A Data-Centric Approach to Zero Trust for Public Sector

By Derek Giarratana, Supplier Manager

An organization’s data is its most important and valuable asset. This is especially true as organizations continue to move towards data-driven approaches to deliver on their missions and are more actively putting that data to work — and in remote locations no less. This means the need to protect data and maintain its accuracy and integrity is paramount.

In this series, we will explore each of these facets of data security and how it applies to IT challenges currently faced in the public sector. This first installment examines Zero Trust and how a data-centric approach addresses some of the hurdles with which public sector IT leaders struggle.

What is Zero Trust?

Aptly named, a Zero Trust approach assumes nothing internal or external to an organization’s perimeters can be trusted and should, therefore, require additional verification for access. The level of sophistication needed to meet the expectations and requirements of public sector data security lends itself to a Zero Trust model, which prompts data security experts to assess and manage data at the most granular level. With this approach in mind, data security experts are taking a fine-tooth comb to their data and paying close attention to their data management environment.


What is CMMC?

By Jeff Ellinport, Division Counsel

Although CMMC has been around for more than a year, it never hurts to review what it is and why those who sell into DOD and the rest of the federal government should care.

CMMC stands for Cybersecurity Maturity Model Certification and is a new certification process to measure a company’s ability to protect sensitive government data. It is a unified standard for implementing cybersecurity across the defense industrial base. CMMC is a way for DOD — and soon after, probably civilian agencies as well — to address intellectual property theft, cybercrime and national security threats of the type evidenced by the recent SolarWinds attack.

Once fully implemented, CMMC will be an acquisition foundation, required for almost every contractor transacting business with the U.S. government.

CMMC Maturity Levels

CMMC has five maturity levels, with basic cybersecurity hygiene at a Level 1 to very robust requirements at a Level 5. These certification levels reflect the maturity and reliability of a company’s cybersecurity infrastructure to safeguard sensitive government information on contractors’ information systems. The five levels build upon each other’s technical requirements such that each level requires compliance with the lower-level requirements and then implementation and documentation of additional processes employing more rigorous cybersecurity practices.


StateRAMP: An Outgrowth of FedRAMP for SLED

By Troy Fortune, VP & General Manager

Is StateRAMP on your radar screen? If you are a cloud software vendor and trying to sell into the state, local and education market, I encourage you to pay attention.

Modeled after FedRAMP, StateRAMP is gaining traction among many state CIOs. For the last seven years, cybersecurity has topped the priority lists for CIOs at the state, local and education (SLED) levels, yet there are no established security standards they have all agreed to.

StateRAMP plans to leverage the existing FedRAMP assessment and approvals processes to help simplify the implementation for government and industry. Logistics for FedRAMP to StateRAMP transitions are still being finalized but vendors should look for the marketplace to launch in Q2 of 2021.

Cyberattacks on the Rise

Cyberattacks in SLED have amped up in recent years and become increasingly sophisticated, targeting sensitive citizen PII data. Many organizations have begun taking steps to protect their databases and systems, but those measures vary widely from state to state and even department to department. The expanded use of cloud-based systems to house and manage critical services like Medicaid and unemployment insurance only increases the risk. Unfortunately, few standards exist for cybersecurity or cloud security, which makes the protection of their sensitive data even more challenging.


Changes in FITARA 11.0: How You Can Help Agencies Improve Their Scorecards

This past December, GAO made changes to the FITARA scorecard. By tracking these changes, you can help your agency customers improve their FITARA grades and meet mission goals.

The next agency self-reporting period comes in April, with scorecards due in May. Agencies are being pushed to better use IT to meet FITARA objectives, such as cybersecurity and modernizing government technology.

So what does that mean for FITARA compliance? From a flyover perspective, first, the new administration is likely to look more closely at transformation in its policy priorities. Next, the FITARA scorecards will retire categories that have had across-the-board success, and shift focus to the next area that needs improvement.

Here are some of the expected shifts.


Top Federal Civilian Cybersecurity Trends in FY21

By Jessica Parks, Market Intelligence Analyst

With the recent SolarWinds breach, IT vendors who sell to the government may be wondering about its impact on their customers’ needs. Federal civilian agencies have already made cybersecurity a top priority for FY21, so while the breach by itself will not directly spur significant new initiatives or projects, it still emphasized the urgency of getting defenses up to speed.

With fresh awareness around cybersecurity gaps, there has never been a better time to check on your government customers and help them fulfill their security needs. Read on for a high-level overview of the top 3 trends in federal cybersecurity for FY21.


Helping States Align the Right Resources to Combat the Opioid Crisis

By Charles Castelly, SLED Market Intelligence Analyst

States are increasingly relying on a multi-pronged, data-centric approach to tackle some of the biggest health crises of our time. The Commonwealth of Virginia, like many other state and local governments, is grappling with containing both the current pandemic and the ongoing opioid crisis, both of which continue to ravage communities, according to Carlos Rivero, Virginia’s chief data officer, in a recent podcast interview.

Fortunately, in tackling the ongoing opioid crisis, a few best practices and lessons learned have emerged that industry should take note of when pursuing opportunities here. States like Virginia now realize that a fully integrated and coordinated combination of cloud services, enterprise applications and cutting-edge cybersecurity is most effective for tracking and anticipating where resources are needed most.


SLED Cybersecurity Opportunities: The “Whole-of-State” Approach

By Rachel Eckert, SLED Market Intelligence Manager

Cybersecurity incidents increase every year, and state, local and education entities are struggling to respond in the face of limited funding and resources.

As I talked about in a recent virtual event, that response is taking the form of a synchronized “whole-of-state” approach to state and local cybersecurity initiatives. In this approach, all stakeholders – state IT, the National Guard, local law enforcement, local government and schools – are pulled together to develop a cohesive and coordinated response plan. The plan leverages state services, such as incident management, awareness and training, forensics, use of the security operations center and vulnerability management.

The potentially good news here is that additional federal funding may be coming to help states and local governments tackle cyber issues. The House has passed the State & Local Cybersecurity Improvement Act. If enacted as law, this measure will provide some $400M per year for states to coordinate with local governments on a cohesive security plan and response strategy, and to support upgrades to state and local systems.

Here are just a few categories of opportunities to consider in this new era of SLED cybersecurity.

Top 3 FY21 Opportunities at the Department of Education

By Jessica Parks, Analyst

With another busy year end in the rearview mirror, it’s time to look to FY21. While large agencies such as the Department of Homeland Security and Health and Human Services always attract attention due to their budgets and high-visibility projects, it’s important to remember that other agencies across government also require your assistance to deliver, innovate and economize.

One such agency, the Department of Education, has requested $5 million for FY21 to establish a Working Capital Fund, showing that accelerating IT modernization will be a priority. Read on for the top 3 areas poised for significant investment.

1) NextGen Federal Student Aid (FSA)

Located in the Office of Federal Student Aid, this approximately $1B program seeks to improve the experience of external customers (such as students) in their interactions with FSA. The program covers a myriad of areas, from business process management to cybersecurity to data management and analytics. High on the list for FY21 are mobile solutions, self-service tools (think machine learning and AI solutions) and records and content management.

How IT Can Help Streamline the Voting Process and Improve Accountability

By Charles Castelly, Analyst

With the presidential election around the corner, citizens are contemplating when and how they are going to vote — in person or via mail-in ballot. This is an unusual year due to concerns stemming from the global pandemic, and with that comes necessary changes for both governments and voters. The outcome of this election will rely heavily on mail-in voting, which presents some unique challenges.

Election accountability is especially crucial this year and with only a few weeks remaining, states are rushing to ensure their systems are up to par and can handle the influx of mail-in ballots expected.

Citizens are demanding accountability in the vote tabulation. Several states have rolled out applications that enable citizens to track their ballots — from request to vote count. However, there is a handful of states that do not currently have an online tracking option, such as Connecticut, Mississippi, Missouri, Wyoming and New York. Other states have tracking at a state level but have little to no tracking capability at the county level.

Cybersecurity Spending Continues in State Government

By Rachel Eckert, SLED Manager

By now, most of us are aware of the budgetary restrictions many states will be under due to reduced revenue collections. Arkansas will experience cuts of about $250 million in the next fiscal year. Utah could see budget cuts up to 10%, while Vermont may see budget cuts of up to 25%. This will most likely restrict the number of new projects, but one area many state CIOs expressed continued support for is cybersecurity.

During recent round table discussions hosted by NASCIO, budgets and budget cuts were top of mind for CIOs as they shared top priorities for the coming fiscal year. Many stated that they were continuing with their initiatives as best they could, balancing funding with requirements. Initiatives include projects like service digitization, automation, customer relationship management, and in many cases, improving cybersecurity frameworks.

Some states are planning to leverage funding they receive through the CARES Act for technology, while others are trying to find alternative ways to finance new and ongoing initiatives alike. Despite budget cuts, there is one area continuing to receive CIO attention — cybersecurity. Here’s a snapshot of what’s happening across the country.
