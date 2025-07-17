In fiscal 2024, the Cybersecurity and Infrastructure Security Agency issued two emergency directives and two binding operational directives. The National Security Agency issued eight emergency directives and three binding operational directives for national security systems.

CISA’s most recent BOD came in December when it told civilian agencies to take steps to secure cloud services.

CISA wrote, “Malicious threat actors have increasingly targeted cloud environments and evolved tactics to gain initial cloud access. In recent cybersecurity incidents, the improper configuration of security controls in cloud environments introduced substantial risk and resulted in actual compromises.”

While NSA’s EOD and BODs aren’t public, the agency warned both intelligence agencies, military services, Defense Department agencies and critical infrastructure providers to take steps to protect themselves from increased nation state attacks, particularly those using “living off the land” techniques. Additionally, NSA offered 10 ways for agencies to keep their cloud services secure.

Both CISA and NSA’s alerts and best practices demonstrate that no matter how much agencies depend on cloud service providers, their responsibility to secure their data and systems must remain at the forefront of their cybersecurity strategies.

Moving to the cloud doesn’t mean agencies can set it and forget it. Most agencies will keep on-premise data centers that require just cyber tools and capabilities just like those they find in the cloud.

Nate Fitzgerald, the head of product management for the Enterprise Security Group at Broadcom, said as agencies get pulled deeper into a hybrid posture, the tools and capabilities that they use will also change.

“I think this means that niche vendors are going to be in the spotlight in a negative way. I think there’s going to be a trend toward buying suites of tools,” Fitzgerald said on the discussion Innovation in Government sponsored by Carahsoft. “I think the pressure will be there to get away from niche vendors because those tend to be the most expensive vendors, even though they often are the best of breed.”

Budget tightening to lead to tough decisions

The reasons for this change is two-fold. First, agencies are realizing the cloud isn’t the solution to every problem. Second, and maybe more important, is the expected reduction in budgets many agencies are expecting in fiscal 2026.

Fitzgerald said if a chief information security officer is facing budget reductions, they have a limited number of options. One would be to reduce the number of employees, which already is happening. Another would be to reduce the amount of money their organization is spending on tools.

“One of the first things they’ll do is look for best of breed vendors who charge a premium, and those are all over the industry. There’s plenty of examples of best of breed vendors who essentially do one major area of the security stack. They may have multiple products, but essentially they cover one area, or maybe they cover like one and a half or two areas, but they’re not a broad vendor,” Fitzgerald said. “So those are the vendors that you can go and say, ‘Okay, this best of breed technology is useful, but is there a suite version of this that I can go to another vendor that offers other products and other control points and capabilities, as well as this one that I currently have in a niche vendor? It may not have every single feature capability that I want, but it still checks the box and overall offers a lower cost.”

He said a good example of this trend is the use of Microsoft defender security tools that come with office and productivity products.

At the same time, agencies have to come to terms with the number of tools they are using. Fitzgerald said too often agencies have bought new cyber capabilities, but haven’t deployed them to their fullest.

“The suite vendors not only offer bundle pricing advantages, but there can be technological overhead advantages as well over the long term of that contract and the reduced overhead,” he said. “The other trend that plays into this is fewer control planes. If I go buy 10 different products, it’s very likely that those 10 different niche products would come with 10 different control planes. So I’ve got to have my team run 10 different log-ons to 10 different consoles, configure those independently and they don’t talk to one another. Typically, they don’t work alongside one another. So the suite vendors like us also offer advantages in that these products actually integrate with one another easily. So if you buy a data loss protection (DLP) product from us, those DLP rules can be applied to your network flows, your endpoints as well as your on-premises and cloud with just one single DLP policy. So there’s some big overhead advantages in the long run as well.”

Understanding true costs of cloud

At the same time, public and private sector organizations are coming to terms with the cost and new complexity of cloud services. Fitzgerald said agencies are realizing there’s a lot of hidden costs just with the transformation of systems and applications to the cloud.

“I think the data sovereignty laws add that extra layer of complexity, whether it’s data sovereignty or just general compliance, it adds additional requirements that likely were not there when the cloud transformation began,” he said. “I think cloud is like a convenience store. It’s actually comes at a premium. You have to remember that you’re offloading your entire operational infrastructure costs to somebody else, and yes, they’ll likely be more efficient at that than you were because they’re servicing multiple organizations. But that doesn’t mean that you’re going to be getting a great bargain by doing that. There is a cost of doing that. So cloud is not necessarily less expensive. In fact, I think it’s often more expensive now it can do things that you can’t do with on-premise technology. So there are some big benefits, like the elasticity, there’s some functionality, in fact, that we built into our cloud products that we just can’t do with our appliance products. But it’s important to note that we’ve continued to invest in both because we see this reality that cloud doesn’t solve all the problems for all companies and organizations in all situations.”

Fitzgerald said these realizations about cloud services just mean agencies have to be more strategic and tactical with their modernization efforts.

He said this is especially true as the cyber threat environment becomes more difficult to defend.

“Probably the scariest things that we’re seeing, especially from nation state actors, which are the most capable actors that are out there, is the trend to attack actually lower on the supply chain,” Fitzgerald said. “It’s really interesting to think about what that means in the federal space and in the private sector. It may mean really small organizations who have smaller security budgets, that have fewer dedicated security practitioners and just spending less time and effort on the problem, may be a soft target.”

Copyright © 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.