Securing data is never easy. It often requires the infusion of outside expertise to put together an effective information security strategy. Data stored on government servers is especially valuable to both individual fraudsters and nation-state actors, and government agencies have been under pressure to enhance their infrastructure security capabilities and take additional measures to protect sensitive records.

A recent audit of the U.S. government’s Office of Personnel Management (OPM) suggested that many agencies, including the OPM, still have a long way to go. To get their security programs off the ground, government organizations must build trust with the private sector and tap companies in the security industry to guide their efforts.

Auditing National Infrastructure Security

The OPM audit found that while the agency had improved its overall data protection program, a moratorium implemented during fiscal year 2015 on all security assessment and authorization activities effectively weakened its security posture. The following year, the OPM authorized a sprint that was designed to bring all systems into compliance. The purpose of the most recent audit was to evaluate the status of that effort.

Two-thirds of the wide area network (WAN) and local area network (LAN) security controls the inspection team tested were found to be either not satisfied or only partially satisfied. The auditors opined that in this state, the likelihood of being able to identify vulnerabilities is significantly reduced.

Even more critical is the absence of a standard LAN/WAN system security plan (SSP). In the auditor’s view, the SSP completeness is foundational. Without it, security teams lack inventory controls and knowledge of what is present within the network.

An Executive Order

Along with the audit, the White House issued its “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which gave each agency and department head 90 days to produce a risk management report to the secretary of the Department of Homeland Security (DHS) and the director of the Office of Management and Budget (OMB). The report must document “the risk mitigation and acceptance choices made by each agency head,” including strategic, operational and budgetary considerations as well as unmitigated vulnerabilities.

These agencies and departments are expected to use the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.” To that end, the NIST issued an implementation guide to help organizations comply with the executive order.

The Private Sector’s Perspective

As government agencies such as the OPM grapple with infrastructure security issues, cybersecurity experts have called for government organizations to think about these challenges from the private sector’s point of view. According to FCW, government agencies should focus on building trust with the security industry and, in turn, rely on the industry to evolve cybersecurity stratagems.

Additionally, the advisory board to the NIST challenged the House of Representatives’ Science, Space and Technology Committee’s approved legislation, which tasked the NIST with conducting cybersecurity audits of government agencies and departments. While the organization has always been associated with the creation of standards and guidance, the advisory board opined that the responsibility shift would “complicate its current mission as a neutral adviser.”

Meanwhile, the Information Security Oversight Office (ISOO)’s “2016 Report to the President” revealed that the cost to maintain classification management systems in 2016 was approximately $16.89 billion. The report also found that most government organizations had “established uniform procedures to ensure that automated information systems, including networks and telecommunications systems that store classified information, prevent access by unauthorized persons, ensure the integrity of the information and, to the maximum extent practicable, use common information technology standards and protocols.”

Waiting For an Invitation

U.S. government organizations certainly have their work cut out for them. The president’s executive order should make a significant dent in the initiative to bolster security across all agencies, but the government can’t do it alone. Private entities are ready and able to guide the government’s efforts to establish a plan to secure the nation’s infrastructure, but they appear to be waiting for an invitation.

More from Government

NIST’s security transformation: How to keep up

4 min read - One thing that came out of the pandemic years was a stronger push toward an organization-wide digital transformation. Working remotely forced companies to integrate digital technologies, ranging from cloud computing services to AI/ML, across business operations to allow workers to keep up high production and efficiency standards. Now that businesses and consumers have adjusted to the new normal of digital transformation, it is time to develop a security transformation strategy. Coping with the speed of change A constantly evolving tech…

Cyber experts applaud the new White House cybersecurity plan

4 min read - First, there was a strategy. Now, there’s a plan. The Biden Administration recently released its plan for implementing the highly anticipated national cybersecurity strategy published in March. The new National Cybersecurity Strategy Implementation Plan (NCSIP) lays out specific deadlines and responsibilities for the White House’s vision for cybersecurity. The plan is being managed by the White House’s Office of the National Cyber Director (ONCD). Cybersecurity experts have applauded the Administration’s plan as well as the new implementation calendar. For example,…

How the FBI Fights Back Against Worldwide Cyberattacks

5 min read - In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve. In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake. Attributed to a unit of the Russian government Security Service,…

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today