Art Clomera,
Vice President, Operations
It’s a simple question with a somewhat complicated answer – at a time when understanding its meaning couldn’t be more important. In a recent industry report, a series of digital trackers stationed across the globe logged more than 5.3 trillion – yes, “trillion” – cyber attacks worldwide in 2021. That’s 14.5 billion attacks per day; 168,000 per second. It’s also 67 cyberattacks for every man, woman, and child on Earth. Spread out over a year, this would mean every person would be attacked online a little more than once a week. The Identity Theft Resource Center recently announced that there were 17% more publicly reported data compromises through September of 2021 than in all of 2020. That means that cybersecurity threats are increasing. And yet, the United States Cybersecurity & Infrastructure Security Agency (CISA) reported that 20% of the top routinely exploited cybersecurity vulnerabilities for 2021 were in 2020’s list as well, meaning significant threats are going unaddressed.
In the face of this threat, government agencies spend a lot of time and money focused on cybersecurity. They operate in an increasingly technology-dependent environment, working with Information Technology (IT), Industrial Control Systems (ICS), Cyber-Physical Systems (CPS), and connected devices that are collectively Internet of Things (IoT). Interconnectivity among these technologies improves efficiency, while expanding threat exposure to more of your core operating functions.
The bigger question is: how is a federal agency to manage given the immense and rapidly changing nature of the threat and increasingly fragmentary workplace technology? It is best to start with the basics.
What is Cybersecurity?
Cybersecurity safeguards networks, devices, and data from unauthorized, and often malicious, access without affecting that infrastructure’s accessibility, integrity, and functionality – its fundamental purpose. Cybersecurity is people and technology working together to protect digital assets, so they work for us, rather than against us. Organizations achieve cybersecurity through a distinct and critical combination of cybersecurity tools, equipment, standards, and processes in the capable hands of professionally trained and experienced workforce and organizations.
The Federal Information Security Management Act (FISMA) is the legislation that defines a framework of guidelines (e.g. RMF NIST SP (Special Publications) 800-37 Rev2) and security standards (e.g. Security Controls NIST SP 800-53) to protect government IT and operations. NIST SP 800-37 “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy” is the framework of guidelines to help federal agencies effectively establish and maintain cybersecurity. RMF outlines 7-step process: Prepare, Categorize, Select, Implement, Assess, and Monitor which links to a suite of NIST standards and guidelines (e.g. NIST SP 800 series).
Why is Cybersecurity Important?
Cybersecurity is important because the cyber threat is outpacing efforts to reduce pervasive vulnerabilities. At the personal level, stolen identities or sensitive data (collectively Personally Identifiable Information (PII)) leaves someone vulnerable to theft, extortion, embarrassment, or the permanent loss of irreplaceable memories. Private organizations could lose hard-earned and unique intellectual property. The United States depends on the reliable functioning of its critical infrastructure (CI). If public or private agencies lose access to or use of CI, it can have a debilitating impact on any combination of national security, economic strength, and/or public health and safety.
4 Common Cybersecurity Myths
1. Programs/Systems must be managed independently because they are complex
Cybersecurity implementation systems are most effective when all their requisite components are carried out simultaneously. All programs and systems within the Federal government must follow the NIST SP 800 series standards and guidelines. These base standards and guidelines allow leaders to manage multiple programs simultaneously. A digital cybersecurity risk management platform (e.g. IPKeys CLaaS) can offer agency leaders and stakeholders effective, valuable tools in the RMF process. Leveraging IPKeys CLaaS allows managers with multiple security domain systems to dynamically adjust security controls to meet a given system’s, program’s or portfolio’s specific implementation. Simultaneously, CLaaS can dynamically report to meet constantly changing implementation data while improving accuracy, giving managers better data to make informed decisions to authorize and monitor their portfolio’s implementation.
2. Serious security breaches happen to other people and organizations
We all naturally tend to conclude that bad things happen to other people. Unfortunately, those “other people” were thinking the exact same thing. Cybersecurity breaches can happen to anyone and any organization. With internet-connected devices now outnumbering people – each one a potential tool to access your digital assets – without solid cyber protection and using a zero-trust policy, the chances that you could be that “other” are very high. Take a moment to read through the Center for Strategic and International Studies’ running list of major cyber-attacks on governments and large businesses worldwide going back to 2006. It wasn’t going to happen to every one of those organizations… until it did.
3. RMF challenges are best solved by hiring more cybersecurity professionals
The biggest delay within the RMF process is the amount of manual reporting required to keep leadership informed on progress. Those in agencies’ leadership roles are accustomed to Microsoft Office as the tool of choice for reporting and presentations. Cybersecurity professionals must manually cut and paste data into Microsoft Excel spreadsheets and PowerPoint presentations to keep RMF reports familiar and digestible. But Microsoft Office tools’ static nature means that recurring briefings/updates consume cybersecurity professionals’ time and distract from analysis and mitigating risk. This is not the best posture to take when time is critical to effectively respond to threats. Additionally, Microsoft Word is the long-term documentation tool for security artifacts (e.g. System Security Plans (SSPs))
More cybersecurity professionals spend significant time transferring cybersecurity data into Microsoft Office Suite to report and present to decision-makers, but is this the best use of resources? Think of the ubiquitous ‘chain is only as strong as its weakest link’ adage. Each new person adds to your organization’s security chain and multiplies potential vulnerabilities when they introduce more human error. Agency leaders accessing informative, automatically curated, and critical data points optimized by a small number of security professionals is likely to be far more effective. Automated systems (e.g. IPKeys CLaaS) also free up security professionals to devote more of their day to the important tasks that require their unique skills and less to ubiquitous workflows. All data ingested by and presented in CLaaS can be automatically exported to Microsoft Office products, images and Adobe PDF format.
4. RMF must be a manual process to meet cybersecurity documentation requirements
RMF requires several documents including the systems security plan (SSP), Plan of Action & Milestones (POA&M), Security Assessment Plan (SAP), Security Assessment Report (SAR), and so on. These documents form the basis for a system’s authorization at the senior level and for maintaining long-term system connection on the network. Many of these documents detail the implementation of a system or program to comply with NIST SP 800-53 security controls and security categorization and control profiles (e.g. CNSSI 1253). If cybersecurity threats or NIST guidance were static, a manual documentation process might fit the bill. But they aren’t. According to NIST guidance, these documents should be revised and re-authorized whenever there is a significant system change or at least every three years.
Furthermore, NIST does not mandate that RMF documentation is done manually; automated systems are acceptable if they meet the RMF’s underlying requirements. Cutting-edge, automated systems (e.g. IPKeys CLaaS) can digitally document a system’s cybersecurity artifacts using controls, implementation, and assessment data. These digital documents can be converted from machine-readable datasets (e.g. JSON) into human-readable formats (e.g. HTML and PDF) for review and signature, significantly improving overall report accuracy and efficiency.
Stay ahead of cybersecurity threats with IPKeys
Cybersecurity is your responsibility… but it doesn’t have to be your job.
As a public agency with unique data management and security challenges, who can you trust to keep safe? The skilled specialists at IPKeys focus on cybersecurity that is tailored for government organizations. They developed their distinct suite of security tools and smart strategies for the United States Department of Defense (DoD) to meet their rigorous specifications. These same tools can keep your data safe and your systems running.