The threat landscape is currently changing, and so are policies around cybersecurity. For this reason, state and local government agencies must remain cognizant of existing and emerging compliance requirements that affect how they protect information and technology assets.
Agency business and technology leaders must stay abreast of these requirements and ensure that they can operate in their own evolving technology environment in accordance with all relevant laws and regulations.
At the federal level, the president issued an executive order in May 2017 directing federal agencies to adopt a risk-based approach to cybersecurity and to immediately work to modernize cybersecurity controls. Federal agencies subject to this executive order should pay specific attention to the significant cybersecurity risks posed by systems with known vulnerabilities. DHS' Trusted Internet Connections (TIC) program seeks to provide a consistent level of security across agencies to ensure that all agencies have a secure, trusted path to the internet.
The TIC initiative seeks to consolidate internet connections to a manageable number and then provide security services across those trusted connections.
Recognizing the increasing shift toward cloud computing services, the federal government also now manages the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP provides a consistent process for the evaluation and approval of cloud computing vendors across federal agencies, relieving agencies of the burden of independently evaluating vendor security practices and providing a common level of vendor assurance across the federal government.
The Federal Information Technology Acquisition Reform Act (FITARA) of 2015 also implements new requirements for the appointment of federal agency CIOs and the centralization of procurement practices.
The State and Local Government Role in Federal Cyber Regulations
While many of these regulations come from the federal government, state and local technology officials should also pay heed. Agencies interacting with the federal government must be able to integrate with these new, more secure systems.
For example, the federal law enforcement community publishes the Criminal Justice Information Services (CJIS) Security Policy. This policy contains specific requirements for state and local law enforcement agencies seeking access to federal law enforcement systems. State and local agencies may also look to the federal government for advice on security best practices.
The National Institute of Standards and Technology (NIST) publishes a Cybersecurity Framework (CSF) that provides comprehensive guidance on cybersecurity issues and can form the foundation of any cybersecurity program in the public or private sector.
This framework classifies cybersecurity activities into five major functions: Identify, Protect, Detect, Respond and Recover.
The CSF then provides policies, standards and best practices for organizations to follow as they implement and manage each of those five cybersecurity functions.
Agencies that choose to adopt a well-defined framework such as CSF will increase their ability to future-proof their infrastructure against new and evolving cybersecurity requirements. By adopting a best-practices approach to cybersecurity, agencies will have a strong foundation in place when new requirements arise.
To learn more, download our white paper, "Managing Cyber Risks in a Public Sector Environment."