The State of Federal Security: What Contractors Should Know During Cybersecurity Month
October is the scariest month of the year, but not because of Halloween. While the rest of the nation prepares for trick-or-treaters, the government observes National Cybersecurity Awareness Month (NCSAM) in October to remind agencies of the scariest danger facing Americans today: cyber threats.
According to Federal CISO Grant Schneider, the U.S. government has “come a long way” in cybersecurity over the past two decades. Higher Federal Information Security Modernization Act (FISMA) scores suggest that renewed regulatory vigilance is paying off, and the numbers show that agencies are doing more than talking the talk.
Cybersecurity in 2019
This year, the Department of Defense (DoD) reported $8.5 billion in cybersecurity spending, up 3.9% from the year before. The President’s budget for cybersecurity was $15 billion in total, up 4.1%. The increase is justified both by the onslaught of cyberattacks in previous years and by the success of past prevention efforts.
In August, the Office of Management and Budget (OMB) released a report showing that, while the number of threat actors worldwide grew, the U.S. government faced no “major incidents” during 2018. Moreover, the total number of reported incidents dropped to roughly 31,000 from about 35,000 in 2017. This is significant progress, showing that compliance and spending have real teeth.
That’s not to say that federal agencies are out of the woods. From data breaches to ransomware, incidents are still occurring, and the primary culprits have stayed consistent with previous years. They include:
- Improper usage (insider threats)
- Email-based malware attacks
- Data breaches from targeted attacks
- Ransomware attacks
- Phishing and spear-phishing attacks
But 2019 has also witnessed new trends in technology, legislation, and federal institutions that promise to shape security during the next business year. To prepare, contractors and federal organizations should be aware of them.
What’s next for federal cybersecurity? Here’s the scoop –
Cybersecurity Trends for 2020
1. Further clearance reforms
When President Trump formally authorized the transfer of clearance responsibilities from the Office of Personnel Management (OPM) to the DoD, the department hit the ground running and completed the massive transfer of about 3,000 personnel earlier this month.
A new agency has been formed to shoulder the responsibility for continued clearance improvements. The Defense Counterintelligence and Security Agency (DCSA), formerly the Defense Security Service (DSS), will conduct background investigations for roughly 95% of the federal government from this point forward.
Along the way, the notoriously clogged clearance backlog has seen considerable improvement: earlier this year it was cut by roughly 300,000 cases thanks to changes in the review process, including a move to the Trusted Workforce 2.0 framework. While there is still more work to be done, the government is well on its way to vetting personnel more efficiently.
2. A risk-based approach to cybersecurity
With the clearance transfer completed, DCSA is turning its sights to industrial security, which remains one of its core missions. Because DCSA is a major component of the DoD, these changes will ripple throughout the government.
In August, an unnamed agency official advised security administrators to:
“expect additional changes in both how we approach the background investigation mission, adjudications, industrial security oversight, counterintelligence, and really our entire approach to partnering with industry in order to protect national security.”
From further comments, it’s clear that in the near future a compliance-based mindset will no longer satisfy federal standards for cybersecurity. Instead, government organizations will be asked to think in terms of risk, proactively anticipating threats that can’t be ticked off a checklist.
In practice, this likely means that agencies and contractors, in addition to following basic cyber hygiene practices, will eventually depend on cyber threat hunting, penetration testing, and other methodologies aimed at targeted threats that automated controls alone can’t detect. Getting a head start on these practices will help them be ready when standards are raised.
3. Vendors face increased scrutiny
Attackers ultimately reach their target through the hardware and software a facility runs, and with rising awareness of security flaws in equipment from IoT and networking vendors, the DoD is finally taking action to prevent vulnerable suppliers from threatening the security of cleared facilities.
Last month, the department released a first draft of the Cybersecurity Maturity Model Certification (CMMC), outlining the practices that defense contractors will need to have certified in order to win DoD contracts, beginning in fall of next year. Likewise, the DoD and its prime contractors will have to ensure that their suppliers are indeed certified.
While the CMMC puts pressure on U.S. technology providers working in the public sector, things have become doubly hard for foreign vendors. In May, President Trump signed an executive order allowing the government to bar U.S. organizations from using technology produced by any company considered a “national security threat,” a move widely understood to target Chinese telecommunications giant Huawei.
4. Feds to consolidate national security infrastructure
In spite of FISMA and other regulations intended to unify cybersecurity throughout the federal government, governance of security practices remains scattered across different organizations. In particular, 99 “civilian” agencies (such as the Department of Labor) have been left in charge of their own cybersecurity policies, leading to inconsistent standards in many cases.
According to Cybersecurity and Infrastructure Security Agency (CISA) director Chris Krebs, that will be changing soon. In a speech at Auburn University, he outlined CISA’s new priorities, which include collaboration leading to the consolidation of cybersecurity architecture across federal agencies. Krebs stated, “In five years, I think you may see a completely different architecture across those 99 agencies.”
In the past, it made sense to prioritize the security of some agencies over others. But as the major targets of U.S. adversaries, such as the DoD and intelligence agencies, reach acceptable levels of threat readiness, the U.S. will have to prepare for less obvious attack routes. Any agency with access to classified information is a potential target.
Always Be Prepared
From vendor management to clearance reform and risk-based approaches to security, the vigilance we’ve seen in 2019 has helped ward off attacks from foreign adversaries and domestic groups. Improved security is better for the nation, and for the bottom line of government organizations.
If there’s a common theme to the changes in cybersecurity this year, it’s this: risk can come from anywhere, and there’s no such thing as being “too secure.” As advancing technology gives threat actors more sophisticated paths of attack, government agencies and contractors must raise their standards of security in response.
MathCraft Security Technologies offers a robust product line of NISPOM-compliant security applications for cleared contractors and enterprises. Our solutions are carefully engineered to improve security processes, giving Facility Security Officers (FSOs) and employees the comprehensive tools they need to manage data, monitor visitors, and automate workflows. For ultimate convenience, they are also available on-premises or via the cloud. Contact us to learn more.