惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
博客园 - 三生石上(FineUI控件)
S
Securelist
U
Unit 42
The Cloudflare Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Simon Willison's Weblog
Simon Willison's Weblog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
B
Blog
T
Tenable Blog
The Hacker News
The Hacker News
The Register - Security
The Register - Security
IT之家
IT之家
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
P
Privacy & Cybersecurity Law Blog
博客园_首页
T
Tailwind CSS Blog
人人都是产品经理
人人都是产品经理
C
Cybersecurity and Infrastructure Security Agency CISA
Know Your Adversary
Know Your Adversary
NISL@THU
NISL@THU
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
阮一峰的网络日志
阮一峰的网络日志
T
Tor Project blog
C
CERT Recently Published Vulnerability Notes
Apple Machine Learning Research
Apple Machine Learning Research
Stack Overflow Blog
Stack Overflow Blog
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
V
Vulnerabilities – Threatpost
A
Arctic Wolf
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
V2EX
aimingoo的专栏
aimingoo的专栏
大猫的无限游戏
大猫的无限游戏
Scott Helme
Scott Helme
L
LINUX DO - 热门话题
Cyberwarzone
Cyberwarzone
V
Visual Studio Blog
月光博客
月光博客
爱范儿
爱范儿
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
美团技术团队
G
GRAHAM CLULEY
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
H
Heimdal Security Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

