Security is now a vital component of any public sector website and IT network. Federal agencies, however, must step up their efforts further in the wake of a recent cybersecurity Executive Order (EO 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, signed in May 2017).
Delving into all of its details would be beyond the scope of this blog – but you are invited to contact us with any questions or concerns.
Here are the basics: from a security and compliance perspective, the EO adds a layer of accountability on top of FISMA (the Federal Information Security Management Act of 2002, as updated by the Federal Information Security Modernization Act of 2014), and it directs agencies to manage their cyber risk using the NIST Cybersecurity Framework.
Among the new requirements:
- Agencies must report metrics on their compliance with past mandates and on their current security practices
- Agencies must designate an executive who is accountable for submitting those metrics to the Department of Homeland Security
- Agencies must remediate the security gaps identified in a ‘cyber risk scorecard’ that is sent back to each agency based on its reported metrics
A second, and equally important, aspect of the EO is its stipulations on the procurement of shared IT services, including cloud services. This continues an effort launched under the previous administration to modernize federal IT and reduce operations and maintenance costs.
Although heavy reporting requirements are a common theme throughout the EO, the most challenging aspect of implementation will be the paradigm shift it demands: adopting a “risk mitigation and shared resource mentality” and reallocating resources (both budget and staff) accordingly.
In many ways this was long overdue. It simply makes more sense to approach cybersecurity from a risk-based point of view. Agencies will have to rank vulnerabilities by the risk they pose and patch the most urgent ones first, and to take a more holistic view of the problem. It is no longer just about the website (and it never really was). It is also about the applications behind the site and the systems on which they run.
Budgeting resources specifically for maintaining the security of a site (including proactive testing such as vulnerability assessments and penetration tests) is critical, and that budget needs to be recognized as a line item separate from other maintenance activities. This alone is a significant change from past practice.
An Effective Strategy For All Public Sector Sites
While the new EO applies only to federal agencies, it provides a strategy that can also be adopted by municipalities, school districts, utility districts, and any other public sector organization wishing to strengthen its security posture and its protection against internal and external threats.
In fact, some states, Ohio among them, are already incentivizing their local governments and online communities to align with the federal requirements. Unfortunately, unless a municipality or school district has in-house security and compliance experts, the EO would be very difficult to tackle alone. Even with such expertise, the first step is an assessment of the current environment, and it is considered best practice to bring in an independent third party for that task.
Before joining 360Civic as Chief Information Security Officer, I spent two decades in cybersecurity, working with organizations such as the FBI and the Secret Service. I am here to answer your questions, and to help you implement the changes and procedures needed to maintain compliance with all government security standards.