to pursuing within one year of signing. Some of the goals include expanding the use of multifactor authentication, increasing the installation of security patches, and reducing entire classes of vulnerabilities, such as SQL injection.

The voluntary pledge is based on “good-faith” efforts of the companies, rather than any requirements or regulations. “We are not the enforcer of the pledge,” Zabierek noted.

But CISA hopes the public commitments will also lead companies to embrace “radical transparency,” another tenet of “secure by design.”

“We’re hoping that the company’s customers as well as the public and even civil society will be able to evaluate those actions taken,” Zabierek said. “And combining that together, this increased radical transparency . . . will help to shift that market to make sure that security is a core differentiator among products.”

While many technology companies compete on software features and cost, CISA believes the pledge could help demonstrate a “first mover advantage” on security, Zabierek said.

“Even to innovate on security,” she added. “We’ve heard in the past, ‘These things may harm innovation?’ Well, what if we flipped that on its head? And we started to innovate on security? And then of course customer trust. Companies can build up the trust of their customer base by having more quality products. We think that security and quality are very much related to each other.”

Secure software push

CISA this year is also focusing on “secure by demand” guidance for the customers who buy technology products and services. Zabierek noted federal agencies can help drive the demand for secure products. This month, agencies began collecting “secure software development attestation forms” from third-party software vendors. The form, which was developed by CISA, identifies the minimum security requirements for software used by the government.

Earlier this year, CISA also joined the “Minimum Viable Secure Product” working group. The MVSP is intended to identify key security questions that customers should be asking when buying and using software.

“As we develop that secure by demand approach — which I think will be informed by that minimum viable secure product set of controls — our goal is really to be very, very simple here,” Zabierek said. “Asking the right questions. For example, what could happen with data if a certain control isn’t met? Making it so that people without a lot of security experience can still ask that question and understand how the product works.”

Meanwhile, with 140 companies having signed the pledge so far, CISA is urging more technology companies to join the initiative.

“We think this is really powerful, because we’re going to learn a lot from each other and we’re going to share information and best practices,” Zabierek said. “And we’re going to continue to really drive progress and momentum forward here.”

Agency cybersecurity incidents grew by almost 10% last year https://federalnewsnetwork.com/federal-newscast/2024/06/agency-cybersecurity-incidents-grew-by-almost-10-last-year/ https://federalnewsnetwork.com/federal-newscast/2024/06/agency-cybersecurity-incidents-grew-by-almost-10-last-year/#respond Mon, 10 Jun 2024 13:03:00 +0000 https://federalnewsnetwork.com/?p=5034308 OMB's latest FISMA report to Congress shows an increase from more than 29,000 cybersecurity incidents in 2022 to 32,000 in 2023.

The post Agency cybersecurity incidents grew by almost 10% last year first appeared on Federal News Network.

