Governing Identity Attributes in a Contextual and Dynamic Access Control Environment

In the rapidly evolving landscape of cybersecurity, federal agencies, the Department of Defense (DoD), and critical infrastructure sectors face unique challenges in governing identity attributes within dynamic and contextual access control environments. The Department of Defense Instruction 8520.04, Identity Authentication for Information Systems, underscores the importance of identity governance in establishing trust and managing access across DoD systems. In parallel, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) guidance and the National Institute of Standards and Technology (NIST) frameworks further emphasize the critical need for secure and adaptive access controls in safeguarding critical infrastructure and federal systems.

This article examines the governance of identity attributes in this complex environment, linking these practices to Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC) models. It highlights how adherence to DoD 8520.04, CISA’s Zero Trust Maturity Model, and NIST guidelines enable organizations to maintain the accuracy, security, and provenance of identity attributes. These efforts are particularly crucial for critical infrastructure, where the ability to dynamically evaluate and protect access can prevent disruptions to essential services and minimize security risks. By integrating these principles, organizations not only achieve regulatory compliance but also strengthen their defense against evolving threats, ensuring the resilience of national security systems and vital infrastructure.

SailPoint Governing Identity Attributes Blog Embedded Image 2025

Importance of Governing Identity Attributes

Dynamic Access Control

In a dynamic access control environment (Zero Trust), access decisions are made based on real-time evaluation of identity attributes and contextual information. Identity governance plays a pivotal role in ensuring that these attributes are accurate, up-to-date, and relevant. Effective identity governance facilitates:

  • Real-time Access Decisions: By maintaining a comprehensive and current view of identity attributes, organizations can make informed and timely access decisions, ensuring that users have appropriate access rights based on their roles, responsibilities, and the context of their access request.
  • Adaptive Security: Identity governance enables adaptive security measures that can dynamically adjust access controls in response to changing risk levels, user behaviors, and environmental conditions.

Attribute Provenance

Attribute provenance refers to the history and origin of identity attributes. Understanding the provenance of attributes is critical for ensuring their reliability and trustworthiness. Identity governance supports attribute provenance by:

  • Tracking Attribute Sources: Implementing mechanisms to track the origins of identity attributes, including the systems and processes involved in their creation and modification.
  • Ensuring Data Integrity: Establishing validation and verification processes to ensure the integrity and accuracy of identity attributes over time.

Attribute Protection

Protecting identity attributes from unauthorized access, alteration, or misuse is fundamental to maintaining a secure access control environment. Identity governance enhances attribute protection through:

  • Access Controls: Implementing stringent access controls to limit who can view, modify, or manage identity attributes.
  • Encryption and Masking: Utilizing encryption and data masking techniques to protect sensitive identity attributes both at rest and in transit.
  • Monitoring and Auditing: Continuously monitoring and auditing access to identity attributes to detect and respond to any suspicious activities or policy violations.

Attribute Effectiveness

The effectiveness of identity attributes in supporting access control decisions is contingent upon their relevance, accuracy, and granularity. Identity governance ensures attribute effectiveness by:

  • Regular Reviews and Updates: Conducting periodic reviews and updates of identity attributes to align with evolving business needs, regulatory requirements, and security policies.
  • Feedback Mechanisms: Establishing feedback mechanisms to assess the effectiveness of identity attributes in real-world access control scenarios and make necessary adjustments.

Risks Associated with ABAC and RBAC

ABAC Risks

ABAC relies on the evaluation of attributes to make access control decisions. While ABAC offers flexibility and granularity, it also presents several risks:

  • Complexity: The complexity of managing a large number of attributes and policies can lead to misconfigurations and errors, potentially resulting in unauthorized access or access denials.
  • Scalability: As the number of attributes and policies grows, the scalability of the ABAC system can be challenged, affecting performance and responsiveness.
  • Attribute Quality: The effectiveness of ABAC is heavily dependent on the quality of the attributes. Inaccurate, outdated, or incomplete attributes can compromise access control decisions.

RBAC Risks

RBAC assigns access rights based on predefined roles. While RBAC simplifies access management, it also has inherent risks:

  • Role Explosion: The proliferation of roles to accommodate varying access needs can lead to role explosion, complicating role management and increasing administrative overhead.
  • Stale Roles: Over time, roles may become stale or misaligned with current job functions, leading to over-privileged or under-privileged access.
  • Inflexibility: RBAC may lack the flexibility to handle dynamic and context-specific access requirements, limiting its effectiveness in modern, agile environments.

Importance to a Zero Trust Model

The Zero Trust model is predicated on the principle of “never trust, always verify,” emphasizing continuous verification of identity and context for access decisions. Governing identity attributes is integral to the Zero Trust model for several reasons:

  • Continuous Verification: Accurate and reliable identity attributes are essential for continuous verification processes that dynamically assess access requests in real-time.
  • Context-Aware Security: By governing identity attributes, organizations can implement context-aware security measures that consider a wide range of factors, including user behavior, device health, and network conditions.
  • Minimizing Attack Surface: Effective governance of identity attributes helps minimize the attack surface by ensuring that access rights are tightly controlled and aligned with current security policies and threat landscapes.

Governing identity attributes is a cornerstone of modern access control strategies, particularly within the dynamic and contextual environments that characterize today’s IT ecosystems. By supporting dynamic access, ensuring attribute provenance, protection, and effectiveness, and addressing the risks associated with ABAC and RBAC, identity governance enhances the security and efficiency of access control mechanisms. In the context of a Zero Trust model, the rigorous governance of identity attributes is indispensable for maintaining robust and adaptive security postures, ultimately contributing to the resilience and integrity of organizational systems and data.

To learn more about SailPoint’s cybersecurity capabilities and how it can support mission-critical DoD initiatives, view our technology solutions portfolio. Additionally, check out our other blog highlighting the latest insights into “The Role of Identity Governance in the Implementation of DoD Instruction 8520.04”.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including SailPoint, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

How to Accelerate the Journey to Government Compliance with CCM

Government agencies are inundated with a vast amount of daily Governance, Risk, and Compliance (GRC) tasks and processes. Achieving regulatory compliance, an arduous process, can take up precious time that could be reallocated to other business-critical missions.

Continuous controls monitoring (CCM) is one solution. CCM leverages AI and extreme automation to help cut down on manual processes, allowing agencies to overcome regulatory hurdles, supercharge their staff, and make better risk-based decisions with fast, cost-effective automations.

Improving the Compliance Process

Creating a quality compliance report comes with heavy, manual processing time. CCM can help significantly by taking away some of the cumbersome brunt work, cutting 60-80% of the manual tasks required by GRC programs.

RegScale Government Compliance CCM Blog Embedded Image 2024

It can also help overcome hurdles to reaching valuable security authorizations.  Completing an Authorization to Operate (ATO) package can take roughly six months to finish — but that process can be reduced to two weeks with the right CCM platform.  CCM also gives agencies a leg up with gaining Continuous Authorization to Operate (cATO) by leveraging OSCAL, a machine-readable format that standardizes security control documentation and enables automated validation.

The Time-Saving Capabilities of Machine Learning and AI

In the past year, advances in machine learning (including large language models and generative AI) have created exciting new possibilities for GRC teams. AI and machine learning (ML) can offer everything from better data analysis to proactive risk management to a major reduction in manual processes. Here are a few of the most compelling use cases for AI-enabled GRC:

  • Help employees proactively monitor traffic
  • Review code for errors unlikely to be caught by the human eye
  • Explain complex controls and procedures in everyday language, bridging knowledge gaps
  • Generate accurate, up-to-date documentation in one click

Overall, AI allows agencies to move faster, with more accuracy, and with better visibility. To free up staff to complete mission-critical objectives, agencies should create their own AI/ML usage strategies and implement them within a Compliance as Code framework.

How RegScale’s CCM Leverages Compliance-Trained AI

RegScale’s AI-enabled platform, RegML, combines CCM and leading large language (LLM) tools to streamline compliance management with intelligent automation and precision. This approach improves compliance by significantly reducing manual labor and costs. It also provides user-friendly summaries and guidance and improves accuracy and precision in documentation, freeing up staff to focus on core business objectives. 

RegML has four main AI features:

  • AI Extractor, which automatically derives compliance documentation from existing policies and procedures.
  • AI Explainer, which is designed to demystify control statements by providing users with simple explanations of intricate controls.
  • AI Author, which helps draft control implementation statements in the context of relevant regulations and requirements. This process allows writers to focus on editing a draft, leading to fewer errors and better accuracy.
  • AI Auditor, which identifies gaps in controls and provides suggestions for improvement. This frees up teams to work on more critical tasks like fixing gaps and implementing controls.

CCM and the Future

Today, more and more work is being done in the cloud. As data becomes ephemeral and serverless, cybersecurity has become more important than ever — as have the mandatory frameworks governing it. Meanwhile, regulations such as NIST’s Secure Software Development Framework (SSDF), the Digital Operational Resilience Act (DORA), the Security and Exchange Commission (SEC) rules, Cybersecurity and Infrastructure Agency (CISA) mandates, and the European Union’s AI Act have or are predicted to undergo changes.

These shifting frameworks only make CCM more integral, as its AI features allow users to ensure that they are thoroughly compliant at every step of the process. By freeing time for additional tasks, and by maintaining adherence to changing regulations, CCM enables organizations to improve their GRC programs and streamline their operations.

To learn more about how RegScale’s CCM platform provides a layer of security around AI usage, watch its webinar How AI is Revolutionizing Government Compliance.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including RegScale, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought leaders.

A Guide to the Continuous Diagnostic and Mitigation Program by CISA

The Continuous Diagnostics and Mitigation (CDM) Program, established in 2012 by the Cyber Security Infrastructure Security Agency (CISA), provides a dynamic approach to fortifying the cybersecurity of Government networks and systems by improving security posture of participating agencies and mitigating risk to the nation’s cyber and physical infrastructure.  

Carahsoft’s long and supportive history of CISA’s CDM program allows Carahsoft to provide cutting edge software to benefit the governments pressing national security requirements. Currently, Carahsoft supports more than 70 vendor partners on the CDM Approved Products List, assisting in completing the submission process and maintaining communication with CISA for APL updates. Our extensive vendor and partner network allows the Government to procure asset and identity management, network security and data protection tools in support of the CDM program. 

How the CDM Program Works 

The goal of the CDM program is to find and prioritize risks in cybersecurity, increasing visibility into the Federal cybersecurity space and improving the Government’s ability to respond to issues or threats. In the past few years, the CDM program has grown to become a proactive, coordinated and efficient entity. In CISA’s projected budget for 2025, $469.8M will be allotted for the CDM program to strengthen the security posture of Federal Government networks and systems. 

Carahsoft CISA CDM Program Update Blog Embedded Image 2024

CISA has a congressional mandate at the national level to extend cybersecurity and the availability of CDM tools. It also supplies capabilities and knowledge into the framework of State and Local Governments and works to protect the nation’s vital infrastructure. Government agencies have specific funding that they can use—in essence as a grant. Different agencies and governmental entities can apply to get funding from the Department of Homeland Security (DHS) to enable the purchase of CDM technologies. DHS and CISA work with emerging, established and developing cyber technologies to counter threats from a wide variety of adversaries. 

The CDM Program APL and Procurement Process 

The CDM program offers a set of certified tools and sensors, known as the APL. To begin the process for a solution to be approved for the APL, a vendor must submit information about its capabilities to CISA. For example, where that tool sits in the network and what it is capable of. Tools that are part of the CDM program provide capabilities in the following 4 areas: 

  1. Asset Management 
  1. Identity and Access Management 
  1. Network Security Management 
  1. Data Protection Management 

The CDM office at CISA evaluates the offeror’s claims for that solution for acceptability and applicability onto the APL. If it meets the defined cybersecurity criteria, it is then classified into a specific category. Products labeled by CDM listed on the GSA MAS IT schedule through GSA Advantage have already been vetted and approved by CISA, signifying that they meet the technical standards needed for Government procurement. Therefore, agencies do not need to repeat the evaluation process when purchasing through GSA. While CISA manages the CDM program, GSA provides the ease of buying and the ability to expedite awards. CDM products can also be acquired through the NASA SEWP CDM catalog and are added to this contract via customer request.  

The CDM program includes cybersecurity tools and sensors reviewed for conformance with Section 508, Federal license users and CDM technical requirements. Each month, the program offers a weeklong submission window for new tools to be submitted for addition to the APL, which allows for unique flexibility for a Government program and strengthens the program over time. Since the acquisition of new and innovative technology can oftentimes lead to longer implementation timelines for the Government, monthly rolling submissions allow for a quicker and more flexible process for agencies obtaining new products. Not only is this a benefit for Government, but for industry, too, as a larger submission window allows technology vendors the opportunity for their products to be added to the APL more frequently.  

Cybersecurity threats are ever evolving—and consequently so are the tools and the defensive measures needed to mitigate them. CDM products expire from the APL every 3 years to ensure the products listed continuously comply with modern cybersecurity standards. For more information on the technical evaluation process, please review the APL Product Submission Instructions. 

Benefits of Acquiring CDM Tools for End Users 

Broad Base of Customers: The CDM program focuses on Federal infrastructure but works with GSA and its broad customer base, including buyers such as the Departments of Agriculture, Transportation, Justice and Education, as well as tribal and territorial Governments, for example. 

High Levels of Support: At CISA, the CDM program delivers high levels of support to Federal civilian agencies. It has direct program management resources, funding resources, and outreach resources, among others. 

Election Security: Election security is top of mind for 2024. The Help America Vote Act (HAVA) is an organization whose funding focuses on securing elections, ensuring confidence in election results, having robust voting technology and withstanding potential cyber threats. This is a bipartisan issue since all parties agree that user experience and cybersecurity require improvement. The CDM program and its robust suite of tools address these crucial objectives. 

Critical Infrastructure: DHS prioritizes protective services to critical infrastructure organizations like power companies, oil refineries and railroads. For example, $130.3M of CISA’s FY25 budget will ensure emergency communication interoperability and assistance.  

Integrators for the CDM Program 

Integrators are an integral part of the CDM Program, providing cybersecurity expertise, consulting, technology, tools, solutions and services to participating Government agencies. These organizations work directly with the agencies to strengthen IT security posture, zero trust maturity and other mission critical cybersecurity needs. The following integrators are currently the contract holders for agencies participating in the CDM Program in groups A-F, which are categorized by the task orders each agency holds. 

To learn more about defending Federal networks and systems with the CDM Program, the partners we support on the CDM APL and how you can sell your products under CDM, visit our CDM Program Overview and contact us today. 

The Evolving Landscape of Cybersecurity in the Healthcare Sector

As the nation becomes increasingly interconnected through technology, industries are also utilizing new technology to meet patient expectations for quick diagnoses and access to results. However, when this technology usage includes personal or healthcare data that may be sensitive for patients or health systems, cybersecurity becomes paramount and necessitates the implementation of new cyber standards. The Healthcare Information and Management Systems Society (HIMSS), a global society focused on information and technology in the health ecosystem, held its annual HIMSS 2023 Healthcare Cybersecurity Forum in September. Here, industry professionals converged to innovate and discuss strategies for safeguarding the healthcare sector against cyber-attacks. To protect against breaches, the healthcare system must integrate and scale to achieve a more connected technological landscape across the industry to better serve patients.

Ransomware and Cybersecurity in Healthcare

By connecting and improving interoperability between healthcare systems/EHR platforms, overall patient service is improved; however, with features such as digital integration, migration to the cloud and the incorporation of remote workers, cyber vulnerability has simultaneously increased. Bad actors oftentimes target healthcare agencies with ransomware for hire. With the increased capabilities of artificial intelligence (AI), even inexperienced bad actors can create sophisticated and dangerous attacks. Due to the immense financial loss of these attacks, it is vital that agencies prioritize cybersecurity. Hospitals, other healthcare centers, and especially their third-party stakeholders, now face a new barrage of ransomware attacks and data breaches.

There are a couple of steps administrators can take to protect hospital systems, patients and stakeholders.

  • Implement ‘Security-by-Design,’ a strategy where providers ensure that all products are secure by design and default, with all IT solutions and enterprise environments.
  • Maintain pace with the evolution of artificial intelligence (AI) and utilize it to defend against bad actors.
  • Standardize a detailed incident response plan that includes a thorough business continuity plan.
  • Exchange defense strategies between stakeholders — a united front is stronger than trying to face threats alone.
  • Implement multi-factor authentication and zero trust on all end users so information is accessed by the parties that need to know.
  • Apply data encryption to systems to protect sensitive information against hackers.

AI in the Healthcare Industry

Carahsoft HIMSS Cybersecurity Fall Forum Recap Blog Embedded Image 2023While bad actors have utilized the capabilities of AI, the healthcare industry can also use it to improve cybersecurity. AI does not need breaks, and therefore can run all day reducing the time needed to identify a security breach by analyzing large amounts of data in real time. On a similar note, AI can identify multiple devices and manage network endpoint detection for large networks. AI has been used to predict Domain Name System (DNS) attacks before occurrence, preventing and mitigating these attacks. It can implement Secure Access Service Edge (SASE), analyze identities and manage risk. With its strength of detecting patterns, AI can distinguish subtle patterns of attack that would otherwise go unnoticed by people.

Due to the nature of this new technology, the healthcare industry must carefully decide whether it wants to implement AI, and to what extent it will be used. In terms of cybersecurity, AI may be the answer to providing a secure standard for an interconnected healthcare industry.

Partnerships to Strengthen Cybersecurity in the Healthcare Industry

To provide the best security for patients and stakeholders in the healthcare sector, the federal government and technology industry have joined the battle against bad actors in healthcare. Several federal agencies including the Administration for Strategic Preparedness and Response (ASPR), will lend a hand in bolstering the cyber posture of the American health system. The ASPR is working alongside Cybersecurity and Infrastructure Security Agency (CISA) and private sector partners to analyze the cyber threat landscape of the healthcare sector. Over the next year, the agency hopes to create a cyber division, introduce a cyber risk identification tool, track cyber incident reports and gain resources and buy-in from senior leadership. Another agency, the Department of Health and Human Services (HHS) will strengthen cybersecurity by partnering with hospitals, health organizations and federal agencies, including CISA, that have additional information on cyber threats. Under the HHS, the Health Industry Cybersecurity Practices (HICP), a publication in response to the Cybersecurity Act of 2015, provides practical cybersecurity guidelines for the healthcare industry.

