As we head into a new year, we wanted to reflect on some of the technology evolutions impacting how the business of government is conducted. Security continues to be of paramount concern and the past year saw a marked shift in how government agencies will protect data and assets moving forward. Learning from security breaches of the past and looking to emerging technology’s impact on how we collect and use data, there are three key areas to watch in the upcoming year as government evolves as a digitally-driven enterprise.
1. Zero Trust
The Executive Order on Improving the Nation’s Cybersecurity (Cyber EO) has a strong emphasis on moving government toward a Zero Trust approach for security. Zero Trust will not be achieved in 2023 (the stated goal is 2024), but as the EO and subsequent guidance have mandated, it is critical to focus on implementing new tools and integrations to move agencies closer to this modern approach.
Zero Trust involves adopting very granular, rigid user identification policies along with strict authentication that includes role-based, time, and/or location access, as well as a host of other conditions for access to systems by individuals. This helps systems achieve the goal of Zero Trust of ensuring only the right people are accessing the right data at the right time.
Zero Trust is not achieved with just a single technology. Over the next year, be wary of vendors claiming to have “the” Zero Trust solution. The architecture is achieved by bringing together a wide variety of security components, including a policy enforcement point, Security Information and Event Management (SIEM), threat intelligence, security logs, and more. Government agencies must take a hard look at their security and access investments to ensure they work together toward a Zero Trust approach.
Overcoming a Legacy of Trust
According to a recent survey, 58% of respondents said one of the primary challenges to implementing Zero Trust would be rebuilding or replacing legacy infrastructure. This legacy infrastructure is not just “ancient” mainframes and computers with floppy drives. It includes more recently acquired technology that simply does not integrate with the tools needed to achieve Zero Trust. Since replacing something that is working just fine for its function is not always optimal from a budget or productivity perspective, agencies are looking into how to use a service mesh to connect legacy systems to a Zero Trust environment.
Service mesh can be used in a cloud environment to control how services interact. With a service mesh, modern networking can be layered between legacy technology and other systems, allowing the functionality to remain while adding the needed integration for Zero Trust.
Early Progress to Zero Trust
The Defense Information Systems Agency (DISA) recently awarded a contract for a prototype Zero Trust Architecture. Nicknamed Thunderdome, this project will provide operational testing for the agency’s Zero Trust reference architecture. From there, the agency will work on an implementation strategy that will modernize how DISA systems, services, and data are accessed.
The Department of Defense’s (DoD) Transportation Command (Transcom) will be implementing a Zero Trust security model on its classified networks. The implementation will help the agency further modernize its logistics efforts, being able to better utilize cloud computing services.
The Office of Management and Budget (OMB) has moved to an implementation phase for Zero Trust. In doing so they can now help agencies break out costs associated with the cybersecurity approach in their budgets.
The next year will bring many more stories of what’s working (and what’s not) in terms of the shift to Zero Trust.
Today, there are an estimated 12 billion connected devices and trillions of sensors working among those devices. That number is expected to grow to more than 30 billion by 2025. Driving this growth is government use of IoT to gather information about infrastructure, traffic, crime, public health, and more. Of course with more connections comes more opportunity for bad actors to access data and systems, making security a key focus of IoT roll outs. The National Institute of Standards and Technology (NIST) issued guidance on establishing IoT device security detailing how security requirement support is needed below the information system level and should be examined on the devices themselves.
Agencies are taking this guidance to heart and going levels deeper. The Department of Commerce created an internet-of-things advisory board. Appointees to the group come from across industry and academia, as well as from federal, state and local organizations. The advisory group will look at the identification of federal regulations and programs that could inhibit or promote the development of the internet of things, as well as situations in which IoT could meet critical challenges.
More than a discussion of policy, IoT is becoming an essential part of operations for many local governments. A recent study found that 81% of cities surveyed use IoT to manage assets such as roads, streetlamps and water supplies. This use of IoT, and the data collected, is helping them get better at using data. This same study found that ninety-nine percent of leaders said they’ve made significant progress with analyzing data, while 91% see improvement in gathering data, and 82% in ensuring data quality. With IoT in the field and a handle on how to work with data, cities are now focused on realizing the power of real-time, data-driven decision making to better serve citizens.
Lighting the Way for Future IoT
With money from the Infrastructure Investment and Jobs Act being distributed, cities are earmarking IoT as a key area for investment. An entry point into broader use of IoT may prove to be streetlights.
Connected lights help smart cities better manage their energy use while also helping improve citizen safety. Research shows the implementation of street light use cases has grown from 61% to 72% between 2017 and 2022. Implementing IoT in lights allows cities to leverage outdoor wireless communications infrastructure as a first step in deploying a range of other IoT applications such as environmental monitoring or smart traffic sensors.
As more and more devices get integrated into existing physical and cyber infrastructure, the monitoring of how those devices were designed to work (and how they are actually working) will become critical.
3. Supply Chain
The SolarWinds and Microsoft breaches are now IT history, but they were critical in bringing supply chain risks to light and inciting action. Supply chain cybersecurity is a key focus of the Cyber EO and other executive-level guidance. NIST’s definition of “critical software” has allowed agencies to hone in on the technologies to prioritize for security evaluation and updates. NIST also issued guidance on best practices for vendors to maintain the security and integrity of their software code in which vendors must confirm they meet security rules before their solution can be used in a government system.
As a result of President Biden’s executive order on America’s Supply Chains, several departments pinpointed current weaknesses in the federal supply chain. The departments of Commerce and Homeland Security found open-source software and firmware vulnerable to exploitation by foreign adversaries and crime groups. A report from the Department of Energy deemed untrusted software developers a key vulnerability within the clean energy supply chain. To mitigate these risks, Commerce and DHS recommended increasing investment in domestic software development, a sector already battling talent shortages.
In 2023, expect some action on the findings of supply chain research of the past year. This could include more formal procurement rules, additional rules and guidance on continuous monitoring, as well as a renewed focus on domestically produced technology.
We’ll be keeping an eye on these trends and other emerging technology impacts throughout the year. You can stay informed with the resources available here at GovWhitePapers and through the events on GovEvents.