MeriTalk

Eliminating Silos in IT/OT Cybersecurity Is a Funding Challenge, Not a Technical One The FedRAMP High Supply Crisis Is a Federal Security Problem – Not a Procurement Footnote How More Tightly Focused Software Development Initiatives Will Unlock Innovation Across Government Transforming Federal Cybersecurity Through Private Sector Innovation Evolving Zero Trust and Embedded AI – Federal Government Cybersecurity Predictions for 2026 Unlocking AI’s Potential in High-Assurance Environments Accelerate Agentic AI in the Federal Government: Top Takeaways Why Congress Must Reauthorize the Technology Modernization Fund Make Cybersecurity a Key Ingredient of Modernization How Spectro Cloud’s PaletteAI Secure helps agencies scale AI securely, compliantly, and confidently Fix the Foundation: How Hybrid Cloud and Trusted Data Enable Government AI New Google Workspace Cost-Saving Offer Available for U.S. Federal Government Reinventing FedRAMP in the Age of AI Balancing Security and Efficiency: The Federal IT Dilemma in the AI Era Meeting Evolving State and Local Cyber Threats AI Is the Solution to Stop AI Data Theft Enhancing U.S. Government Operations with AI and Human-Centered Design How FinOps Can Help Agencies Slash Cloud Costs in 5 Steps Will Quantum Computing Weaken or Strengthen Cybersecurity of Federal Systems? Improving Citizen and Federal Employee Experience with Virtual AI Assistants Strategies for Securing the Federal Supply Chain Reframing the U.S. Government’s Approach to Cybersecurity Oversight Three Steps Agencies Can Take to Meet Government’s AI Requirements The Impact of NIST’s PQC Standardization on the Federal Cybersecurity Ecosystem Generative AI is Revolutionizing Federal Government Operations NIST’s new PQC Algorithms and What They Mean for Federal Agencies Addressing the U.S. Quantum Labor Shortage Before It’s Too Late How a Community Vigil Approach and Secure by Design are Critical to Software Cybersecurity Addressing the Talent Shortage: How Digital Government Improves Satisfaction, Retention Here’s What We Can Learn (and Do) About Cybercrime from FBI’s Latest Internet Crime Report Implementing AI Assurance Safeguards Before OMB’s December Deadline The Next AI Wave: Quantum AI CDM’s Evolution to Non-Traditional Technology: Why Now and How Will it Succeed? Customer Expectations Require Agencies to Raise the Bar on Customer Experience, Report Shows Applying for Government Benefits Shouldn’t Be Difficult When It Comes to Identity Verification Four Federal Software Supply Chain Security Trends to Watch FedRAMP Baseline Transition Points to OSCAL-Native Tools What Zero Trust Means for Modern Government: Best Practices for Key Tenets Four Ways to Handle the IT Funding Crunch Agencies Need to Get Creative to Fill the Cyber Workforce Gap Customer Identity trends report shows control trumps convenience Federal Agencies Making Strides Toward Sustainability and Climate Action Executive Order 14028 | Improving the Nation’s Cybersecurity Depends on Data | All Data is Security Data Applying Geospatial Intelligence, AI/ML to Climate Change Challenge My Cup of IT: Angry at Arthritis, Hunting for Cures How the Federal Government Can Help Combat a Fragmented Internet Getting in on the Ground Floor of the ‘New Observability’ Comply-to-Connect is Key to Zero Trust for DoD How Will Upcoming Cryptocurrency Regulations Affect Industry? My Cup of IT: Cup Cake for Kushner? Launching a New Era of Government Cloud Security Managing IT Complexity in Federal Agencies Agencies Must Modernize Zero Trust Approaches to Achieve Optimal Protection Five Essential Metrics for Measuring Federal Government CX Unlocking the Benefits of 5G and Beyond The Federal Factory of the Future: How AI is Transforming Manufacturing The Quantum Impact on Cyber How Next-Gen Computers Will Transform What’s Possible for Federal Government Agencies Must Take an Authentic Approach to Synthetic Data Biometrics and Privacy: Finding the Perfect Middle Ground Two-Way Street: Why Officials and Constituents Are Equally Responsible for Securing the Midterms The “Programmable World” Will Bring the Best of the Virtual World Into the Physical One Cyberattacks are a Common Occurrence and the Costs are Higher Than Ever Increasing Equity Through Data and Customer Experience The AI Edge: Why Edge Computing and AI Strategies Must Be Complementary How Metaverses and Web3 can Reshape Government Four Emerging Technology Trends set to Impact Government Most 5G Enables AI at the Edge Plugging Cyber Holes in Federal Acquisition Resilient Critical Infrastructure Starts with Zero Trust The Evolution of Government Tech Procurement Under CMMC 2.0 Zero Trust Requires Continuous, Tested Security for Federal Agencies How Multi-INT Fusion Accelerates Mission Intelligence for Real-Time Decision Advantage Three Things to Consider for Responsible AI in Government Legislation, White House Orders Show Agencies Opportunity for Hybrid Cloud Creating an Effective Framework for DoD’s Software Factories Realizing Upsides for Digital Security in the Hybrid Workplace A Future With AI and ML: The Power of Workforce Education Five Tips to Begin MFA Integration and Embrace Zero Trust The Vital Intersection Between Equity and Digital Transformation Equity as a Platform: Applying a New Mindset to Scale Innovation Harnessing the Right Data for Evidence-Based Equity From EO to Action: Human Factors of Enabling a Cyber Safety Review Board For Equity in Government Services, It’s Time to Change the Paradigm Critical Questions to Ask When Considering Explainable AI (XAI) for Your Federal Agency The Telework Model for Government: COVID Lessons for Building an Effective Workforce DevSecOps: 4 Steps for Mitigating the Next Cyber Attack in Your Federal IT Environment Better Cyber Hygiene Helps, but Federal Security Needs SASE Lift DoD, Feds Plot Top Cyber, Cloud Priorities for 2022 Cloud-Native Government: How to Transform With Intention DoD and VA Health Networks Face Growing Threat From Medical-Device Vulnerabilities New Federal Cybersecurity Requirements: How Agencies Should Implement a Zero Trust Architecture Protecting Our Nation Through Big Data Analytics Three Ways COVID-19 Altered Federal, State IT Budget Allocations Ransomware is More Than a Cybersecurity Issue From Me to We: Take the Mission Further With Multiparty Systems Anywhere, Everywhere: Integrating Your Virtual Workplace ‘I, Technologist’: Empowering Innovators in the Federal Workforce Mirrored World: Digital Twins Report for Duty Across Government Stack Strategically: Rearchitecting Government for What’s Next
Accelerating Cybersecurity for US Critical Infrastructure
MeriTalk Sta · 2023-03-29 · via MeriTalk

By Gaurav Pal, Principal and Founder, stackArmor, Inc.

Disruptions in gasoline supplies due to the cyberattack on the Colonial Pipeline in May 2021 transformed cybersecurity attacks from an “online problem” to a national security concern. This seminal event resulted in the release of the National Cybersecurity Strategy (NCS) on March 2, 2023. The NCS brought into focus the potential for serious economic damage and disruptions to our daily lives from cyberattacks on critical infrastructure. Congress and government agencies are acting with urgency to advise organizations in critical infrastructure sectors such as aviation, water and sewage utilities, education, and healthcare to rapidly address cybersecurity concerns. For this strategy to be successful, however, there is no reason to reinvent the wheel. Our path forward should be informed by lessons learned from successful cybersecurity and risk management programs that have proven track records.

Moving from Voluntary Approaches to Mandatory Requirements

There has been much progress over the last ten years in bringing cybersecurity issues to the forefront of organizations, lawmakers, and government executives. However, the speed of change and investments necessary to deliver “cyber resilience” have not kept pace with the velocity, volume, and variety of continued cyberattacks. We continue to read daily about ransomware attacks and cybersecurity incidents in schools, local governments, and healthcare facilities causing disruptions and hardship. The NCS recognizes that voluntary approaches are not working fast enough and seeks to change the status quo by driving policy changes. One of these changes includes transferring liability for cybersecurity from the user to the technology manufacturers of digital products and services. It also seeks to enforce minimum cybersecurity requirements from voluntary adoption to mandating their implementation under the supervision of government agencies. The goal is to accelerate cybersecurity investments to drive cyber resilience. These policy changes are especially important for the critical infrastructure sectors that include essential services that we all depend on.

Securing Critical Infrastructure is a Big Deal

Protecting our critical infrastructure will require the best and brightest minds to come together  because the problem is large and complex. A quick back of the envelope calculation reveals a $20+ billion market opportunity in the United States alone. According to Cybersecurity and Infrastructure Security Agency (CISA), there are 16 critical infrastructure sectors whose assets, systems, and networks are considered vital to the United States. Just to get a sense of the numbers, CISA provides the following data:

  • The defense industrial base consists of 100,000 firms that provide products and services to the Department of Defense. Assuming an average spend of $100,000 per year on cybersecurity solutions, that is a $10 billion market for Cybersecurity Maturity Model Certification (CMMC) 2.0.
  • On March 7, 2023 the Transportation Security Agency (TSA) issued guidance to the aviation sector on the need to improve their cybersecurity posture. There are around 19,700 organizations in the aviation sector alone – which includes aircraft, air traffic control systems, airports, heliports, and landing strips as well as ancillary service providers like aircraft repair stations, fueling facilities, navigation aids, and flight schools. Assuming these organizations on average spent $100,000 per year, then that sector equals a $2 billion opportunity.
  • On March 3, 2023 the Environmental Protection Agency (EPA) advised water and waste water utilities on the need to shore up their cybersecurity defenses. There are approximately 153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems in the United States. More than 75 percent of the U.S. population depends on these systems for their potable water and sanitary sewerage needs. Assuming these organizations on average spent $100,000 per year on cybersecurity, then that amounts to a $17 billion market.

Clearly, the 16 critical infrastructure sectors have a wide variety of cybersecurity needs and will require tailored solutions. Developing the right cybersecurity risk management model and mandating adoption are urgent priorities. To make rapid progress, we should consider leveraging cloud computing, the Federal Risk and Authorization Management Program (FedRAMP), and secure commercially developed innovations.

Steps to Accelerate Cybersecurity for Critical Infrastructure

  1. Mandate Adoption of Secure and Accredited Cloud Solutions

Cloud solutions that have been accredited for government and public sector use provide a secure foundational set of capabilities. These capabilities can rapidly improve the cybersecurity posture of critical infrastructure sectors. Given the wide variability in cybersecurity quality in non-regulated commercial solutions, FedRAMP or StateRAMP accredited solutions provide a ready-made marketplace of vetted capabilities critical to help protect critical infrastructure. A recent McKinsey survey on cybersecurity showed that highly regulated verticals are migrating to the cloud four times more quickly than non-regulated sectors. It is important to ensure that these regulated entities are using well-secured systems and platforms. Federal cybersecurity grants provided to state and local governments should emphasize the deployment and use of FedRAMP and StateRAMP accredited solutions where possible.