HICP covers several major threats that the industry faces, including:

  • Social engineering
  • Ransomware
  • Payment fraud
  • Loss or theft of equipment
  • Insider, accidental, or malicious data loss
  • Attacks against network connected medical devices

To counter said threats, the HICP has listed its top ten best cybersecurity practices. It advises to:

  • Protect email systems from phishing breaches
  • Implement endpoint protection systems to all hardware devices
  • Utilize identity and access management, regardless of the size of the health care organization
  • Check cyber posture to prevent data loss
  • Manage IT assets
  • Execute network management for wireless or wired connections before interoperating systems
  • Enact vulnerability management
  • Take advantage of incident response plans to discover network cyberattacks
  • Extend relevant cybersecurity practices to network connected medical devices
  • Establish and implement cybersecurity and governance policies[1]

By enabling organizations to evaluate capability against cybersecurity attacks, HICP aims to protect patients and stakeholders from private data loss.

While cyber attacks are always growing in complexity, the healthcare industry can evolve and provide superior service for its patients through the use of tested security strategies, AI and federal aid.

 

Visit Carahsoft’s Healthcare Solutions Portfolio to learn more about improving cybersecurity practices in the healthcare sector.

 
Resources:

[1] “HICP’s 10 Mitigating Practices,” Department of Health and Human Services, https://405d.hhs.gov/best-practices

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at the HIMSS Fall Forum in September 2023.*

Transforming State and Local Government in Ohio Through Technology

Innovation and collaboration are imperative to drive growth and transformation in State and Local Governments, as well as the need to invest in education and training to prepare the workforce for the jobs of the future. At the Carahsoft Digital Transformation Roadshow in Columbus, Ohio, Government IT and industry leaders engaged in dynamic discussions around the role of technology in shaping the modernization of the state of Ohio and beyond.

Technology Innovation in State and Local Government

Ohio State and Local agencies have begun to integrate innovative technologies to drive better decision-making while lowering the cost of ownership for IT systems; however, this requires significant investment in infrastructure, training and talent acquisition. Agencies must also ensure cybersecurity and risk management, as the use of new technology can create new vulnerabilities. There is a critical need for education, collaboration and innovation as State and Local agencies reimagine the future workforce which is an ever evolving complex and diverse ecosystem.

When faced with implementing technologies like artificial intelligence (AI), internet of things (IoT) and other transformational technologies, comprehensive planning is the best way forward for State and Local agencies. By doing the planning upfront, agencies can ensure that they have the right tools to manage vulnerabilities, mitigate risks and drive innovation.

Carahsoft State and Local Ohio Roadshow Blog Embedded Image 2023Utilizing a single platform that connects automation of other tools into that platform helps agencies get real-time data reporting and addresses risk within the organization. By using multiple endpoint management and security tools in a single platform, agencies can streamline their operations, reduce costs and improve their overall security posture.

A local agency in Westerville, Ohio has started using data for applied analytics and customizing citizen experiences using a feedback model. This approach involves analyzing and interpreting data to improve services and provide a more streamlined citizen experience for services like trash collection, public safety and traffic management. By using data to drive decision-making and improve services, agencies can become more efficient, effective and responsive to the needs of citizens.

Building a Resilient Government

Modernizing systems, which is the top priority for building a resilient Government, will improve citizen services, generate cost savings, increase security and provide a more holistic, human-centered Government experience. Many State and Local agencies have outdated systems and need to modernize their infrastructure and business processes to make commerce more accessible and efficient. This involves evaluating areas for improvement, such as replacing fax machines with modernized digital tools and platforms and consolidating multiple systems into a few with all the key functionality they need.

The Ohio Department of Aging (DoA) implemented a tenant of rapid response in which automated systems provide emergency staffing within 24 hours for long-term care facilities and nursing homes during the COVID-19 pandemic and continue to this day. The DoA has also worked on predictive modeling utilizing the Governance, Risk and Compliance (GRC) organizational strategy to identify potential issues and respond proactively. Additionally, it has focused on meeting citizens’ needs through an omnichannel approach, using interoperable data analytics and predictive modeling to provide a more personalized and efficient experience.

Combating Cyber Threats in Government

Public Sector organizations face a range of cybersecurity risks, including data exploitation, insider threats, third party vulnerabilities, ransomware, identity theft and fraudulent access to State Government services. To mitigate these risks, agencies can take steps such as implementing strong access controls, regularly updating software and systems, conducting employee training on cybersecurity best practices and partnering with other organizations to share threat intelligence and collaborate on incident response.

Cybersecurity and Infrastructure Security Agency (CISA) offers several services to assist Government agencies with cybersecurity, including assessments and external dependency mapping. These services are provided at no cost to agencies, as they are already paid for by federal taxpayers. The services include:

  • Cybersecurity assessments: conduct cybersecurity assessments, which can help identify vulnerabilities and areas for improvement.
  • Ransomware readiness assessments: prepare for and respond to ransomware attacks, which are a growing threat to State and Local Governments.
  • External dependency mapping: identify and assess third-party vendors and other external dependencies, which can be a source of cybersecurity risk.
  • Threat intelligence sharing: provide agencies with information on emerging threats and best practices for defending against cyber-attacks.
  • Incident response planning: develop and test incident response plans, which can help ensure a coordinated and effective response in the event of a cyber-attack.

As cybersecurity threats become more sophisticated, it is increasingly critical for individual employees to be aware of the risks and take steps to protect their agency. Following best practices for password management, avoiding suspicious emails and links and reporting any potential security incidents to IT or security personnel is imperative. Agencies should provide regular training and offer resources such as phishing simulations to help employees become more vigilant.

Agencies must continue to leverage technology, utilize resources like CISA, stay up to date on the latest best practices and remain committed to meeting citizens’ needs. By embracing technology innovation, State and Local agencies can create a brighter future for all.

 

Explore more resources and learn more about Carahsoft’s State and Local Roadshow Series: Digital Transformation by visiting our Roadshow portfolio.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at Carahsoft’s Digital Transformation Roadshow.*

Critical Infrastructure in Cybersecurity: Innovation for the Transportation Sector

In 2021, the presidential administration passed the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, aiming to bolster the cybersecurity posture of critical infrastructure in the United States. Various agencies, such as the Transportation Security Administration (TSA), Department of Transportation (DOT) and the Cybersecurity Infrastructure Security Agency (CISA), have been working to continuously improve the security of the transportation sector, which oversees the movement of people and goods across the country.

The Transportation Sector

Within the transportation sector, initiatives have been taken to help fund cybersecurity improvements in an array of subsectors. The transportation sector includes:

  • Aviation: Approximately 450 commercial airports, 19,000 airfields, air traffic control systems, heliports, landing strips, joint-use military airports, sea plane bases, manned and unmanned recreational aircraft and flight schools[1]
  • Highway and motor carriers: Managing roadways, bridges, tunnels and commercial vehicles such as motorcoaches and school buses traffic management systems
  • The maritime transportation system: Approximately 95,000 miles of coastline, 361 ports and over 10,000 miles of navigable waterways
  • Mass transit and passenger rail: Terminals, operational systems, transit buses, monorails, trolleys and rideshares
  • Pipeline systems: Carriers of natural gas, hazardous liquids and various chemicals
  • Freight rail: Major carriers, smaller, active railroads, freight cars and locomotives
  • Postal and shipping: Regional and local couriers, mail management firms, charters and delivery services[2]

Carahsoft Cybersecurity for Transportation Blog 4 Embedded Image 2023Security Directives

Due to persistent threats to the cybersecurity of critical infrastructure, including the transportation sector, the TSA issued multiple security directives for various transportation types, including railways and pipelines. These new directives require agencies to develop approved implementation plans that will help improve cybersecurity resilience, proactively assess the effectiveness of cybersecurity measures and prevent the deterioration of infrastructure.

The directive also requires that entities regulated by the TSA proactively work to implement amendments in the directive, including to:

  • Develop network segmentation policies so that Operational Technology (OT) can continue working, even when compromised
  • Prevent unauthorized access to critical infrastructure systems by enabling control access measures
  • Identify vulnerabilities and implement security patches for operating systems, applications, drivers and firmware to reduce the risk of exploitation
  • Detect malicious software and unauthorized access on Information Technology (IT) or OT systems and report designated incidents to CISA
  • Isolate infected systems from uninfected systems to limit the spread of malware, deny further access and to preserve evidence of compromise[3]

A similar initiative, introduced by the DOT in 2022, aims to improve security awareness amongst employees. All DOT network users are required to complete the DOT’s Security Awareness Training, which is inspired by various federal requirements and the DOT Order on Department Cybersecurity Policy. The training measures employees’ knowledge in cybersecurity, including password and PIN protection and basic security for information systems.[4]

By striving to improve the security posture of the transportation sector, the TSA, DOT and CISA endeavor to protect the safety of the nation.

Cybersecurity Funding for the Future

The DOT has also introduced measures to improve the national security posture. To leverage funding from bipartisan infrastructure, the U.S. Transportation Secretary Pete Buttigieg announced up to $45 million in grants for various University Transportation Centers (UTC). These grants will be utilized to improve the cybersecurity resilience of agencies affiliated with roads, bridges, rail, shipping and airspace. One of these grants will go to Clemson University to lead a consortium focused on cybersecurity research and development. Another of these grants will go to Prairie View A&M University to improve technology in the transportation system, including data related to artificial intelligence and environmental resilience.[5]

Ever since the Colonial Pipeline attack of 2021, as well as other attacks on the cybersecurity of critical infrastructure of the United States, various agencies have done their part to improve the nation’s security. Through CISA’s hard work to create cybersecurity guidelines and cross-sector performance goals and the Federal Government’s generous grants, the nation’s critical infrastructure is postured to increase security and resolve potential crises.

This blog is the final installment in our four-part series, which examines cybersecurity initiatives inspired by The White House’s National Security Memorandum. The first three parts covered the basics of critical infrastructure cybersecurity, an overview of the Water and Wastewater Sector, and an overview of the Electric and Utility Sector.

 

To learn more about how agencies can bolster their cybersecurity efforts within critical infrastructure, visit Carahsoft’s Cybersecurity Solutions Portfolio. 

 

Resources:

[1] “National Infrastructure Protection Plan,” Transportation Systems Sector, https://www.dhs.gov/xlibrary/assets/nipp_transport.pdf

[2] “Transportation Systems Sector,” Cybersecurity and Infrastructure Security Agency, https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/transportation-systems-sector

[3] “Security Directives and Emergency Amendments,” Transportation Security Administration, https://www.tsa.gov/sd-and-ea

[4] “FY 2022 Department of Transportation Security Awareness Training,” Federal Motor Carrier Safety Administration, https://www.fmcsa.dot.gov/safety/fy-2022-department-transportation-security-awareness-training

[5] “U.S. Department of Transportation Funds Innovative Research Providing Vital Training for Next Generation of Transportation Leaders,” U.S. Department of Transportation, https://www.transportation.gov/briefing-room/us-department-transportation-funds-innovative-research-providing-vital-training-next

Critical Infrastructure in Cybersecurity: Modernizing the Electric and Utilities Sector

After the ransomware attack on Colonial Pipeline in 2021 and other notable events, the presidential administration has diligently worked to improve the cybersecurity posture of critical infrastructure in the United States. Several Government agencies, such as the Department of Energy (DOE) Cybersecurity, Energy Security and Emergency Response (CESER), the National Security Agency (NSA), Cybersecurity Infrastructure Security Agency (CISA), and private sector Electric & Utility Industry have joined to refine and boost cybersecurity in the Electric and Utilities sector.

Standards for the Electric and Utility Sector

Since 2021, the White House has put forth the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, an initiative that aims to safeguard the critical infrastructure of the nation. The Memorandum specifies that the Electricity Subsector was the pilot effort in its Initiative. In acknowledgement of the Memorandum, at least 150 electric utilities have or will adopt operational technology (OT) and Industrial Control Systems (ICS) security and improved the visibility, detection and monitoring of critical electricity networks. Further reinforcing the memo, in March of 2023, the Presidential Administration announced a national cybersecurity strategy that strives to create a secure digital ecosystem reinforced with the National Cybersecurity Strategy.

Control systems experts that work with DOE CESER, CISA and the NSA have developed a set of ICS security considerations. These considerations aim to enhance and monitor the detection, mitigation and forensic capabilities for OT owners and operators.

The ICS/OT cybersecurity evaluating and monitoring technology guidelines are recommendations rather than mandates. They include but are not limited to:

  • Building technology for ICS networks with integration compatibility for ICS protocols and communications
  • Adding sensor-based continuous network cybersecurity monitoring, detection and facilitation of response capabilities for both ICS and OT
  • Creating a collective defense capability framework for software so that Federal Government partners and trusted organizations can share insights and detections
  • Utilizing passive deployment and isolation technologies to protect sensitive information
  • Securing technology against access credential misuse[1]

These guidelines aim to improve system security and visibility with Government partners.

Carahsoft Cybersecurity for Utilities Blog 3 Embedded Image 2023Financing the Security Movement

To help fulfill the National Security Memorandum promise, the current administration has released the Bipartisan Infrastructure Law, which authorizes up to $250 million to enhance the cybersecurity resilience of rural, municipal, and small private electric utilities. The Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance (RMUC) Program has utilized the law to help improve energy systems, processes, assets, incident response and cybersecurity skills in eligible agencies within the utility workforce. Nearly one in six Americans live in remote or rural communities with inadequate funding and infrastructure for updated technology and modern systems.[2] The RMUC Program pledges financial and technical assistance to help these communities, as well as small investor-owned electric utilities, to improve vital security functions such as operational capabilities and to provide cybersecurity services access and threat-sharing programs.  In August 2023, the program pledged a prize pool of $8.96 million dollars in competitive funding and technical assistance to enable municipal and small investor-owned utilities to advance their training and cybersecurity.[3]

By ensuring secure and reliable power to all customers, RMUC will help finance cybersecurity, as well as help fulfill another of the current administration’s goals of a net-zero carbon economy by 2050.

Cleaning Up Energy

In developing the clean energy sector, the Administration aims to mold the digital ecosystem to be more defensible, resilient and aligned with American values. This strategy will invest in the future by defending the energy sector and reinforcing clean-energy critical infrastructures.[4] To aid in the battle for clean energy through cybersecurity innovation, Clean Energy Cybersecurity Accelerator (CECA) will make cybersecurity accessible via collaboration with public and private expertise. To do so, CECA will assess all ICS assets that are connected to a utility’s infrastructure. Any ICS with potential wide-reaching impact is evaluated against physical and virtual attacks in a test lab, allowing CECA to mend any security holes. Aiming to achieve carbon-free electricity by 2035, the DOE has announced hundreds of funding opportunities, including funding for the Fossil Energy and Carbon Management (FECM) office.[5]

Through the collaboration of several key Government agencies and the tech industry, the Electric and Utilities sector is on the way to being secure, reliable and accessible to all.

The first two parts of this four-part blog series covered the basics of critical infrastructure cybersecurity, as well as an overview of the Water and Wastewater Sector. Following this third part, the fourth and final blog will dive deeper into the Transportation sector.

 

To learn more about how agencies can bolster their cybersecurity efforts within critical infrastructure, visit Carahsoft’s Cybersecurity Solutions Portfolio.

Sources

[1] “Considerations for ICS/OT Cybersecurity Monitoring Technologies,” Office of Cybersecurity, Energy Security and Emergency Response, https://www.energy.gov/ceser/considerations-icsot-cybersecurity-monitoring-technologies

[2] “Biden-Harris Administration Launches $250 Million Program to Strengthen Energy Security for Rural Communities,” Department of Energy, https://www.energy.gov/articles/biden-harris-administration-launches-250-million-program-strengthen-energy-security-rural

[3] “New Prize Supports Rural and Municipal Utilities in Strengthening Cybersecurity Posture,” NREL, https://www.nrel.gov/news/program/2023/new-prize-supports-rural-and-municipal-utilities-in-strengthening-cybersecurity-posture.html

[4] “Fact Sheet: Biden-Harris Administration Announces National Cybersecurity Strategy,” The White House, https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/

[5] “Funding Notice: Critical Materials Innovation, Efficiency and Alternatives,” Energy.gov: Office of Fossil Energy and Carbon Management, https://www.energy.gov/fecm/funding-notice-critical-materials-innovation-efficiency-and-alternatives

Four Lessons I Learned from My Company’s Response to the SUNBURST Attack

Saturday, December 12, 2020, is a day I’ll never forget. That was the day I learned nation-state threat actors had exploited our software in what would later be known as SUNBURST. Because it’s been written about thousands of times before, I won’t rehash the particulars of the event itself here. Instead, I’d like to share four lessons I learned about how to respond to a large-scale cyberattack.

1. The first days: Preparation helps control the chaos

I often refer to the days immediately following December 12, 2020, as “controlled chaos.” The chaos portion is self-explanatory, but what about the “controlled” part?

Simply put, we were in control the entire time, no matter how chaotic things seemed, because we’d prepared for such an incident. We ran tabletop exercises, planned for different scenarios, mapped out hypothetical intrusions, tested our response methods, and looked for and plugged potential security holes. We also built an incident response team comprised of representatives from across the company. It included members from our security, legal, marketing, IT, and engineering teams, and our board of directors.

As you plan your threat response, consider the following:

  • Do you have a cybersecurity incident response playbook?
  • Have you performed tabletop exercises and run various attack scenarios?
  • Do you have the right people on the incident response team—a good mix of strategic and tactical expertise?
  • Do you have ways to contact people, even on the weekend (or during a pandemic)?
  • Do you have a list of backup contacts in case someone isn’t available?
  • Do you have alternative communication methods established in case you cannot trust your existing ones?

2. The initial weeks: Separating teams creates an agile and efficient response

SolarWinds Attack Response Blog Embedded Image 2023

We quickly learned we needed to split our team into different groups for an agile and efficient response. Thus, one big team became multiple smaller teams, each overseen by leaders within their respective organizations (i.e., the legal team was led by our general counsel, the engineering team by our head of engineering, and so forth). These teams would work independently, then reconvene each evening to share what they learned, discuss solutions and ideas, and so on.

Having different teams allowed individuals to focus on each facet of the response. For example, engineering could focus on how the attack affected our build while IT investigated how the attackers got in. The communications team created responses for customers, partners, and the press, and what ultimately became the government affairs team devised a plan to contact various government agencies.

We also learned organizing these teams was impossible without a third-party “quarterback.” So, we brought in an external organization to coordinate our teams’ work. They set up meetings and ensured everyone was on the same page and information was being shared.

As you coordinate your teams, ask:

  • Do we have a plan in place to get teams together?
  • Do we have a third-party “security helper” on call or retainer? (This is often a good insurance policy)
  • Do we have enough teams to cover every aspect of our business?

3. The following weeks and months: Unbiased partners help amplify the truth

At the time, there was a lot of misinformation floating around. We were being outnumbered, out-marketed, and out-communicated. And unfortunately, social media made misinformation spread like wildfire—and has helped it be equally hard to extinguish.

To help, we partnered with reputable and experienced organizations like the Cybersecurity and Infrastructure Agency (CISA), Krebs Stamos Group, and others. The organizations performed forensics while amplifying the truth about the attack, helping people understand this was not just an isolated incident.

Amplifying the truth was the only agenda our partners had. Sadly, that’s not the norm. I discovered many organizations out there want to promote their brand or have ulterior motives. Fortunately, the organizations we worked with had no such baggage.

Indeed, they allowed us to focus on ensuring our customers were in the right state. We wanted to be there to answer their questions, assure them, and, most of all, make sure they were secure and protected. Our partners helped us block out the noise so we could focus on helping our customers.

To summarize:

  • Bring in the correct partners and add new partners as necessary
  • Watch out for hidden agendas
  • Prioritize what’s most important to you (For us, our customers were our top priority)
  • Don’t spend time responding to every inaccuracy; it will only distract you from your priorities
  • Stay focused

4. The final months: Going above and beyond leads to an exemplary outcome

As the months wore on, I remember a colleague telling me, “If you’re going to come out of this, you have to be special. It won’t be enough just to fix the issue. You need to really go above and beyond.”

As it turns out, we fixed the issue—but did much more than that. We found the source for SUNBURST and made it publicly available. We testified before the U.S. House and Senate. We implemented assistance programs to help our customers. We held briefings with the FBI and other global law enforcement agencies.

We ensured the world knew what we were doing and why we were doing it. In being transparent, we were helping others understand what we went through so they could better protect themselves. It’s not enough to be transparent, of course. To get through it and come out stronger, we needed to have products and services people love and enjoy using, which leads me to three final recommendations:

  • Be open and honest throughout the entire process
  • Communicate early and often—not just to your customers, partners, and employees but to the world
  • Make the type of products you would want them to use, and make them Secure by Design

The months have turned into years. The tenets of transparency and humility have served us well. The SUNBURST incident has turned into a catalyst for good. Supply chain security is now front of mind for many. Executive orders and cyber security strategies are leading us towards attestation for software security. Executive and boardroom conversations have security as a necessary topic, and the security defenders of the world are being looked upon for guidance in managing cyber risk.

The investigation into SUNBURST formally concluded in May 2021—six months after the attack was first uncovered. But I like to think our response to the attack will live on for much longer. Because what started as a dark day in December 2020 made us a stronger, more resilient, and better company. I hope the lessons I learned can help you do the same.

Contact our team today to learn more about how SolarWinds can support your organization’s software and cybersecurity mission.

Critical Infrastructure in Cybersecurity: Initiatives for The Water and Wastewater Sector

In July 2021, the presidential administration signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. As these systems are a part of daily life, any damage to them would be a significant threat to national security. One major part of critical infrastructures, the Water and Wastewater Systems Sector, plays a vital part in daily life.

The first part of this four-part blog series covered the basics of critical infrastructure cybersecurity. This is the second part, and subsequent blogs will dive deeper into the electric, utility and transportation sectors respectively.

Carahsoft Cybersecurity for Water and Wastewater Blog 2 Embedded Image 2023The Water and Wastewater Sector in the United States

The Water and Wastewater Systems Sector is a critical infrastructure sector focused on water and wastewater sources and the protection of such sources.

This sector is one of the United States’ critical infrastructures: a physical and/or cyber asset that is so vital that their destruction would have a debilitating effect on society, whether physical, economic or safety related. While the water and wastewater industry is vulnerable to physical attacks it is also in jeopardy to cybersecurity attacks, as the sector increasingly relies on internet of things devices, automation, sensors, data collection, network devices and analytics software.[1] Recent water infrastructure attacks, such as the login breach that affected water treatment programs in the San Francisco Bay Area, or the breach to the industrial control systems (ICS) in Oldsmar, Florida, demonstrated how easy it was for foreign threats to not only hack critical infrastructure, but to shake the public’s confidence. While Industrial Control Systems owners and operators manage their own security, federal agencies seek to protect ICS technologies from potential exploitations that pose existential threats to the public or US property.

The Initiative to Improve Cybersecurity for Critical Infrastructure

To combat potential threats, the White House has put forth the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, an initiative that aims to safeguard the critical infrastructure of the Nation. The memorandum mentions the Water and Wastewater Systems sector by name in section 3a, spearheading the path for the government to act against threats. By working directly with critical infrastructure stakeholders, owners and operators, the White House will establish baseline cybersecurity goals and technology that facilitate threat visibility and detection so that the government and respective industry may take immediate action against any breaches.[1]

The EPA Initiative

As a part of the National Security Memorandum, the Environmental Protection Agency (EPA), a federal agency in charge of risk management for environmental health, announced the Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan to join in protecting water systems from cyberattacks. This 2022 plan focuses on supporting the early detection and expulsion of cyber threats against the water sector. A few of its action points include:

  • Creating a task force of water sector leaders
  • Adding new projects that demonstrate and implement the adoption of incident monitoring
  • Improving the process of information sharing and data analysis
  • Providing technical support to water systems[2]

With this properly implemented, the Water and Wastewater Systems sector can survive a cyber-event with no loss of critical function. The Cybersecurity and Infrastructure Security Agency (CISA) cybersecurity performance goals, a set of voluntary goals released in accordance with the National Security Memorandum, are broadly applicable to critical infrastructure sectors, including the water and wastewater sector. Industries can utilize these collaborative cybersecurity government resources to improve their safety.

A Unified Initiative

As the world becomes increasingly more interconnected with networks and the internet, cybersecurity grows in importance. To protect one of the most vital US infrastructures, water and waste, federal agencies have come together to with initiatives to encourage agencies to implement strong security practices to protect US environments and the public.

Check out the first part of our series on cybersecurity infrastructure. The third installment of this series will cover best cybersecurity practices in the electric utility sector.

To learn more about how agencies can bolster their cybersecurity efforts within critical infrastructure, visit Carahsoft’s Cybersecurity Solutions Portfolio.

 

Resources:

[1] “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems,” The White House, https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/

[2] “EPA Announces Action Plan to Accelerate Cyber-Resilience for the Water Sector,” United States Environmental Protection Agency, https://www.epa.gov/newsreleases/epa-announces-action-plan-accelerate-cyber-resilience-water-sector

The Basics of Cybersecurity for Critical Infrastructure

In July 2021, the presidential administration signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. As these systems are a part of daily life, any damage to them would be a significant threat to national security. To prevent a national crisis, the administration launched an effort to improve cybersecurity across critical infrastructure sectors. The first part of this four-part blog series will cover the basics of critical infrastructure cybersecurity. Subsequent blogs will dive deeper into the Water and Wastewater, Electric and Utility and Transportation sectors respectively.

Carahsoft Cybersecurity for Critical Infrastructure Blog 1 Embedded Image 2023Realities of Critical Infrastructure Environments

Increasing Industrial Control Systems (ICS) security ranks is a top priority to protect critical US infrastructure and national security. ICS is an information system that is used to control industrial processes such as manufacturing, product handling, production and distribution. These information systems can face a variety of threats from foreign and national bad actors who aim to gather intelligence and disrupt critical functions. With evolving technology, ICS operators must ensure that they implement new cybersecurity functions when connecting Operational Technology (OT) and Internet of Things (IoT) devices to Information Technology (IT) systems.

Best security practices for ICS include:

  • Restricting logical access to the system’s network and activity through protections such as firewalls to pause network traffic
  • Implementing unidirectional gates
  • Restricting physical access to the ICS devices and network to avoid disruptions to the system’s functionality
  • Securing all ICS individual components
  • Protecting against unauthorized data changes through network oversight
  • Having a response plan for potential incidents[1]

CISA’s Cybersecurity Performance Goals

Section 4 of the National Security Memorandum required the Department of Homeland Security to create baseline cybersecurity guidelines.

To further advance this, the Cybersecurity and Infrastructure Security Agency (CISA) has released a number of initiatives for agencies to implement that would strengthen their security systems. Every day, CISA works with ICS asset owners and operators to help them identify, protect against and detect cybersecurity threats, as well as to enhance ICS technical, analytical and response capabilities. CISA is working hard with critical infrastructure organizations to improve on the common issues they see, including:

  • Without basic security protections and foundational measures, critical infrastructure systems are vulnerable to exploit by methods that are easily preventable.
  • Limitation of resources continues to be a challenge for small- and medium-sized organizations.
  • There are inconsistencies in the standards for cyber maturity across the various critical infrastructure sectors, leaving security gaps that can be exploited.
  • Cybersecurity in IT systems are prioritized, leaving OT systems overlooked and outdated.

CISA offers a wide array of resources to help critical infrastructure organizations. These include the 2022 Cybersecurity Performance Goals—the CPGs. The CPGs are intended to be both voluntary and not comprehensive. It is not a mandated act for agencies to implement, nor does it consist of every helpful cybersecurity practice for every organization. Rather, they are intended as a beginner guideline that can be communicated to a non-technical audience. The CPGs were set as a baseline set of cybersecurity practices that are broadly applicable across critical infrastructure and have known risk-reduction value for IT and OT owners. And lastly, the CPGs stand out from other control frameworks by not only considering practices that address risk to individual entities, but also the aggregate risk to the nation.[2]

The Cross-Sector Cybersecurity Performance Goals provide a set of IT and OT cybersecurity practices that will help organizations increase cyber resilience in their Critical Infrastructure systems. CISA has organized the practices into 8 categories:

  • Account Security
  • Device Security
  • Data Security
  • Governance and Training
  • Vulnerability Management
  • Supply Chain / Third Party
  • Response and Recovery
  • Other

In March 2023 CISA released and updated version of the CPGs to include a key updates from the October 2022 guidelines.

  • The CPGs have been reordered to fit the NIST CSF functions, and accompanying documents have been adjusted to reflect this.
  • The Multifactor Authentication (MFA) goal has been updated to reflect the most recent CISA guidelines.
  • To aid in organizations’ recovery planning, CISA added a goal based around GitHub feedback.
  • There were slight changes made to the glossary to not only reflect the previously listed changes, but to acknowledge additional stakeholders who’ve contributed to the guidelines.

To better connect with the greater community, there are now additional opportunities to provide input on the goals CISA discussion page. CISA welcomes feedback from partners in cybersecurity and critical infrastructure communities.

Check back to read our second installment of this critical infrastructure series that will cover the best cybersecurity practices in the water and wastewater sectors.

 

To learn more about protecting agencies against cyber-attacks, visit Carahsoft’s Cybersecurity Solutions Portfolio.

 

Resources:

[1] “Recommended Cybersecurity Practices for Industrial Control Systems,” CISA, https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf

[2] “Cross-Sector Cybersecurity Performance Goals,” CISA, https://www.cisa.gov/cross-sector-cybersecurity-performance-goals