MeriTalk | May 06, 2022
Ninety-one percent of Federal cybersecurity decision-makers say the 2021 Executive Order (EO) on Improving the Nation’s Cybersecurity has made U.S. data and critical infrastructure safer, but just 28 percent say significantly safer, according to Impact Assessment: Cyber EO Year One, a new study from MeriTalk, a public-private partnership focused on improving the outcomes of government information technology (IT).
The report explores perspectives on progress against Cyber EO goals, identifies what successful agencies do differently, and finds the fault lines where agency cyber leaders say they need more help to succeed. Most Federal cyber decision-makers (78 percent) agree the steps outlined in the Cyber EO are necessary to protect our nation. Implementing software supply chain security and migrating to a zero-trust architecture are the two most important factors for national cybersecurity, the research highlights.
And, while just 15 percent have seen tangible improvements because of EO efforts to date, a significant portion expects to see an impact within the next year.
Federal cyber leaders confirm initial progress in areas including vulnerability detection, software supply chain security, vulnerability response, and investigative and remediation capabilities. Just over half confirm IT management and staff are placing increased priority on cybersecurity, and just over half are collecting more cyber data than in the past. But, across the board, progress against EO goals is still in the early stages. Fewer than half rate their agencies’ progress against key EO goals as “excellent.” For example, 36 percent rate progress toward creating a formal strategy as excellent; 34 percent rate progress toward investing in endpoint detection and response (EDR) as excellent; and, 33 percent rate progress migrating to secure cloud solutions, as excellent.
When asked about the importance of zero trust, 82 percent agree that allocating staff and budget resources to zero trust is vital to national security and almost all, 96 percent, agree the Federal zero trust strategy is somewhat or very helpful. Despite the high priority, just 30 percent of Federal cyber decision-makers rate their zero trust progress as “excellent” and many, 67 percent, say the EO’s three-year window for implementing a zero trust architecture is not realistic.
Zero Trust is the gold standard for cybersecurity, so we're encouraged to see the EO is prioritizing that approach. In addition, cloud-native endpoint detection and response capabilities can significantly strengthen the cybersecurity posture for the federal government, especially when integrated with other security capabilities including identity security, threat intelligence, and managed threat hunting. These concepts have become cybersecurity best practices for the private sector’s most technologically advanced businesses, and we encourage the public sector to continue to embrace these technologies and strategies.”
Drew Bagley, vice president and counsel for Privacy and Cyber Policy, CrowdStrike
“Getting to zero trust is not easy. The detail provided in the multi-step guidance from OMB provides a path, but there is no single box you can buy to meet the varied needs of the five zero trust pillars,” says Stephen Kovac, Chief Compliance Officer and Head of Global Government Affairs, Zscaler. “You need multiple solutions from varying vendors that work together with seamless integration to achieve true zero trust – it is a team sport. OMB has done a good job in helping to define those rules, with rule one being to keep users off the network. If they can’t reach you, they can’t breach you.”
Funding is another roadblock. Just 14 percent report they have all funding needed to meet Cyber EO requirements. One-third say they have half, or less than half, of the funding needed.
“The sea change is the focus on comprehensive cyber resiliency,” says Nicole Burdette, principal, MeriTalk. “The EO provided direction, and Federal cyber leaders are now doing the hard work. But progress requires sustained funding and resource commitment. The research shows the gaps.”
“The U.S. federal government is taking important steps to improve the nation’s cybersecurity posture,” said Dave Levy, Vice President of U.S. Government, Nonprofit, and Healthcare at Amazon Web Services (AWS). “In the Cyber EO, the White House directs federal agencies to adopt security best practices, implement zero trust architectures, and accelerate migration to secure cloud services. Organizations of all sizes should consider similar principles and practices to enhance their cybersecurity and protect employees and sensitive data against cyberattack.”
What are the leaders doing differently? Cyber EO champions (leaders who give their agency’s EO progress an A) are predictably more likely than their peers to say they have all the funding they need. They are also more likely to have their chief information officer (CIO) leading their zero-trust implementation (67 percent to 28 percent).
When asked for perspectives on what’s needed to achieve cyber progress, the research identified the Federal wish list:
Workforce training and expertise
Stronger executive buy-in
Detailed direction from agency IT leadership
Centers of Excellence (COEs) in the government to lend expertise
Three-fourths of Federal cyber decision-makers also say the EO should have been more authoritative with private-sector directives.
The Impact Assessment: Cyber EO Year One report is based on an online survey of more than 150 Federal cybersecurity decision-makers familiar with their agencies’ cybersecurity initiatives, including zero trust strategies, in March 2022 and is underwritten by Amazon Web Services (AWS), CrowdStrike, and Zscaler. The report has a margin of error of ±7.7 percent at a 95 percent confidence level.
The voice of tomorrow’s government today, MeriTalk is a public-private partnership focused on improving the outcomes of government IT. Our award-winning editorial team and world-class events and research staff produces unmatched news, analysis, and insight. The goal: a more efficient, responsive, and citizen-centric government. MeriTalk connects with an audience of 160,000 Federal community contacts.
Ardalyst | March 02, 2022
Following a series of high-profile cyber breaches, the Biden administration issued an Executive Order (EO) in May 2021 to strengthen cybersecurity across the federal government. In February 2022, the Office of Management and Budget (OMB) released the "Moving the U.S. Government Toward Zero Trust Security Principles" memo. It lays out strategic goals to move the federal government to a Zero Trust Architecture and requires agencies to develop a plan to implement zero trust architecture with each agency being required to designate a Zero Trust lead.
Ardalyst is proud to announce a concerted effort – relying on collaboration with partners at Mandiant and Microsoft – to deliver an All-Threat™ Strategy approach to Zero Trust Architectures as a means of assisting government agencies and federal contractors in achieving cyber resiliency.
This effort will establish a Zero Trust-based security system, recognizing that security systems themselves can be breached.
The EO makes clear that Zero Trust tenets will be built into any software the federal government acquires or that its contractors use. The EO mandates a review of the Federal Acquisition Regulation (FAR) to accomplish that. Changes to FAR and likewise, DFARS, mean that to continue to do business with the DoD, defense contractors will need to incorporate Zero Trust Architecture into their communication and collaboration platforms.
Agencies are now required to achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024. It applies across the five pillars – Identity, Devices, Network, Applications and Data.
The Ardalyst All-Threat™ Zero-Trust Architecture is an intelligence-led approach to protecting your organization against all tiers of cyber threats in an assumed hostile environment.
The All-Threat offering is a wholistic approach that integrates inferred system-integrity checks and balances between Microsoft's Zero Trust Architecture, Endpoint Security and Mandiant's Threat Intelligence to create a layered security environment that is resilient against different tiers of adversarial threats.
Ardalyst is based in Annapolis, Md. By partnering with our customers to truly understand their unique environment and cybersecurity posture, Ardalyst leverages decades of experience and expertise in cyber operations and resiliency engineering to deliver a comprehensive cybersecurity program that is cost-effective, aligned to your mission and guaranteed to meet your compliance requirements. We replace uncertainty with understanding.
VMD Corp | May 10, 2022
VMD Corp, a leading provider of cybersecurity, agile engineering, and critical infrastructure protection to the U.S. Federal Government, announced that it has promoted former Executive Vice President of Business Development Gregg Leone to the newly created role of Chief Growth Officer, effective immediately.
Since joining VMD five years ago, Gregg has been instrumental in our growth helping us go from a small to a mid-sized contractor while also deepening our customer and partner relationships and helping us to attract top talent. We are glad to have created this new role for Gregg and are looking forward to his continued leadership and effectiveness."
Deepti Malhotra,VMD Chief Executive Officer
Leone has more than 20 years of government IT contracting experience with particular expertise in leadership, strategy, and portfolio management. For the past five years as the Executive Vice President of Business Development, Gregg has been responsible for VMD's corporate development and strategy, major capture strategy and activities, and corporate marketing and communications efforts.
In his new role, he will continue to be responsible for business development, marketing and sales, as well as strategic planning, solution development, strategic partnerships, proposals and more. Gregg will also be responsible for ensuring and managing VMD's growth through metrics like revenue, social ROIs, and employee engagement. He will report directly to Ms. Malhotra.
"I am incredibly excited to be taking on this new role and honored by the trust and recognition placed in me by the entire VMD leadership team," Leone said. "Together, we have accomplished a lot at VMD and as our business continues to transform, I look forward to doing even more together to grow the business, the portfolio and our relationships with existing customers."
Prior to joining VMD, Gregg was a Vice President at CACI International where he led the Federal and Civilian Information Technology business with over $800 million in new growth at the Department of Homeland Security, the Department of Justice, the Department of State, and other mission customers. He has a Bachelor of Science (B.S.) degree in Integrated Science and Technology from James Madison University.
XOR Security | May 25, 2022
XOR Security LLC (XOR) recently announced that it won a $31.4 million single-award task order to provide Cybersecurity Operations Support Services to the United States Patent and Trademark Office (USPTO) within the Department of Commerce. The USPTO Office of the Chief Information Officer [OCIO] delivers information and technology to enable innovation, and these services are critical to USPTO's ability to achieve its mission, goals, and objectives, and its Cybersecurity Division (CD) is responsible for all aspects of USPTO Information Technology Security. These include leading and operating a state-of- the art security operations center, which manages responses to a wide range of security and system performance indicators on USPTO's information systems, network infrastructure, and software systems.
Under this task order awarded by USPTO under General Services Administration (GSA) Highly Adaptive Cybersecurity Service (HACS) as a full and open opportunity, XOR will provide services typically associated with cybersecurity operations programs, and will help USPTO to ensure program alignment with Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, Executive Order (EO) 13800. Award of this task order does not constitute an endorsement by USPTO of XOR.
XOR is committed to supporting our federal government agencies who face evolving cyber threats from a dynamic set of actors. We have over a decade of experience developing and supporting cyber operations and engineering platforms which enables us to deliver the most advanced technology and cybersecurity solutions for our customers."
Razwan Raja, XOR Founder and Principal
Wasif Shakeel, XOR Partner for Cyber Operations, added, "XOR is very excited to kick this project off. I want to thank USPTO for placing their trust in us and give special thanks to our entire team for their hard work leading up to this contract award."
About XOR Security
XOR Security is a small business leader delivering Security Operations, Security Engineering, Cyber Analytics, Cyber Intelligence, and Cyber Offense services across a portfolio of approximately 30 federal and commercial cybersecurity programs, including six Security Operations Centers which we currently lead as Prime contractor. Our highly technical cyber operations and engineering professionals are on the front lines of the cyber battlefield, helping to protect our nation's critical infrastructure. The greatest risk is the one that goes unseen. At XOR Security, we shed light on the shadows.