Federal guidelines worth following to strengthen cybersecurity
May 14, 2015
Nearly 15 months ago, the National Institute of Standards and Technology released the Cybersecurity Framework. The framework was a collaboration between the federal government and industry to establish guidelines, standards and practices for protecting critical infrastructure. Its aim was to give government agencies a cybersecurity approach that is both cost-effective and strong.
The Department of Justice’s cybersecurity unit also released new guidance for organizations to follow in order to protect sensitive data. Together with NIST’s framework, it gives local and state governments a basis for creating and following sound security procedures. The Framework has three parts, each with its own role. The Framework Core is a set of cybersecurity activities, outcomes and informative references. Next is the Framework Profile, which helps a government align its cybersecurity activities with its risk tolerances, resources and business requirements. Finally, the Framework Implementation Tiers let a government characterize how rigorously it manages cybersecurity risk.
The executive summary of the Framework also advises governments “to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities.”
In the time since the framework was created, The National Law Review said local and state governments have openly engaged and embraced it, as have a handful of federal agencies.
Four federal agencies highlighted
The U.S. Departments of Treasury, Commerce and Energy, as well as the Federal Communications Commission, have taken the necessary steps to protect themselves by adhering to the framework. The response of the DOE was particularly notable in the wake of a July 2013 data breach. In that attack, the personal information of 104,000 people was made available for download. According to Ars Technica, the breach occurred because the DOE was relying on a decade-old patchwork of systems. Some important security updates had not even been installed, making the DOE an easy target. An investigation found that none of the database tables were encrypted, a gap the framework is designed to close.
State governments also implementing Framework
To help more states adopt NIST’s framework, the National Governors Association released a guide; some of the leading states have been Pennsylvania, Mississippi, New York and Virginia. Pennsylvania, for instance, built NIST’s framework into its enterprise governance and risk compliance program, according to The National Law Review.
Governments should also follow DOJ
Also in early May, the DOJ released steps for state and local governments to follow to strengthen their cybersecurity. Some of the steps are:
- Identification and early action: The DOJ recommends prioritizing critical resources, especially for smaller government agencies. Doing so supports a strong disaster recovery plan and a clear guideline for what to do in a critical situation. A state or local government should take steps to ensure employees know how to proceed in an emergency even if key personnel are not available.
- Utilize technology beforehand: Smaller governments need to proactively contact federal IT services before an intrusion occurs, the DOJ recommends. Specialists will examine what the government will need and tailor the equipment to the size of the organization.
- Inform legal counsel and law enforcement: With the increasing number of cyberattacks, it is important for agencies to turn to lawyers who are, in the DOJ’s words, “cyber-savvy.” Governments will then be able to get legal advice quickly on how to proceed in the event of a cyberattack. State and local governments are also advised to build relationships with local law enforcement, as well as the FBI and Secret Service. Organizations with more dedicated cybersecurity teams and resources can be of great help after an attack.
State and local governments need to be extra vigilant when it comes to cybersecurity because many smaller governments lack the necessary funds. According to a Deloitte-NASCIO study, 75.5 percent of state chief information officers cited an insufficient budget as a barrier to guarding against an attack.
However, organizations can address any shortfalls by following guidelines from NIST and the DOJ, as well as working with federal IT services to ensure strong cybersecurity.