How Federal Cybersecurity Standards Reach State, Local Governments

This article is an excerpt from GovLoop’s recent report titled “Your Guide to Key Advancements in Government Cybersecurity.”

Government agencies have long battled with how to operate efficiently while innovating effectively for the future. Technology advancements have made iterating through experimentation relatively inexpensive, helping learning and innovation occur faster.

Cybersecurity is often viewed as a hindrance to experimentation and innovation. The federal government has recently invested significantly in modernizing cybersecurity best practices in frameworks applicable to all its agencies in key areas, including procurement, configuration management and continuous information technology monitoring.

State and local governments can now accelerate their innovation and learning by aligning their cybersecurity approaches more closely with their federal counterparts. Such frameworks provide federal, state and local agencies with a common roadmap to more robust cybersecurity nationwide.

“Everybody recognizes that cyber events are happening,” Shawn Wells, Red Hat’s Chief Security Strategist, U.S. Public Sector, told GovLoop during a recent interview. Red Hat is a leader in secure, open-source software solutions. “Regardless, not every agency can stand up a cybersecurity operation and staff it.”

Agencies must subsequently determine what tools, techniques and practices can help fill that gap and decide how insights can be shared across government. One of the biggest barriers is often cost. “Three immediate opportunities for reuse include Common Criteria, which helps shift cybersecurity into technology procurements; the National Institute of Standards and Technology’s (NIST) National Checklist Program (NCP), which provides secure configuration guidance; and government tools such as the Homeland Security Department’s Automated Indicator Sharing program (AIS),” Wells said.

The Federal Aviation Administration (FAA), for example, was once burdened with verifying the security of system components only after receiving them from system integrators. FAA Information Assurance teams would often find the delivered solution lacking during final acceptance testing, after the contracts had already been issued, with the money already spent and little time left to address cybersecurity concerns.

When the FAA released contracts to build a centralized security dashboard, it included clauses restricting system integrators to Common Criteria Certified components. Common Criteria is an internationally recognized process for evaluating security features of commercial technologies. Once the technologies pass an audit by a NIST-validated laboratory, they are listed in the federal “Product Compliant List.” Agencies then have assurance that those technologies meet government security requirements.

State and local organizations can also incorporate Common Criteria into software procurements, which saves time by providing a high degree of trust in a product’s cybersecurity. Wells added that Common Criteria policies are developed through open source initiatives led by the National Security Agency (NSA). Agencies can share their experiences with one another, refining cybersecurity standards for the broadest, strongest protections.

“The Common Criteria process validates technology, such as ensuring secure multi-tenancy of virtualization and container platforms, but also considers how the vendor develops that technology,” Wells said. “Auditors are sent to vendor facilities to ensure both secure software development practices and the physical security of where the software is developed. In 2016, Red Hat became the first provider of a Common Criteria Certified Linux container framework. State and local agencies can now bring innovations to production faster by building on this trusted foundation.”

Agencies can also use the NCP, which curates secure configuration guides for hardening commercial technologies to government standards. The NCP is a “publicly available resource that contains information on a variety of security configuration checklists for specific IT products or categories of IT products,” according to NIST.

NCP checklists help protect government agencies by listing instructions and procedures for configuring IT products to specific operational environments. Many include tailored guidance for state and local governments, such as specialized baselines for criminal justice systems. They also identify unauthorized changes to a product and whether it’s properly configured.

“Common Criteria validates commercial products’ security features, and the NCP complements this process by ensuring agencies have configuration guides that ensure technologies can be deployed securely,” Wells said. “Agencies know instantly if software vendors meet their security control standards, saving them valuable time historically spent attempting to harden procured technologies.”

All government agencies must perform efficiently without overspending or sacrificing cybersecurity. Red Hat helps with secure, stable open source software capable of being deployed in data-sensitive environments while driving mission successes.

Cybersecurity must be baked into everything an agency does. Best practices and standards boost consistency across federal, state and local agencies to ensure that data is protected and that organizations can still innovate and modernize their systems.
