According to the SolarWinds 2019 Federal Cybersecurity survey report, threats posed by careless and malicious insiders and foreign governments are at an all-time high.
The report found 56% of federal government IT leaders surveyed considered careless or untrained insiders as the most significant threat to their organizations. Fifty-two percent said foreign governments are the primary menace to their agencies.
Despite this, federal agencies surveyed believe their ability to detect and prevent insider and malicious external threats has improved over the last year. Agencies attribute this confidence to updated federal regulations and mandates that give them the ability to better manage risk as part of their overall security posture.
Cybersecurity frameworks such as the one published by the National Institute of Standards and Technology (NIST), together with the security requirements agencies must meet under the Federal Information Security Modernization Act (FISMA), give federal agencies a strong starting point of best practices and processes for securing complex networks and highly sensitive data.
But a framework is only a framework: an outline that still has to be filled in. These documents are useful for jumpstarting an agency's cybersecurity program, but each agency still has to make the framework its own.
Let’s take a deeper look at the effectiveness of these key frameworks and explore how agencies can tailor them to suit their cybersecurity needs.
Frameworks Are Effective
Respondents to the aforementioned cybersecurity report cited federal regulations and mandates as contributing to their agency’s ability to manage risk as part of their overall security postures. Respondents most often noted NIST and FISMA frameworks as being the most helpful. Sixty percent of respondents said NIST contributed to their agency’s ability to manage risk, while 55% said FISMA was beneficial.
The key takeaway is that federal IT administrators genuinely value these frameworks for the standards and guidelines they provide on the way to a more effective cybersecurity program. The frameworks supply a recommended structure for those programs, and with that structure in place an agency can build a stronger security posture, because it has a basic "framework" for making sense of a problem that would otherwise be extraordinarily hard to get one's arms around. They bring order to chaos.
But They Need to Be Tailored
Not every agency or department is the same. It's therefore important for IT managers to take a framework and implement the security controls that fit their own environment, adapting the framework rather than adopting it wholesale. In doing so, they can create cybersecurity protocols that address the unique needs of their organizations.
The Department of Defense (DoD) is a great example. The DoD is leading the way in using existing frameworks to help warfighters and staff meet the growing threats and complexities from internal and external adversaries.
In the DoD’s Cyber Workforce Framework, the Department discussed how it used the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF) and the DoD Joint Cyberspace Training and Certification Standards (JCT&CS) to develop its own set of cybersecurity processes and standards tailored to the specific needs and priorities of the DoD.
The DoD example shows there is no "one size fits all" approach to putting together a security playbook; the result will be unique to each organization. Frameworks are there to provide guidelines and sets of best practices, not a finished program.
It’s important for agencies to understand how to insert these best practices into their existing policies and procedures, without placing undue burden on their staff. The goal should be to put a structure in place to protect agency assets without slowing down the ability for the organization to be agile.
Think of it as a kit house you build. You can buy the foundation and the framing (the framework), but as you build the house you customize what it looks like inside and out, from the gutters on the outside to the crown moldings on the inside. As you build it, you tailor the house to your own preferences and needs. Likewise, organizations need to take federal frameworks, guidelines, and best practices and apply them to their own organizational needs, preferences, and policies and procedures.
Once you've built your secure "kit house," it should evolve with the times to keep up with changing external threats from bad actors and internal threats such as the spread of shadow IT. That's where your IT staff comes in, and why it's important for organizations to have a team of experienced cybersecurity experts capable of securing both on-premises and cloud-based environments against careless insiders as well as malicious external actors.
While it’s a daunting task for IT staff to keep up with the daily onslaught of new technologies introduced to the marketplace and defend against new and evolving insider and external threats, using federal frameworks can give an agency a strong head start. Agencies just need to be sure they use the frameworks as they were intended—as the basis for cybersecurity programs that are uniquely their own.
Download The Ultimate Guide to Federal IT Compliance, a SolarWinds whitepaper, for a comprehensive look at federal cybersecurity rules and regulations.