  1. Adapt and Clone Successful Cybersecurity Risk Management Programs like FedRAMP

FedRAMP was established in 2011 to help drive adoption of secure commercial cloud services for government and public sector use. Since then the program has successfully accredited nearly 300 commercial cloud services and 4,600 instances of reuse by various agencies, helping to save millions of dollars in compliance costs. The FedRAMP marketplace is heavily relied upon by state agencies, financial institutions, and even international agencies as a source for new and innovative solutions that meet the gold standard for cybersecurity. The success of the FedRAMP program has prompted the creation of other risk management programs like StateRAMP and TX-RAMP, among others. It is important for policy makers to learn from the lessons of FedRAMP by developing a data-driven case study. The case study should document cost avoidance from duplicative cybersecurity spending as well as cost avoidance from potential data breaches that might have otherwise happened.

  1. Develop a Scalable and Effective Cyber Risk and Authorization Management Program

In accelerating the cyber resilience of the critical infrastructure sectors, it is important to adopt approaches that have worked successfully in the past. The FedRAMP Program has enabled the streamlined adoption of commercial digital solutions by public sector organizations. Each Sector Risk Management Agency (SRMA) with oversight of critical infrastructure sectors should consider adapting and tailoring the FedRAMP program architecture based on their unique mission requirements. However, the foundational underlying pillars for FedRAMP’s success include formal authorization requirements and rigorous continuous monitoring processes. Incorporating these two pillars in a cybersecurity risk management program is essential if we want to move from a voluntary approach to a mandated posture. The infographic below provides an overview of how such a model might work.

Critical Infrastructure graphic reproduced from the CISA.gov website.
  1. Incentivize Investment in New and Innovative Cybersecurity Solutions

Currently there is a lot of focus on large firms to solve the cybersecurity issues in critical infrastructure. This approach might not yield optimal outcomes. McKinsey’s recent cybersecurity survey indicates a cybersecurity solutions pricing mismatch in the Small to Medium Businesses (SMB) segment resulting in lack of adoption of cybersecurity solutions. Encouraging the development of new and innovative solutions by small businesses and start-ups can help address this market gap. For example, small businesses and start-ups could be offered Small  Business Innovation Research (SBIR) grants to implement strong security measures and seek FedRAMP authorizations. The SRMAs can be encouraged to sponsor innovative solutions for FedRAMP ATOs thereby unblocking a critical chokepoint in the FedRAMP accreditation marketplace today.

  1. Harmonize Cybersecurity Requirements and Standards

Currently there is a wide variety of cybersecurity frameworks and standards especially in the critical infrastructure sectors. Over the past few years, the NIST Cybersecurity Framework (NIST CSF) has emerged as a “consensus” standard, with increasing adoption. SRMAs should continue to provide easy-to-use implementation guides that encourage the implementation of security best practices detailed in NIST SP 800-53 that underpins NIST CSF. Additionally, SRMAs should be encouraged to use and recommend the adoption of Open Security Controls Assessment Language (OSCAL) to streamline continuous monitoring reporting. NIST and CISA should consider expanding the use of OSCAL for cybersecurity incident reporting. Using machine-readable cyber-incident documents will make it easier to process, analyze, and respond to incidents through automation and enable rapid post-incident analytics.

What the Experts are Saying

“With the recent enactment of the FedRAMP authorization Act, the federal government has an opportunity to better leverage cybersecurity risk management frameworks that highlight the importance of utilizing commercial cloud technologies. Furthermore, as the FedRAMP program expands to serve more of the federal cloud marketplace, it and associated programs like StateRAMP provide decisionmakers with a faster path to authorization, and it is paramount we learn to effectively leverage what’s provided by these pre-approved secure solutions for critical infrastructure protection.”

— Mike Hettinger, Founding Principal, Hettinger Strategy Group

“The release of the National Cybersecurity Strategy roughly three weeks ago has been widely hailed as an important step towards incorporating stronger defenses into U.S. digital networks.  But our Federal landscape is replete with strategies, legislation, White House directives, and so on that have had little impact because there has not been the proper follow-up.  As we await the promised implementation plan for the strategy, this short paper provides some interesting thoughts about how to move forward with a strong and proven metrics-based approach.”

— Alan P. Balutis, Managing Partner, The CIO Collective