Why agencies need private sector partners to help them navigate the cybersecurity EO
August 20, 2021, 3:10 pm
This content is sponsored by Microsoft Federal.
President Joe Biden’s recent cybersecurity executive order jumpstarted agencies’ efforts to modernize the government’s IT infrastructure with a set of standards that will enable agencies to proactively address threats and harden the nation’s overall cybersecurity posture. Recent attacks like the SolarWinds incident and the Colonial Pipeline hack have driven home the need for these efforts. But while the executive order provides a series of short-term milestones that agencies need to hit, the rapid pace may seem intimidating, and they may want a roadmap they can follow to get to the prescribed end state.
That’s where private sector partners come in. Agencies’ first mission is to serve their constituents, and their focus is rightly on that. So bringing on a private sector partner can take the stress off agencies and allow them to focus on their missions, secure in the knowledge that their partners have a clear vision on how to achieve the goals of the executive order, and are making it their primary mission to help agencies get there.
“One of the things to keep in mind with the cybersecurity executive order is the way it’s constructed really outlines that there’s no silver bullet to securing federal agencies, as federal agencies look to lead the way and really bring industry along to a better cybersecurity posture,” said Steve Faehl, chief technology officer of security for Microsoft Federal. “There are many areas that need improvement, everything from skilling to logging, it could be authentication, strong identity, strong assurance, secure configuration, baselines, each of those items plays a part in the bigger picture of modernizing security.”
That’s why each deadline included in the executive order addresses different areas that agencies need to examine and shore up. When taken in concert, most of the requirements for these deadlines, such as practicing least privilege, network segmentation, and identifying and classifying data, add up to the beginnings of a zero trust strategy.
Private sector partners can help provide proven roadmaps to get to this point, as well as lend their significant experience in approaching not just the technological aspects, but the cultural ones as well.
“To modernize and adopt the best practices outlined in the cyber EO, agencies need to focus on two things, I think the first of which is modernizing their policies, their procedures and their internal training,” said Jason Payne, chief technology officer for Microsoft Federal. “Microsoft can help with that through our internal skilling initiatives, as well as workshops and helping agencies train their hunters looking for cyber events. The second way that agencies can improve is by focusing on adopting the right tools that are enabled by artificial intelligence. That artificial intelligence can then in turn help analysts really embrace their capabilities to make them able to find more signals in the noise in the cybersecurity landscape.”
What many agencies don’t necessarily realize is that they’ve already laid the groundwork for achieving the goals of the executive order. Many already have technologies in place, such as Microsoft 365, that can be adapted or fine-tuned to begin meeting EO requirements and advancing an agency’s cybersecurity posture. This approach not only gives agencies a head start, but can also save chief information security officers time and money.
Aside from fully leveraging technologies they already have, there are a few initial steps agencies can take to begin implementing the executive order. First, they should take a risk-based assessment approach. Agencies need to catalogue existing capabilities to see what can be leveraged, and then prioritize the risks found in the gaps.
Second, agencies should assess their technical debt. It is often possible to layer zero trust controls over legacy workloads without much effort. Third, agencies should embrace the cloud as much as possible. Doing so offers new, cloud-based tools for security and telemetry, as well as the capability to develop and deploy applications at mission speed.
While the deadlines set forth in the executive order may seem intimidatingly fast-paced, agencies that find the right partners to guide them through this initiative should be able to achieve these goals and harden their cybersecurity postures without sacrificing the effectiveness of their primary missions.
“When I look at the executive order, I’m reminded of many large government transformations that I’ve seen in the past,” Payne said. “I think the first thing that agencies need to look at when it comes to this executive order is to examine all of their existing assumptions. It’s an opportunity to look at the status quo, and really where agencies are today, and where they should be tomorrow. If you need to change a policy, if you need to change a piece of technology, if you need to find additional partnerships, this is the opportunity to do it to meet the end goals of the executive order.”