Much like organizations in the private sector, federal agencies are fending off cyberthreats from all angles: ransomware, credential theft, web application attacks, phishing, spoofing and more. But these agencies also must grapple with numerous challenges unique to government. Among the most vexing: the prospect of attacks from hostile nation-states; the budget constraints of the public sector; the need to comply with government mandates such as the 2021 Executive Order on Improving the Nation’s Cybersecurity; and keeping critical systems available to protect information and systems that may have a direct impact on national security.

“Both state and non-state cyber actors threaten our infrastructure and provide avenues for foreign malign influence threats against our democracy,” warns the Office of the Director of National Intelligence in its 2022 report on the U.S. Intelligence Community’s threat assessment. “Transnational cybercriminals are increasing the number, scale and sophistication of ransomware attacks, fueling a virtual ecosystem that threatens to cause greater disruptions of critical services worldwide.”

The report specifically calls out the threat of cyberattacks from the governments of China, Russia, North Korea and Iran.

Despite the clear risks of cyberattacks, federal agencies often struggle to address cybersecurity concerns as comprehensively as leaders would like. The Government Accountability Office has made more than 4,000 recommendations to federal agencies to address cybersecurity shortcomings, but nearly 900 of these had not been fully implemented as of December 2022. The GAO has designated 134 of these measures as “priority” recommendations, meaning that they warrant heightened attention from heads of key departments and agencies. “Until these shortcomings are addressed … IT systems will be increasingly susceptible to cyberthreats,” GAO notes.

Funding plays a large role in this gap. According to a MeriTalk report, only 14 percent of federal cybersecurity decision-makers say they have all the funding needed to meet the requirements of the 2021 cybersecurity executive order. The agencies that are having the greatest success meeting the order’s requirements are those without funding gaps, those where leaders meet at least once a month to review progress on the requirements and those whose zero-trust efforts are led by their CIO, MeriTalk reports.

To overcome cybersecurity challenges and protect their environments, agencies must adopt solutions, services and strategies that can adapt to evolving threats and technologies.

Agencies face unique obstacles as they work toward their missions. Many of these issues have evolved in recent years, posing major security challenges.

The percentage of federal cybersecurity leaders who say that mounting to-do lists and fears of suffering the “next headline-grabbing breach” keep them up at night¹

The percentage of federal IT and cybersecurity practitioners who say their agency has suffered a cybersecurity incident that resulted in a significant disruption to IT and the agency’s processes in the past several years²

The percentage of federal cybersecurity leaders who say their agencies are focused on implementing or expanding endpoint detection and response capabilities¹

The percentage of federal IT and cybersecurity practitioners who cite phishing and social engineering attacks as a top cyber risk, more than any other attack type²

IDENTITY: In an optimal zero-trust environment, an agency will continuously validate the identity of users rather than validating only when access is initially granted.

DEVICE: Agencies should inventory and secure all devices and prevent unauthorized devices from accessing resources. Device security should be applied to any hardware asset that can connect to a network.

NETOWRK: Agencies should implement a number of network security best practices, including network segmentation, threat protection, encryption, visibility, and automation and orchestration.

APPLICATION WORKLOAD: In an optimal zero-trust environment, an agency will integrate application security testing throughout development and deployment processes, with regular, ongoing application testing.

The demand for IT professionals — and especially those with cybersecurity expertise — is extremely high, creating a talent shortage for many federal agencies. To close this gap, agencies often engage with trusted third-party partners for as-a-service IT delivery. Certain requirements, such as compliance with the Federal Risk and Authorization Management Program, or FedRAMP, may restrict which types of services agencies can use.

An outside set of eyes — whether in the form of zero-trust maturity assessments, penetration testing or web application testing — can provide valuable, objective information that helps agencies identify and shore up gaps in their attack surface. These engagements can also help to jump-start emerging initiatives. For instance, leaders are sometimes unsure where to start with their efforts to implement zero-trust requirements. During a thorough zero-trust maturity assessment, a partner will evaluate the agency’s existing tools and practices and help it come up with a plan for what to prioritize first.

Services such as identity, credential and access management and privileged access management can help agencies reduce risk by ensuring that only authorized users can access sensitive systems and data. According to the National Institute of Standards and Technology, the need for ICAM is driven by increased use of cloud software, a dramatic rise in the number of credentials managed by agencies and the continued need for information sharing. For agencies whose staff lack the time or experience to implement ICAM and PAM solutions, managed services can limit the number of users with access to administrative functions.

A robust cybersecurity posture depends on several critical infrastructure components, including firewalls, SIEM solutions, and network and behavioral analytics tools. However, these tools are only as effective as the people who implement and manage them. Depending on their internal capacity, IT leaders may lean on partners for help configuring, managing and monitoring these solutions to best meet the needs of an agency over time. For instance, monitoring tools frequently need to be adjusted so they do not produce an excessive number of false alarms, which can lead to alert fatigue.

Employee training and staff augmentation services help organizations across industries to meet their cybersecurity goals and enhance their security posture. However, third parties that serve federal agencies must meet additional requirements beyond what they may face in the private sector. All training, of course, needs to be tailored to the goals and compliance considerations of federal agencies. Also, service providers offering staff augmentation must be able to accommodate security clearances before they are able to help agencies manage large-scale projects and complex programs.

Ultimately, the goal of federal cybersecurity efforts is not to roll out specific solutions or services, but rather to ensure that agencies have the capabilities necessary to prevent, detect and respond to ever-evolving cyberthreats. Here are some of the most important outcomes that federal cybersecurity leaders are pursuing:

The 2021 Executive Order on Improving the Nation’s Cybersecurity specifically directs agencies to move toward a zero-trust architecture. Government agencies actually lead industry in zero-trust adoption, according to Okta, with 72 percent of government organizations already pursuing a zero-trust initiative, compared with 55 percent of companies worldwide. Zero trust is important even for (and maybe especially for) agencies with heavy investments in more traditional cybersecurity measures. Navy CISO Christopher Cleary has noted that the physical cybersecurity perimeter has largely disappeared. “The workforce is getting more distributed,” Cleary told FedTech magazine. “It’s getting more challenging to keep everybody behind the castle walls.”

The 2021 executive order also directs the federal government to adopt robust endpoint detection and response (EDR) solutions. A memorandum from the Office of Management and Budget lays out the following objectives:

• Improved agency capabilities for early detection, response and remediation of cybersecurity incidents on their networks, using advanced technologies and leading practices
• Enterprise-level visibility across agency components to better detect and understand threat activity
• Governmentwide visibility through a centrally located EDR initiative to support host-level visibility, attribution and response across federal information systems

No cybersecurity tool is 100 percent effective in preventing intrusions, and network visibility is the next line of defense after attacks make their way into an environment. In fact, some federal officials blamed a lack of network visibility for the difficulties agencies had in identifying and responding to the SolarWinds attack in 2020. Chris Butera, senior technical director for cybersecurity for the Cybersecurity and Infrastructure Security Agency, told FedTech magazine that a mix of solutions such as intrusion detection, SIEM and vulnerability scanning tools can help agencies establish a baseline for normal network activity. “Getting a holistic picture of activity on the wire and at the endpoint is needed to paint that realistic picture of what is happening across your network,” he said.

An August 2021 memorandum from the Office of Management and Budget spells out the importance of investigation and remediation capabilities. The average dwell time (the length of time that cybercriminals spend in an IT environment before they are detected) has actually dropped slightly in recent years, but it is still around three weeks. That’s plenty of time to create serious problems. OMB details steps that organizations should take for activities such as logging, consistent timestamp formatting and security event forwarding to promote investigation and remediation capabilities. “To ensure data integrity, logging facilities and log information must be protected by cryptographic methods from tampering and unauthorized access,” the agency notes.

In addition to broad offerings and deep expertise in areas such as the cloud, data center and digital velocity, CDW offers these cybersecurity engagements to help agencies protect their IT environments.

Penetration testing: A comprehensive penetration test allows IT leaders to better evaluate the security of their networks, applications and cloud environments.

Purple team and red team exercises: By simulating real-world attack scenarios with an objective third-party partner, agencies can evaluate the effectiveness of their existing cybersecurity tools and practices.

Zero-trust maturity assessment: This four-week engagement measures an organization’s IT environment against CISA’s Zero Trust Maturity Model. CDW experts and organizational leaders work together to develop a roadmap that drives the organization’s zero-trust strategy and prioritizes cybersecurity projects. The assessment also considers future goals and practices to ensure the recommendations have long-term viability and value.

Residency services: Hiring IT professionals is a challenge for every organization, especially in cybersecurity. CDW residency services bring qualified, talented personnel to an agency’s IT operations for open-ended, onsite engagements. This service offers skills that your team may not have, including engineers and solution architects with expertise in a wide range of technologies.

Story by Sebastian Szykier, who leads the CDW•G Federal Cybersecurity Practice. He has spent the past 20 years making cybersecurity simpler for public sector organizations.