Continuing the push to secure the federal government networks, IT resources and data, the president has signed a new executive order that may give federal agencies an increased ability to make things happen.
The constant ring throughout the executive order is “Agency heads will be held accountable….” These words should push agency leadership to pay more attention to bottom line results rather than ensuring that cybersecurity boxes are checked for DHS reports. The days of following some guidance to make reports turn from red to green are gone and actual results now matter.
As always, directives without implementation budget are fairly useless. In this case, the agency heads are being given the opportunity to examine and report on vulnerabilities AND offered the opportunity to identify where funds will be necessary to remediate these vulnerabilities.
Agency personnel should be empowered to deploy technology solutions that best suit their unique mission. This order gives agencies the flexibility to use alternatives to DHS CDM-named vendor tools as needed to mitigate ongoing cybersecurity risk while adhering to high level DHS mandates to improve cybersecurity footing and reporting.
The executive order points directly to our old friend, the NIST Framework. “Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk.”
Using the NIST Framework has been the standard for a few years and agencies were already looking that direction when developing cybersecurity methods and systems to protect their data. This is a consistent approach but this order gives the actual direction to use “The Framework”.
NIST Framework for Improving Critical Infrastructure Cybersecurity
The Framework Core consists of
- Identify
- Protect
- Detect
- Respond
- Recover
Not so much a set of guidelines (or checkboxes) but more of a ‘what’ to identify and manage risk. Of course, risks must be mitigated wherever possible but accepting risk in balance with completing the mission is reality. One Identity is a key component in identifying and mitigating many types of identity-related risks.
Ensuring users and administrators have the right access at the right time is a key component to mitigate risks to your critical data. When data breaches occur there’s always some sort of identity breach that occurred in conjunction. At the core, this is a version of identity theft. In nearly every case of compromised data, the ‘bad actor’ used compromised credentials to access data.
Strong identity management practices and solutions can:
- Identify the critical accounts
- Show where those accounts have access
- Programmatically control access to data
- Provide a history of access changes
For more information on how One Identity helps you implement the core concepts of the NIST Framework, go to https://www.oneidentity.com/nistframework/.
#GetIAMRight
