MeriTalk | May 06, 2022
Ninety-one percent of Federal cybersecurity decision-makers say the 2021 Executive Order (EO) on Improving the Nation’s Cybersecurity has made U.S. data and critical infrastructure safer, but just 28 percent say significantly safer, according to Impact Assessment: Cyber EO Year One, a new study from MeriTalk, a public-private partnership focused on improving the outcomes of government information technology (IT).
The report explores perspectives on progress against Cyber EO goals, identifies what successful agencies do differently, and finds the fault lines where agency cyber leaders say they need more help to succeed. Most Federal cyber decision-makers (78 percent) agree the steps outlined in the Cyber EO are necessary to protect our nation. Implementing software supply chain security and migrating to a zero-trust architecture are the two most important factors for national cybersecurity, the research highlights.
And, while just 15 percent have seen tangible improvements because of EO efforts to date, a significant portion expects to see an impact within the next year.
Federal cyber leaders confirm initial progress in areas including vulnerability detection, software supply chain security, vulnerability response, and investigative and remediation capabilities. Just over half confirm IT management and staff are placing increased priority on cybersecurity, and just over half are collecting more cyber data than in the past. But, across the board, progress against EO goals is still in the early stages. Fewer than half rate their agencies’ progress against key EO goals as “excellent.” For example, 36 percent rate progress toward creating a formal strategy as excellent; 34 percent rate progress toward investing in endpoint detection and response (EDR) as excellent; and 33 percent rate progress migrating to secure cloud solutions as excellent.
When asked about the importance of zero trust, 82 percent agree that allocating staff and budget resources to zero trust is vital to national security and almost all, 96 percent, agree the Federal zero trust strategy is somewhat or very helpful. Despite the high priority, just 30 percent of Federal cyber decision-makers rate their zero trust progress as “excellent” and many, 67 percent, say the EO’s three-year window for implementing a zero trust architecture is not realistic.
“Zero Trust is the gold standard for cybersecurity, so we're encouraged to see the EO is prioritizing that approach. In addition, cloud-native endpoint detection and response capabilities can significantly strengthen the cybersecurity posture for the federal government, especially when integrated with other security capabilities including identity security, threat intelligence, and managed threat hunting. These concepts have become cybersecurity best practices for the private sector’s most technologically advanced businesses, and we encourage the public sector to continue to embrace these technologies and strategies.”
Drew Bagley, vice president and counsel for Privacy and Cyber Policy, CrowdStrike
“Getting to zero trust is not easy. The detail provided in the multi-step guidance from OMB provides a path, but there is no single box you can buy to meet the varied needs of the five zero trust pillars,” says Stephen Kovac, Chief Compliance Officer and Head of Global Government Affairs, Zscaler. “You need multiple solutions from varying vendors that work together with seamless integration to achieve true zero trust – it is a team sport. OMB has done a good job in helping to define those rules, with rule one being to keep users off the network. If they can’t reach you, they can’t breach you.”
Funding is another roadblock. Just 14 percent report they have all funding needed to meet Cyber EO requirements. One-third say they have half, or less than half, of the funding needed.
“The sea change is the focus on comprehensive cyber resiliency,” says Nicole Burdette, principal, MeriTalk. “The EO provided direction, and Federal cyber leaders are now doing the hard work. But progress requires sustained funding and resource commitment. The research shows the gaps.”
“The U.S. federal government is taking important steps to improve the nation’s cybersecurity posture,” said Dave Levy, Vice President of U.S. Government, Nonprofit, and Healthcare at Amazon Web Services (AWS). “In the Cyber EO, the White House directs federal agencies to adopt security best practices, implement zero trust architectures, and accelerate migration to secure cloud services. Organizations of all sizes should consider similar principles and practices to enhance their cybersecurity and protect employees and sensitive data against cyberattack.”
What are the leaders doing differently? Cyber EO champions (leaders who give their agency’s EO progress an A) are predictably more likely than their peers to say they have all the funding they need. They are also more likely to have their chief information officer (CIO) leading their zero-trust implementation (67 percent to 28 percent).
When asked for perspectives on what’s needed to achieve cyber progress, the research identified the Federal wish list:
Workforce training and expertise
Stronger executive buy-in
Detailed direction from agency IT leadership
Centers of Excellence (COEs) in the government to lend expertise
Three-fourths of Federal cyber decision-makers also say the EO should have been more authoritative with private-sector directives.
The Impact Assessment: Cyber EO Year One report is based on an online survey of more than 150 Federal cybersecurity decision-makers familiar with their agencies’ cybersecurity initiatives, including zero trust strategies, in March 2022 and is underwritten by Amazon Web Services (AWS), CrowdStrike, and Zscaler. The report has a margin of error of ±7.7 percent at a 95 percent confidence level.
The voice of tomorrow’s government today, MeriTalk is a public-private partnership focused on improving the outcomes of government IT. Our award-winning editorial team and world-class events and research staff produce unmatched news, analysis, and insight. The goal: a more efficient, responsive, and citizen-centric government. MeriTalk connects with an audience of 160,000 Federal community contacts.
Ceres | January 17, 2022
In response to the federal government's request for comments on draft regulations that would revise the federal procurement process to factor in sustainability in government purchasing, Ceres submitted recommendations that would help reduce U.S. greenhouse gas emissions (GHG) while incentivizing zero-carbon innovation. The U.S. government is the world's largest purchaser of products and services, spending around $665 billion in 2020.
Last year, President Joe Biden called the climate crisis a challenge that would require a "whole-of-government approach," and followed up on this statement by issuing an Executive Order and sustainability plan in December 2021. It outlined targets for federal climate-focused procurements that would significantly reduce carbon emissions from large federal vendors.
In its recommendations, Ceres is calling on the government to:
Require major suppliers to demonstrate a commitment to Paris climate targets, including annually disclosing GHG emissions and a science-based plan for reducing those emissions to net zero by 2050 or sooner.
Deliver substantial reductions in the government's own GHG emissions; achieve mass commercialization of products essential to meeting Paris climate targets; and address long-standing racial and social inequities resulting from climate.
Institute a new competitive bidding process focused on high-priority, zero-carbon products to reward and incentivize technological innovations and cost reductions in these products.
Utilize federal grants and loans to reduce GHG emissions through the procurement program, with a focus on large-scale grant funding authorized by the new bipartisan infrastructure law.
"If we want to avoid the worst impacts of the climate crisis, we need to produce substantial greenhouse gas emissions reductions by 2030. With our recommendations, the new sustainability-focused federal procurement program can help to make dramatic progress on climate change, fuel bold innovation, create new green jobs, and promote environmental justice," said Steven M. Rothstein, Managing Director of the Ceres Accelerator for Capital Sustainable Markets at Ceres. "We look forward to working with the administration, investors, companies and other stakeholders to improve the program and ensure quick and successful implementation."
Acalvio Technologies | April 21, 2022
Acalvio Technologies, the leader in cyber deception, announced that the FedRAMP Ready ShadowPlex platform has been added to the Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) Continuous Diagnostics and Mitigation (CDM) Approved Products List (APL).
ShadowPlex enables government organizations to execute the three key aspects of adversarial engagement with operational efficiency:
Detection: Rapidly detect adversary presence both on-premises and in cloud infrastructure
Disruption: Derail and delay attacks
Intelligence: Easily gather granular forensics of tactics, techniques, and procedures
ShadowPlex leverages novel AI capabilities for both ease of use, by making deception autonomous, and effectiveness, by blending and customizing deception for every subnet and endpoint. Because it doesn’t require agents on production systems, ShadowPlex is low-risk to deploy but also produces high fidelity alerts. The solution was named a finalist in the RSAC Innovation Sandbox.
The CISA Continuous Diagnostics and Mitigation (CDM) Program is a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to help them improve their respective security postures by delivering better visibility and awareness of their networks and defending against cyber adversaries.
US Federal Agencies are under increased cyber threats, including state-sponsored cyber-attacks. Advanced Deception Technology is best suited to defeat these attacks. A National Security Agency (NSA) article (The Next Wave, 2021) shows that about 78 percent of the attackers are detected by deception technology within 20 minutes of breaching the network. CISA, in the 2022 – 2026 Strategic Technology Roadmap, has specifically recommended deploying deception technologies within the next two years by all Federal and critical infrastructure (CI) stakeholders for Network Security management.
“Acalvio ShadowPlex provides a powerful new capability to detect and respond to advanced threats, even zero-day attacks. The addition of ShadowPlex to CDM APL makes it easier for Federal agencies to procure and deploy modern deception technology to combat sophisticated adversaries.”
Ram Varadarajan, co-founder and CEO of Acalvio Technologies
The inclusion in CDM APL adds to the FedRAMP Ready status, SOC 2, and NIST 800-171 compliances achieved by Acalvio Technologies.
About Acalvio Technologies
Acalvio is the global leader in Active Defense solutions to combat cyberattacks. Its breakthrough Autonomous Deception technology is based on over 25 issued patents in Distributed Deception and advanced AI, to enable deployment of Active Defense that is effective, easy to use, and enterprise scale. Acalvio’s Autonomous Deception reduces attacker dwell time through early detection of advanced threats and increases Security Operations Center efficiency by utilizing sophisticated investigation and active threat-hunting capabilities. The Silicon Valley-based company’s solution serves Fortune 500 enterprises, U.S. government agencies, and marquee MSSPs.
ICF | February 23, 2022
ICF, a global consulting and digital services provider, was recently named the 2022 ServiceNow Americas U.S. Federal Partner of the Year for continued success in partnering with ServiceNow's federal team to rapidly deliver impactful digital solutions to the U.S. government.
"ICF is one of the most capable partners to deliver ServiceNow to federal agencies. The team always puts the customer first and consistently co-delivers mission-driven engagements to agencies. ICF's collaborative approach to sales and marketing, dedicated ServiceNow practice, platform accelerator library and expertise across all platform modules has contributed to high customer satisfaction scores for an impressive four years in a row."
Steve Walters, vice president of Federal at ServiceNow
In 2021, ICF completed over 250 deployments on the Now Platform®, with its scaled-delivery Digital Service Centers alone yielding over 150 apps to date designed to quickly improve clients' business outcomes. A ServiceNow Elite Partner, ICF has over 500 ServiceNow-certified technical consultants supporting the U.S. federal civilian and defense markets. ICF's over 50 ongoing ServiceNow-related projects include work for clients such as the U.S. Department of Commerce, the U.S. Department of State and the U.S. Department of Health and Human Services.
"We are combining the best of ICF's deep domain and technology consulting expertise with the ServiceNow Now Platform to deliver quick, secure and affordable low-code solutions to federal customers," said Mark Lee, executive vice president and public sector lead. "We are proud to be recognized once again for our successful partnership and look forward to exploring innovative ways to collaborate to address our clients' evolving mission and digital business needs."
This year's ServiceNow Partner awards were based on 2021 performance and evaluated attributes such as revenue contribution/growth, product line expansion, workflow and skill competencies growth, and business innovation with associated digital transformation impact. A leading low-code/no-code platform implementer in the federal space, ICF was named ServiceNow's #1 U.S. Federal Partner of the Year in 2019 and is a platinum-level sponsor for ServiceNow's Federal Forum 2022 in March.
ICF combines public sector domain expertise with an ecosystem of platform partners and digital practices to deliver responsive, scalable solutions that achieve clients' mission outcomes and a step change in productivity. The company's digital solutions help mission leaders solve critical problems, modernize systems, harness the power of data and analytics and optimize the customer experience to drive positive change from within.
ICF is a global consulting services company with approximately 8,000 full- and part-time employees, but we are not your typical consultants. At ICF, business analysts and policy specialists work together with digital strategists, data scientists and creatives. We combine unmatched industry expertise with cutting-edge engagement capabilities to help organizations solve their most complex challenges. Since 1969, public and private sector clients have worked with ICF to navigate change and shape the future. Learn more at icf.com.