  • The number of cybersecurity incidents in 2023 grew by almost 10%. Agencies reported more than 32,000 cyber incidents to the Cybersecurity and Infrastructure Security Agency in fiscal 2023. The latest Federal Information Security Modernization Act (FISMA) report to Congress from the Office of Management and Budget showed an increase from more than 29,000 cyber incidents from the year before. Of those 32,000 incidents, 38% — or more than 12,000 — were due to improper usage, which means someone violated an agency's acceptable use policy. The second biggest attack vector, once again, was email phishing, which saw more than a 50% increase in 2023 as compared to 2022. The good news, OMB said, is 99% of all incidents in 2023 were considered "unsubstantiated or inconsequential event[s]."
  • Federal office space remains a top priority for the General Services Administration to address. GSA has started taking steps to address the challenge of federal office holdings. But the Government Accountability Office said GSA needs to make a full plan of action to help agencies fix their underutilization of office space. Managing office space post-pandemic has been on GAO’s list of the top priorities for GSA to address since 2022. GAO said its recommendations could help agencies make better post-pandemic decisions for potential changes to their real estate holdings.
  • The House Armed Services Committee’s bipartisan proposal to require the Defense Department to study the establishment of a cyber force is bringing back a long-running debate over the U.S. Cyber Command’s organizational challenges. The measure in the House Armed Services Committee’s version of the 2025 defense policy bill seeks an independent study of establishing a separate armed force dedicated to cyber. If passed, the measure would require the Defense Department to enter into an agreement with the National Academy of Sciences to conduct the evaluation. The provision has a “prohibition against interference,” which prohibits the Defense Department’s personnel from interfering or exerting influence to alter the findings of the National Academy of Sciences. If passed, the Academy will have nine months to complete the study.
  • A new playbook will help agencies set up neurodiversity programs. The "Neurodiversity@Work Playbook Federal Edition" includes best practices and addresses key questions for agencies. The playbook was released in May by the University of Washington, MITRE and D.C.-based nonprofit Melwood. Its authors say the playbook can help agencies be more inclusive for people with autism and other neurodivergent conditions. It builds on pilot programs started by the National Geospatial Intelligence Agency and the Cybersecurity and Infrastructure Security Agency.
  • New legislation in the House would prohibit the Department of Homeland Security from buying batteries made by six Chinese companies. Sponsors of the bill said it will help decouple the U.S. supply chain from a geopolitical adversary. The ban would go into effect on October 1, 2027. China produces about 80% of the world’s batteries, including about 70% of all lithium-ion batteries. The new legislation would give the secretary of homeland security the power to waive the prohibition if there are no viable alternatives.
  • The government’s inventory of federal retirement claims is at its lowest level in eight years. The Office of Personnel Management currently has about 14,000 pending claims from retiring feds. That is the lowest number that OPM has seen since May 2016. But it is still about 1,000 claims above OPM’s goal of having 13,000 claims in its hands at any given time. OPM also received slightly fewer new retirement claims during May than it did in April.
  • The Pentagon has a new series of “overlays” meant to help Defense components adopt zero trust approaches to cybersecurity. A new document published last week laid out how existing security controls — the National Institute of Standards and Technology 800-53 series DoD components already use — map onto the “pillars” DoD defined in its zero trust strategy last year. Defense officials said it is likely that most system owners have already implemented most of those controls, but the new overlays will help them identify the gaps between their current posture and zero trust.
    (DoD Zero Trust Overlay - Department of Defense)
  • U.S. Cyber Command is standing up a new program executive office to support its Joint Cyber Warfighting Architecture (JCWA). The command launched the effort five years ago to consolidate disparate systems across the military services into one single platform. The JCWA currently encompasses six programs of record across the military services. This year, the command is working to get more acquisition authority over program management shops within the services. CYBERCOM also wants to reduce redundancy, including reducing the number of software factories that are delivering capabilities for the JCWA.
  • The Energy Department has given agencies another tool to get federal buildings to reach net zero emissions by 2045. DoE recently published the National Definition of a Zero Emissions Building, which will become the standard for federal leases beginning in 2030. Through the new standards, agencies have criteria to determine that a building generates zero emissions from energy use in building operations. The new definition follows several other policy and standards efforts by DoE to meet the Biden administration's federal sustainability plan. In late April, the Energy Department also finalized a rule requiring agencies to phase out fossil-fuel usage in new federal building construction or major renovation by 2030.
NDAA proposal reigniting debate over separate cyber force https://federalnewsnetwork.com/defense-main/2024/06/ndaa-proposal-reigniting-debate-over-separate-cyber-force/ https://federalnewsnetwork.com/defense-main/2024/06/ndaa-proposal-reigniting-debate-over-separate-cyber-force/#respond Fri, 07 Jun 2024 23:04:00 +0000 https://federalnewsnetwork.com/?p=5032429 Pentagon officials are rejecting the idea of establishing a separate cyber force as lawmakers request an independent study.

The post NDAA proposal reigniting debate over separate cyber force first appeared on Federal News Network.

The House Armed Services Committee’s bipartisan proposal to require the Defense Department to study the establishment of a cyber force is resurfacing a long-running debate over the U.S. Cyber Command’s organizational challenges.

The amendment, introduced by Reps. Morgan Luttrell (R-Texas) and Chrissy Houlahan (D-Pa.), seeks an independent study of establishing a separate armed force dedicated to cyber, including an evaluation of how it would compare in performance and efficacy to the current organizational approach for CYBERCOM.

If passed, the measure would require the Defense Department to enter into an agreement with the National Academy of Sciences to conduct the evaluation.

CYBERCOM, launched over a decade ago, has struggled to grow the cyber workforce necessary to counter ever-growing cyber threats. The command has historically relied on the military services to provide digital personnel. That has led to readiness issues, since the services run their own recruitment and training systems for their cyber operations, and digital warriors tend to have inconsistent knowledge and experience when they are sent to CYBERCOM.

The Foundation for Defense of Democracies recently released a report urging the Pentagon to establish a new cyber force, which has once again reignited the debate over the issue.

“The services do not coordinate to ensure that trainees acquire a consistent set of skills or that their skills correspond to the roles they will ultimately fulfill at CYBERCOM. Promotion systems often hold back skilled cyber personnel because the systems were designed to evaluate service members who operate on land, at sea, or in the air, not in cyberspace. Retention rates for qualified personnel are low because of inconsistent policies, institutional cultures that do not value cyber expertise, and insufficient opportunities for advanced training,” the report reads.

“Resolving these issues requires the creation of a new independent armed service — a U.S. Cyber Force — alongside the Army, Navy, Air Force, Marine Corps, and Space Force. There is ample precedent for this approach.”

Following the Space Force example, the study advocates for a smaller force — no more than 10,000 digital warriors and a $16.5 billion budget.

While the fiscal 2023 defense policy bill required the Pentagon to “study the prospect of a new force generation model for CYBERCOM,” the analysis is still not ready.

“As we go through this year’s 1533 study and we evaluate all of the options available for force generation, we certainly are going to look really closely at what are the implications of a cyber service,” Cyber Command and National Security Agency chief Gen. Timothy Haugh told lawmakers in April.

“One of the other responsibilities that is in both our Unified Command plan and in the law is that I am responsible for evaluating the overall health of the DoD cyber workforce. I am responsible to do that in plain English, both to the Secretary of Defense and back to Congress. I think, from our perspective, those reports have allowed us to identify where are the areas that the services could improve. And in doing so, it has also allowed us to build the partnership with the services on how we work together to improve the readiness. Because I think what areas we had seen in the past was not necessarily from the recruiting perspective, but more so from the assignment and retention perspective.”

Pentagon leaders have largely rejected the idea, with retired Army Gen. Paul Nakasone being the latest former senior official to push back against the proposal.

“I do not think organizing a service is the best way to do that right now. So Cyber Command, the Defense Department have already started to look at this idea of being able to model themselves after special operations command. What are we seeing with Special Operations Command? Always operating a series of professionals and doing this in a manner that is unique in our department. Cyber Command is the same way. I think this is the way we address the problem,” Nakasone told ClearanceJobs.

The provision has a “prohibition against interference,” which prohibits Defense Department personnel from interfering or exerting influence to alter the findings of the National Academy of Sciences.

If passed, the Academy will have nine months to complete the study.

CYBERCOM seeks to get more acquisition authority https://federalnewsnetwork.com/defense-main/2024/06/cybercom-seeks-to-get-more-acquisition-authority/ https://federalnewsnetwork.com/defense-main/2024/06/cybercom-seeks-to-get-more-acquisition-authority/#respond Thu, 06 Jun 2024 22:05:57 +0000 https://federalnewsnetwork.com/?p=5030914 CYBERCOM's Joint Cyber Warfighting Architecture is taking shape as the command is working to get more acquisition authority over PM shops within the services.

The post CYBERCOM seeks to get more acquisition authority first appeared on Federal News Network.

U.S. Cyber Command is standing up a new program executive office to support its Joint Cyber Warfighting Architecture as it is working to get more acquisition authority over program management shops within the services.

The command is working with the Office of the Secretary of Defense’s Acquisition & Sustainment office and the services to set up the program office. Last year, CYBERCOM got system engineering and integration authority over the JCWA.

“What that means is we now have the authority to define the interoperability standards between the different components to help better drive better integration and better interoperability between the different systems,” CYBERCOM Acquisition Executive Khoi T. Nguyen said during the C4ISRnet event Wednesday.

When CYBERCOM launched the Joint Cyber Warfighting Architecture five years ago, the goal was to consolidate disparate systems across the military services into one single platform. The JCWA currently encompasses six programs of record, including the Joint Common Access Platform, which is managed by the Army; the Joint Cyber Command and Control, managed by the Air Force; and a persistent cyber training environment, which also falls under the Army’s purview.

The next step as part of the establishment of the executive program office is to get more acquisition authority over those program shops.

“That will give us more authority over the PM shops not only technical from an A&S authority perspective but also acquisition. So, talking about approving those programs or records, acquisition and contracting strategies. That will give us a much more holistic ability to move everybody forward singularly,” said Nguyen.

In addition, the command conducted an in-depth analysis last year to better understand the JCWA’s components and capabilities. Following the analysis, several initiatives were launched.

One of those initiatives is to reduce redundancies, and reducing the number of software factories is one of the ways the command will go after them.

“Today, these six programs of record all have their own software factory that are doing software development. The initiative to reduce redundancies means, ‘Let’s combine some software factories.’ This way, we reduce the number of software factories that are out there delivering capabilities for JCWA,” said Nguyen.

“But more importantly if you think of SolarWinds — it was an attack on the software factory. [Reducing redundancy] will ensure we have a much better ability to defend our supply chain from a software development environment perspective.”

In addition, different programs within JCWA use slightly varied technology stacks. In an effort to reduce redundancy, the command wants to have a common Kubernetes platform and program shops would use this environment to deploy their applications.

“This allows more efficiencies in the applications. But more importantly, with this common platform we’re able to deploy it in different environments. We can deploy it within the cloud. We can deploy it on an edge processing or we can deploy it to our hunt kit with a common platform. And then the variances will be based on the applications that are delivered on top of that,” said Nguyen.

Federal zero trust implementation hinges on actionable strategies https://federalnewsnetwork.com/commentary/2024/06/federal-zero-trust-implementation-hinges-on-actionable-strategies/ https://federalnewsnetwork.com/commentary/2024/06/federal-zero-trust-implementation-hinges-on-actionable-strategies/#respond Thu, 06 Jun 2024 19:40:34 +0000 https://federalnewsnetwork.com/?p=5030789 Zero trust will continue to be a centerpiece of federal cyber strategies across government, and rightfully so.

The post Federal zero trust implementation hinges on actionable strategies first appeared on Federal News Network.

Zero trust has become an important tool in federal cyber plans, with the Biden Administration showcasing zero trust as one of the lynchpins of the 2023 National Cyber Strategy. Out of this has come a bevy of implementation strategies from individual agencies, none of which really get to the heart of the cyber challenges around zero trust implementation and the federal threat landscape overall.

Cyber defense is not a line in the sand. The threats are constantly evolving. Because of that, federal zero trust plans need to ensure that agencies, experts and professionals in both the private and public sector are consistently aware of these threats and how they’re behaving.

Understanding the threat terrain

Organizations should prioritize creating cybersecurity strategies in collaboration with national partners with similar missions, ensuring a comprehensive approach and common vision on what the threat landscape looks like. A lack of knowledge on the terrain will impact security measures, leaving federal cyber defenders stranded like soldiers entering battle with no understanding of their environment.

As agencies build out their zero trust plans, they need insights and case studies on the threat terrain right now, including actual threat modeling, to go in tandem with guidelines. The priority should be to show agencies the value of gaining visibility of the terrain they’ve jumped into in the past 20 years. This will not only make the strategy helpful for a broader range of agencies, but also give a snapshot of the threat landscape at any given time so they can see how it is evolving.

Actionable guidance 

None of this guidance will work without use cases that show agencies the nuances of implementing certain technologies, strategies and platforms.

A good example for compiling information to form your strategy would be utilizing the National Security Telecommunications Advisory Committee (NSTAC) and the National Security Agency (NSA) plans. They provide guidelines for practical actions like micro and macro segmentation. This is incredibly useful, especially for agencies and other organizations that don’t have the resources to create their own guidance. These documents provide detailed strategic guidance on policy frameworks, interagency coordination, technical implementation and best practices.

Agencies can utilize them immediately to help in three areas:

  • Policy integration and alignment: Structure policies around principal zero trust-defined areas, mapping governance to these areas for long-term visibility and management.
  • Partnerships for implementation: Frame where your boundaries are and ensure that partners are of like mind when implementing strategy. Your defenses need to connect.
  • Continuous improvement and adaptation: Once these bonds are identified, maintain visibility. Constant evolution is necessary and should be the nature of anyone supporting information and communication technology (ICT). Know your terrain and consistently work with your partners to defend it. 

Seasoning strategies to taste

While entities like the departments of Defense and Homeland Security have established important use cases and strategies, other organizations should make sure they’re considering their own unique mission needs and objectives. Tying implementation of zero trust architecture to these goals is essential for aligning zero trust implementation with an agency’s existing strategies. A practical starting point for this is to evaluate how organizational missions align with those already equipped with detailed strategy and threat profiles.

This critical information — the assets, where they’re stored and the paths they may travel, the risk of exposure, how you defend and monitor them, and the actions you’ll take upon authorized and non-authorized exposure — can make the difference in the event of an attack. New threats are always identified, and you don’t want to redo this effort under fire. 

Zero trust will continue to be a centerpiece of federal cyber strategies across government, and rightfully so. When implemented correctly it can make a huge impact on federal security. But to ensure success, agencies need to develop strategies that center around situational awareness and actionable strategies. The threat landscape is only getting more and more complex with malicious actors and nation states utilizing incredibly innovative tools in an attempt to infiltrate government networks. Proper zero trust implementation is essential to combatting this constantly evolving frontier.

Will Smith is director of business expansion and solutions design at RELI Group.
