DAFITC Recap: DoD cyber experts emphasize ZTA and RMF reform

October 13, 2022 by Leave a comment

By Ryan Nelson, Market Intelligence Manager

When it comes to cybersecurity, look for the DoD to emphasize Zero Trust Architecture (ZTA) as the branches push for reform to the Risk Management Framework (RMF), among other hot topics.

At the recent Department of the Air Force Information Technology and Cyberpower 2022 conference, increased focus on ZTA and RMF topped the list of cybersecurity concerns across the DoD. According to a panel of cybersecurity experts, other top-of-mind topics included the Cyber Security Maturity Model and the need for a better articulated policy for cybersecurity overall.

The panel included cybersecurity experts across the DoD, including:

  • David McKeown – Deputy Chief Information Officer for Cybersecurity and the Chief Information Security Officer for Department of Defense (DoD)
  • Alvin “Tony” Plater – Director of Cybersecurity for the Department of Navy Office of Chief Information Officer (OCIO)
  • Brigadier General Jan C. Norris (USAR) – Deputy Chief Information Officer, Department of the Army Office of the Chief Information Officer (OCIO)
  • Scott M. St. Pierre – Deputy Director Enterprise Networks and Cybersecurity Department of the Navy (OPNAV N2N6D)

As mentioned at the outset, panelists generally agreed that all branches of service need to move away from perimeter security to a Zero Trust Architecture (ZTA). The panelists noted the DoD released a plan in July for Zero Trust Reference Architecture.

Read more of this post

Filed under Market Intelligence, Sales Tagged with , ,

New Requirement for Software Deliverables to Comply with NIST 800-218

October 12, 2022 by 1 Comment

By Skyler Handl, Corporate Counsel, Public Sector

On September 14, 2022, OMB took a substantial step forward in implementing EO 14028 Improving the Nation’s Cybersecurity by issuing memorandum M-22-18. This memorandum requires agency leaders to comply with NIST Secure Software Development Framework (SSDF), SP 800- 218,3 and the NIST Software Supply Chain Security Guidance with regards to third-party software in agency information systems. This applies to software developed or modified by major changes after September 14, 2022, regardless of whether the software is a commercial product or COTS item.

How does this impact your business?

Read more of this post

Filed under Contracting, Public Policy, Sales Tagged with , ,

EO 14028 uncertainty offers opportunities in event logging, zero trust, Part 2 of 2

July 6, 2022 by Leave a comment

By Ryan Nelson, Market Intelligence Manager

Uncertainty at the agency level about what constitutes compliance with EO 14028’s requirements regarding event logging (EL) and zero trust architecture (ZTA) offers vendors with those technological capabilities an opportunity to support agencies as they try to meet the demands of the order.

In the first part of this two-part series, we looked at event logging. This time we’ll turn our attention to ZTA.

As mentioned in our first installment, agencies have requested significant funding for the zero trust architecture and event logging requirements in the Executive Order, typically to the tune of $25 million per agency to achieve both goals.

Read more of this post

Filed under Market Intelligence, Public Policy, Sales Tagged with , , , , ,

EO 14028 uncertainty offers opportunities in event logging, zero trust (Part 1 of 2)

June 30, 2022 by Leave a comment

By Ryan Nelson, Market Intelligence Manager

The Executive Order on Improving the Nation’s Cybersecurity, along with timelines and compliance guidance from the Office of Management and Budget (OMB), is causing some confusion among agencies as to what actually constitutes compliance. Agencies have requested significant funding for zero trust architecture (ZTA) and event logging (EL) requirements in the Executive Order, often around $25 million per agency to achieve both goals.

Vendors that can help agencies comply with the order and meet OMB’s timelines will be of extreme interest to these organizations.

Background

Signed on May 12, 2021, EO 14028 contains specific directives to achieve improve agency visibility on network activity and cybersecurity. The Office of Management and Budget (OMB) then released clarifying guidance in memos to define what agencies must accomplish. These include:

  • OMB 21-31: Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents
  • OMB 22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles

EO 14028 requires agencies to determine their strategy for achieving a zero trust architecture within 60 days of release, while OMB 22-09 requires specific security goals be achieved by the end of FY24.

Read more of this post

Filed under Market Intelligence, Public Policy, Sales Tagged with , , , , ,

FITARA Scorecard changes: What you need to know

June 1, 2022 by Leave a comment

By Tara Franzonello, Program Development Manager

How will changes to the Federal Information Technology Acquisition Reform Act affect government agencies and OEMs?

On Jan. 20, 2022, the Subcommittee on Government Operations discussed FITARA, the Modernizing Government Technology Act, and the Federal Information Security Modernization Act of 2014. The purpose was to consider how to modernize the FITARA Scorecard, since many agency grades have remained stagnant. 

Rep. Gerald E. Connolly, chairman of the Subcommittee, suggested that lack of progress was because of the methodology used to calculate metrics. Connolly believes there should be new ways to hold agencies accountable for IT modernization, including moving to the cloud.

Read more of this post

Filed under Market Intelligence, Sales Tagged with , ,

CMMC: Get ahead by doing the bare minimum

May 12, 2022 by Leave a comment

By Ryan Nelson, Market Intelligence Manager

If you’ve been involved in federal sales for any time at all, you know that government cybersecurity professionals have been asking – pleading, in some cases – for vendors to “bake-in” risk management into their proposal. And while the industry does seem to be inching in that direction, it’s still a topic of great concern among agency IT leaders.

That’s why, if you really want to set yourself apart in federal sales, you need to do the bare minimum, and build your proposals with an eye toward compliance with Cybersecurity Maturity Model Certification 2.0. By doing the bare minimum, you’ll actually stand out from your less motivated competition, and stand a better chance at having your proposal come out on top.

At a recent AFCEA TechNet Cyber show in Baltimore, a panel of cyber experts was once again bemoaning this seeming lack of cooperation with industry’s compliance with cybersecurity directives.
CMMC 2.0 is the latest iteration of the cybersecurity certification, which is aimed at protecting the federal infrastructure from complex cyberattacks. It’s intended to cut red tape for small- and medium-sized businesses and help DoD and industry work together to address evolving cyber threats.
TechNet panelists (everyone from the senior tech advisor for the Operations and Infrastructure Center at DISA to the Army CIO cybersecurity director) were adamant about one thing: CMMC risk mitigation needs to be written into every single proposal.

Read more of this post

Filed under CMMC, Market Intelligence, Sales Tagged with , ,

How TMF helps agencies fund IT Modernization

March 10, 2022 by Leave a comment

By Tara Franzonello, Program Development Manager

Improved cyber security is a priority for government agencies, which is why IT Modernization products and services are becoming so important. Unfortunately, agencies may not have sufficient funds for mission-critical IT.

That’s where the Technology Modernization Fund (TMF) comes in.

TMF bridges the gap in IT Modernization between what agencies want and Congress expects. In the last several months alone, the TMF has approved seven new projects totaling over $300M in new funding.

To help address immediate security and capability gaps, suppliers must have a better understanding of the TMF. Agency customers will be better positioned for TMF money if you can explain how products and services map to TMF priorities, and how they provide solutions to pressing IT issues. 

Shaping the TMF proposal

TMF is an “innovative funding vehicle” authorized by the Modernizing Government Technology Act of 2017. It provides agencies with resources to secure systems and data, and to deliver services to citizens.

The Technology Modernization Board of TMF evaluates project proposals, provides funding recommendations, and monitors progress and performance of approved projects. Project proposals are submitted through a two-phased approval process – an Initial Project Proposal (IPP) and a Full Project Proposal (FPP). 

Read more of this post

Filed under Market Intelligence, Sales Tagged with , , ,

StateRAMP is here to stay. Are you ready?

March 3, 2022 by Leave a comment

By Ceren Öney, SLED Market Intelligence Manager

Formal adoption of StateRAMP into IT procurement policies is rapidly increasing. Last year, we encouraged vendors to put StateRAMP on their radar screens. Since then, nearly 200 government members representing 33 states have joined the membership.

For service providers selling into state, local, and education institutions, now is the time to ensure that your cloud security is compliant with StateRAMP requirements.

While StateRAMP itself may still be a few years from being a household word, that doesn’t mean that state and local governments have been sitting idly by. The move toward better monitoring and certification of state, local and education network security has been going on for years, with two states at the forefront.

Arizona and Texas introduce state-specific frameworks

In September 2021, Arizona CIO J.R. Sloan announced the state will “test-drive” StateRAMP over the next year. Sloan, StateRAMP President and founding board member, had previously introduced AZRamp, Arizona’s Risk and Authorization Management Program. Arizona’s move to test StateRAMP doesn’t come as a surprise and further solidifies Sloan’s confidence in the program.

Meanwhile, effective January 1, 2022, Texas mandates state agencies to only enter or renew contracts for cloud offerings compliant with the Texas Department of Information Resources’ (DIR) own security framework, TX-RAMP.

Rising ransomware attacks targeting state and local governments, schools and colleges increased the pressure to strengthen cybersecurity postures and protect against incursions by bad actors. Coupled with the shift to digital services due to COVID-19’s disruptions and federal funding available under the Infrastructure Investment and Jobs Act and the American Rescue Plan Act, considerable emphasis is being placed on cyber security now more than ever.

Other states adopt the StateRAMP framework

For most states, like North Carolina and Georgia, creating a state-specific framework is too laborious and inefficient. Adopting the established StateRAMP framework makes the initial risk assessment, continuous monitoring and management more seamless and easier.

Read more of this post

Filed under Market Intelligence, Sales, SLED Tagged with , , , , , ,

The Fed’s EDR focus will unlock opportunities in cyber defense

January 26, 2022 by Leave a comment

By Amanda Mull, Contract Specialist

The cybersecurity of the federal government is constantly under attack.  A recent FISMA report from the Office of Management and Budget noted that in FY2020, agencies reported 30,819 cybersecurity incidents to the U.S. Computer Emergency Readiness Team. The variety of attack vectors continues to evolve, creating a dynamic threat landscape.

The government is addressing this challenge by mandating Endpoint Detection and Response (EDR) tools. Companies that can offer these tools and capabilities will be well-positioned to build their federal customer portfolio.

EDR is an integrated security solution that detects threats by combining real-time continuous monitoring and collection of endpoint data with rules-based automated responses and analysis capabilities. The data collected helps determine system security. Evaluation and machine analysis of the data provides coordinated detection of threats and conditions that elicit programmed responses, including follow up via human notifications and further actions to mitigate any potential or actual threats. 

EDR initiatives and Approved Product listing

On January 10, the Cybersecurity and Infrastructure Security Agency announced an expanded and revised EDR technical capability definition and new requirements for adding EDR items to the Department of Homeland Security’s Continuous Diagnostics and Mitigation Program’s Approved Product List.

The federal EDR initiative includes a CISA dashboard to record data collected from all federal executive agency and department information systems. The dashboard metrics are intended to provide an overall federal cyber threat analysis. OMB and other federal actors plan to use the dashboard metrics to evaluate vulnerabilities and make budgetary decisions to fund cybersecurity improvements.

Agency EDR responsibilities and FISMA updating

Expectations for agency engagement are high. EDR implementation is mandated, and agencies must continue to develop and mature their EDR solutions – along with continued reporting of endpoint data to the coordinated CISA federal dashboard.

Read more of this post

Filed under CDM, Contracting, Sales Tagged with , , ,

Cybersecurity Opportunities within the Infrastructure Investment and Jobs Act

January 17, 2022 by Leave a comment

By Gabrielle Perea, Senior Market Intelligence Analyst

With the signing into law of the Infrastructure Investment and Jobs Act, significant funding has been allocated in support of highways, highway safety, and transit programs, including cybersecurity provisions. Cybersecurity providers have a significant opportunity to position their offerings as tools to help with cybersecurity provisions and opportunities detailed in the IIJA.

The IIJA provides $1.9 billion for cybersecurity, with a $1 billion grant program to assist state, local, and tribal governments to guard against cyberthreats and modernize systems, especially critical infrastructure. These funds will be disbursed by the Federal Emergency Management Agency over the course of 4 years, beginning in 2022, with disbursement guided by the Cybersecurity and Infrastructure Security Agency.

Read more of this post

Filed under Market Intelligence, Sales Tagged with , , ,

Older posts

%d bloggers like this: