Beyond Cyber Hygiene

Lloyd McCoy Jr.

By Lloyd McCoy, Market Intelligence Manager

Helping agencies lock the door to keep external threat actors out of IT networks, combined with education and training, can only go so far in protecting government assets. There will always be vulnerability.

Public sector networks, with their treasure trove of sensitive information, face vigorous targeting by nation states and cyber criminals looking to steal anything they can get their hands on. Cyber-attacks remain one of the clear and present threats of our time with an intensity that shows little signs of abating.

So, how can those selling security solutions to government help mitigate threats when good cyber hygiene isn’t enough? Read more of this post

Network Optimization Is a Key Focus of DHS CISO

Lloyd McCoy Jr.

By Lloyd McCoy, Market Intelligence Manager

At a recent summit (sponsored by immixGroup), DHS CISO Paul Beckman, discussed challenges related to network optimization and outlined the steps the agency is taking to ensure both security and operational efficiency.

DHS is taking a close look at its Security Operations Center (SOC) optimization, from maturity standards to contracting. The agency is also looking for “network monetization” through the GSA’s Enterprise Infrastructure Solutions (EIS) contract, in the form of regaining lost workforce hours through automation.

DHS has 16 “loosely federated security operation centers spread geographically throughout the entire country, with varying degrees of maturity.” Beckman’s challenge lies in how to bring them all up to the minimum baseline of security standards.

His first attempt, which focused on consolidation, “didn’t go over too well with my colleagues,” as neither cost effective nor beneficial, Beckman said. That’s when the effort shifted to optimization. Read more of this post

New Security Requirements Coming to DOD Acquisition in 2020

Lloyd McCoy Jr.Cyber security network concept. Master key connect virtual networking graphic and blur laptop with flare light effectBy Lloyd McCoy, Market Intelligence Manager

Starting next summer, anyone selling IT to the Department of Defense will need to be certified by the Cybersecurity Maturity Model Certification (CMMC) in order to compete for contracts.

The CMMC is a set of security standards that will start appearing in RFIs in June 2020 and will apply to all defense acquisitions by September. The CMMCs will represent security maturity levels and will have five levels, each with their associated security controls and processes. Level 1 will likely be like what we consider basic hygiene, with Level 5 describing the very best in security practices. The level needed will depend on the contract and will be used to determine whether a vendor makes the cut. Details on what each of the levels contain are scant right now but expect more information in the coming months as the Department collects public feedback. Read more of this post

DHS CISO Talks About Authentication, Supply Chain and Internet Regulation

By Lloyd McCoy, Market Intelligence ManagerLloyd McCoy Jr.

At a recent immixGroup vendor demo day, Paul Beckman, CISO at the Department of Homeland Security, touched on several technological challenges and frustrations that concern him – topics ranging from patching to supply chain risk to the inevitability of security regulations surrounding the internet.

“I want to get out of the patching business,” Beckman noted, asking, “why can’t I go to automatic updates?” “I don’t understand why we’re still relying on the selected pushing of patches,” he continued. A decade ago a service patch might have created the “blue screen of death” on machines, Beckman said, so that even today, “the ops side of the house is telling me, ‘what are we going to do if we get a bad patch?’”

“My response to them is that restore capability has matured greatly in the last decade. Something goes bad in the machine, push a button, you’re back to where you were at midnight last night.” Beckman added that technology has advanced to the point where the bad patch argument can be discounted and end points can go to automatic patching.
Read more of this post

Government Health IT and the Promise of AI

Lloyd McCoy Jr.

By Lloyd McCoy, Market Intelligence Manager

The government’s health agencies want you to know that they need your help proving out use cases and applications for artificial intelligence and machine learning. That was one of the main takeaways from last week’s Federal Healthcare Day where the Department of Veterans Affairs and National Institutes of Health convened with industry partners to talk about advancements and opportunities.

Artificial intelligence adoption in government has the potential to spread faster than in the private sector. Because of the government’s scale, spend (about $1 billion will be spent on health-related artificial intelligence research this year) and breadth, a success story in one agency can spread rapidly to other areas.

There are three main areas where government hopes to take advantage of artificial intelligence:

I. Managing the Data Tsunami

‘Data tsunami’ is a term you may have heard before within the context of big data. The healthcare sector is probably a close second to the military in terms of data generation and consumption. NIH funds hundreds of thousands of researchers, each with their unique computing and storage needs. Making sense of large data sets in hybrid cloud environments is a massive undertaking and NIH wants to leverage AI so that the data and insights are accessible, interoperable and reusable. Given the fluid nature of both the research and clinical side of health, it’s hard to model what the demand is going to be. If you’re in the analytics space, note that the health agencies want to partner with vendors who are in it for the long haul. Show that you can handle uncertainty in storage and data consumption.

Read more of this post

AI and Analytics: Must Haves for Our Naval Force

Lloyd McCoy Jr.

By Lloyd McCoy, Marketing Intelligence Manager

There’s a real sense of urgency in the Navy.

Increasingly, at conferences (most recently at AFCEA West) and in sidebar conversations, I hear maritime leaders talk about “Great Power Competition” and how we’ve reached an inflection point in terms of how dispersed our fleet can reasonably be while maintaining effectiveness with current capabilities.

The mantra “do more with less” has been around since time immemorial but there’s a widespread belief that while the U.S. military will always have the advantage in air, land and sea, artificial intelligence (AI) looks to be an equalizer. There’s also the belief that we are only at the beginning of the adoption and development cycle for AI.

How do you fight a war against an adversary that can predict what you are going to do before you even know? Ladies and gentlemen, we are in an AI arms race. Read more of this post

An Introduction to Security Frameworks

Lloyd McCoy Jr.By Lloyd McCoy, Market Intelligence Manager

A key takeaway from RSA Conference 2019 was the importance of security frameworks. They encompass security best practices and help government agencies keep their heads above water amid all the cyber threats that are out there. When breaches do occur at the federal level, the post-mortem usually reveals some deficiencies in compliance.

For the federal government, the National Institute of Standards and Technology (NIST) is the primary source for security standards. The Office of Management and Budget (OMB) requires that agencies comply with NIST guidance. If you sell technology to the government, it’s important that you be familiar with security frameworks, because they play a big factor in why agencies buy what they buy in terms of security tools and services.

Security frameworks can largely be split into three categories: Control, Program and Risk.

The purpose of control frameworks is to identify a baseline set of controls, assess the state of technical capabilities, prioritize the implementation of controls and develop an initial roadmap for the security team. It’s important to become familiar with NIST SP 800-53, an important publication that catalogs security and privacy controls, because it helps agencies measure their impact. Government departments and agencies use NIST SP 800-53 to inform their purchasing decisions, specifically around incident response, configuration management, risk assessment and access control solutions.

Read more of this post

%d bloggers like this: