Cybersecurity Spending Continues in State Government

By Rachel Eckert, SLED Manager

By now, most of us are aware of the budgetary restrictions many states will be under due to reduced revenue collections. Arkansas will experience cuts of about $250 million in the next fiscal year. Utah could see budget cuts up to 10%, while Vermont may see budget cuts of up to 25%. This will most likely restrict the number of new projects, but one area many state CIOs expressed continued support for is cybersecurity.

During recent round table discussions hosted by NASCIO, budgets and budget cuts were top of mind for CIOs as they shared top priorities for the coming fiscal year. Many stated that they were continuing with their initiatives as best they could, balancing funding with requirements. Initiatives include projects like service digitization, automation, customer relationship management, and in many cases, improving cybersecurity frameworks.

Some states are planning to leverage funding they receive through the CARES Act for technology, while others are trying to find alternative ways to finance new and ongoing initiatives alike. Despite budget cuts, there is one area continuing to receive CIO attention — cybersecurity. Here’s a snapshot of what’s happening across the country:  Read more of this post

AI Is on the Upswing in State Government

By Rachel Eckert, SLED Manager

When it comes to artificial intelligence, most states are just beginning to uncover its potential.

As I discussed in a recent webinar, AI usage thus far has been mostly experimental. Recent survey data from the Center for Digital Government demonstrates that nearly a third of those surveyed about their current deployment of AI are doing so through proof-of-concept projects.

While widespread use of AI is not taking place, the good news is that the share of states NOT using AI is only 12% — meaning there are far more states open to using AI than not. This is a wide-open field with few standards or common threads from project to project and provides an opportunity for AI vendors to approach state and local governments with their technology. Read more of this post

Cyber Insurance Is Not an IT Strategy

By Rachel Eckert, SLED Manager

Ransomware attacks on our state and local governments’ IT infrastructure are increasing at an alarming rate and our customers are looking at cyber insurance to mitigate risk. But cyber insurance shouldn’t be confused with a sound cybersecurity strategy that guards against attacks in the first place.

Here’s what you need to know about cyber insurance and how you can work with customers to develop cyber strategies that will serve them for the long term. Read more of this post

If You Sell to DOD, Pay Attention to CMMC

By Troy Fortune, Vice President & General Manager

You’ve probably heard that the Department of Defense (DOD) recently released the official version 1.0 of its new Cybersecurity Maturity Model Certification (CMMC 1.0).

This is one of the hottest topics in government contracting right now and immixGroup is following developments very closely. And, it will affect everyone in our industry who sells to DOD – resellers, distributors and OEMs. 

As a quick refresher, this is a cybersecurity standard that all contractors must meet if they want to do business with DOD. As we’ve discussed before in a previous blog, the standards themselves are taken from existing ones. With CMMC 1.0, we now have more clarity on what the 5 levels of CMMC entail: Read more of this post

HAVA Grants Provide Funding for States to Protect Election Systems

By Rachel Eckert, SLED Manager

With just about a year before the general election and eight months before the primaries, the rush is on to identify and mitigate any potential security gaps in election systems!

Our national election system is a very complex network and involves multiple stakeholders including federal, state and local public entities, private companies and citizens. Multiple IT systems and databases that manage and support voter registration, polling books, vote tallying and election night results – are all potential points of vulnerability.

Updating and/or replacing these systems is not cheap, and with already strapped budgets, this strains state and local governments alike. While some governments have already invested in systems upgrades and improvements, many others will be looking for help from the vendor community before the next big general election.

HAVA Grants Fund Election System Upgrades

The good news is that there are funds available to state and local entities in the form of grants from the “Help America Vote Act” – or HAVA. In March 2019, an additional $380M from the federal government was provided to states to help with election security improvements. Each state received a base of $3M with the remainder of the $380M distributed by voting age population. Smaller states typically only received the base $3M, but larger states like California received upwards of $34M. Read more of this post

New Security Requirements Coming to DOD Acquisition in 2020

Lloyd McCoy Jr.Cyber security network concept. Master key connect virtual networking graphic and blur laptop with flare light effectBy Lloyd McCoy, Market Intelligence Manager

Starting next summer, anyone selling IT to the Department of Defense will need to be certified by the Cybersecurity Maturity Model Certification (CMMC) in order to compete for contracts.

The CMMC is a set of security standards that will start appearing in RFIs in June 2020 and will apply to all defense acquisitions by September. The CMMCs will represent security maturity levels and will have five levels, each with their associated security controls and processes. Level 1 will likely be like what we consider basic hygiene, with Level 5 describing the very best in security practices. The level needed will depend on the contract and will be used to determine whether a vendor makes the cut. Details on what each of the levels contain are scant right now but expect more information in the coming months as the Department collects public feedback. Read more of this post

States Improving Cybersecurity Posture Through NGA Partnership

By Rachel Eckert, SLED Manager

The National Governors Association (NGA) recently announced a partnership with states and territories that are looking to enhance their cybersecurity posture through the implementation of key controls to mitigate future attacks.

After a competitive application process, the six states and one territory chosen were Arkansas, Guam, Louisiana, Maryland, Massachusetts, Ohio and Washington. Through a series of workshops between now and the end of the year, NGA, along with their respective homeland security agencies and National Guard units, will coordinate with state agencies, local government and K-12 schools to develop methods of improving existing cybersecurity approaches.

During the workshops, participants will brainstorm new methods to protect critical infrastructure, and vendors may discover new business opportunities. In addition to developing more comprehensive strategies and collaborating with neighboring governments, the participants will be focusing on implementing six key controls outlined by the Center for Internet Security:

Read more of this post

DHS CISO Talks About Authentication, Supply Chain and Internet Regulation

By Lloyd McCoy, Market Intelligence ManagerLloyd McCoy Jr.

At a recent immixGroup vendor demo day, Paul Beckman, CISO at the Department of Homeland Security, touched on several technological challenges and frustrations that concern him – topics ranging from patching to supply chain risk to the inevitability of security regulations surrounding the internet.

“I want to get out of the patching business,” Beckman noted, asking, “why can’t I go to automatic updates?” “I don’t understand why we’re still relying on the selected pushing of patches,” he continued. A decade ago a service patch might have created the “blue screen of death” on machines, Beckman said, so that even today, “the ops side of the house is telling me, ‘what are we going to do if we get a bad patch?’”

“My response to them is that restore capability has matured greatly in the last decade. Something goes bad in the machine, push a button, you’re back to where you were at midnight last night.” Beckman added that technology has advanced to the point where the bad patch argument can be discounted and end points can go to automatic patching.
Read more of this post

Vendor Innovations in Cybersecurity: From Browsers to IoT to Mobile

By Tim Larkins, Senior Director, Market Intelligence and Corporate Development

Threats to network security have evolved and vulnerable attack vectors have expanded – from browsers to mobile devices to the increasingly interconnected appliances that are part of the Internet of Things (IoT). Vendors of cybersecurity solutions are now branching out beyond their initial niches to embrace wider aspects of security.

In immixGroup’s recent panel discussion during Cyber Ops Demo Day held earlier this month, six of industry’s most prominent vendors each described what they were doing to help prevent security breaches in this era of multiple security attack vectors.

Marlin McFate, federal CTO, Riverbed Technology, said his company has broadened its reach beyond network monitoring, application monitoring and user monitoring to security issues ranging from insider threat to exfiltration. Riverbed’s acquisition of FlowTraq has integrated that capability into its visibility solution. The technology allows for security problems to be analyzed from a behavioral perspective, to identify devices that are no longer acting like normal appliances or system users that are not actually part of the organization.

Read more of this post

Government Needs to Shore Up Security Readiness – Before the Next Shutdown

Lloyd McCoy Jr.

By Lloyd McCoy, Market Intelligence Manager

Whether it’s through government shutdowns or cyber threats, the possibility of government having to unexpectedly operate at reduced capacity is greater than ever. While it appears that the recent partial shutdown had minimal impact on security readiness, we should count ourselves lucky instead of expecting such an outcome to be the norm.

With the resumption of full government operations, all agencies, not just those affected, should take stock and partner with industry to shore up their posture in two areas, risk management and AI.

Risk Management

Government agency risk management strategies have traditionally emphasized the threat landscape and vulnerability of attack surfaces. Expect agencies to take a hard look at their risk posture to determine whether they’ve adequately factored in the impact of government shutdowns. This is an area where industry can play a role – helping agencies adjust their security readiness in an environment where reduced operations may become more of a norm.

Work with your government customer or prospect to ensure that proper backup and recovery capabilities are in place, that their systems and networks have the right kind of resiliency and segmentation solutions in place, and that the security personnel are equipped with the right tools to “put out fires” when workforce and capacity levels are compromised.

Read more of this post

%d bloggers like this: