Zero Trust is a hot buzzword, but in practice it is a new way of approaching security, one that follows from cybersecurity professionals having already changed their security posture from “if someone gets in” to “when someone gets in.” This approach focuses cyber defense strategies on safeguarding individual resources and data. This is a departure from traditional network defense strategies that aimed to keep the “bad guys” out of systems.
NIST has issued the Zero Trust Architecture Draft, which provides guidance on how agencies can implement security practices and technology that operate from a “never trust, always verify” stance, ensuring data is only being accessed by those who need it when they need it. While this guidance is applicable across federal as well as state and local markets, there are some unique differences in how federal and state and local agencies need to approach their cyber strategy.
At the Federal level, efforts are underway to make FedRAMP authorization more streamlined, helping agencies to integrate modern cloud technologies securely. Similarly, the Continuous Diagnostics and Mitigation (CDM) program, run out of the Department of Homeland Security, is working to expand its impact across government by changing the perspective by which agencies identify what is on the network, who is on the network, what is happening on the network, and how agency data is protected.
State and Local technology executives are focused less on overarching guidance (akin to FedRAMP and CDM) and are concentrating on user behavior. Identity attacks, where a hacker gains use of legitimate credentials, are on the rise. One report showed that these attacks (carried out by phishing tactics) are up 70%. To counteract this, state and local organizations are redoubling efforts to train their workforce, and the community at large, to identify potential phishing attacks. Preventing phishing attacks can cut down greatly on the very real threat of ransomware, where access to systems is blocked and data compromise is threatened unless money is paid to the hacker group.
This is just a quick snapshot of the cybersecurity landscape. There are some great resources on the site that dive into these and other topics in greater depth:
- 15 Calls to Action in Federal CyberSecurity 2020 – These recommendations are culled from the input of over 75 top experts at the 10th annual Billington Cybersecurity Summit. The paper includes insights on building the cyber workforce, developing data strategies, as well as staying current on policies, standards, and certifications.
- Defending the Federal Government from Cyber Attacks — The U.S. Department of Defense (DoD) invited white hat hackers to find security flaws in systems run by the Pentagon, Air Force and Army. What they learned helped the DoD bolster their cyber defenses and prove the benefits of hacker-powered security to a wide range of government agencies.
- Approaches for Federal Agencies to Use the Cybersecurity Framework – The document highlights examples for implementing the Framework for Improving Critical Infrastructure Cybersecurity (known as the Cybersecurity Framework) in a manner that complements the use of other NIST security and privacy risk management standards, guidelines, and practices. The use of the Cybersecurity Framework’s components enables discussion about the various types of risk that might occur within federal organizations and promotes conversations about how to determine the likelihood and potential consequences of risk events.
- Considering a Zero Trust Architecture — In today’s zero trust era, everyone, both outside and inside your networks, poses a potential risk to cybersecurity. As such, it is imperative that all organizations, whether part of the US public sector or not, institute safeguards that protect data and systems accordingly. This paper walks through the evolution of zero trust and provides guidance on implementing it in a government setting.
- The Road to Zero Trust — Zero Trust Architecture (ZTA) has the ability to fundamentally change the effectiveness of security and data sharing across DoD networks. This paper walks through the current state of perimeter security and outlines how to move toward a Zero Trust model to better track and block attackers, limit internal human error, manage rules of access, and facilitate secure sharing.
- User Risk Report – This paper looks at “Exploring Vulnerability and Behavior in a People-Centric Threat Landscape.” Your cybersecurity posture is only as strong as its weakest link. And in today’s people-centric threat landscape, that means users. They are your greatest asset, your biggest risk and your last line of defense from threats. That’s because attackers have shifted their focus from infrastructure to people. No matter how well you’re managing your IT infrastructure, you can’t patch your way out of these people-centered attacks. The report highlights user awareness and knowledge gaps that, if left unrectified, could hurt your cybersecurity posture.
These are just a few of the great resources available to help better understand and plan for the cyber threat landscape. You can browse more cybersecurity information through our search engine here: