Navigating fed cybersecurity: Strategies to achieve network compliance

As cyberattacks have intensified in volume and sophistication, the need for more prescriptive guidance is clear.

Initiatives like Executive Order 14028 and CISA’s Binding Operational Directive 23-1 have heightened scrutiny and accountability for security leaders tasked with ensuring network security and compliance. This guidance helps government entities and private sector organizations navigate the threat landscape and improve their security posture. However, diverse directives from the White House, the National Security Agency (NSA), the Department of Homeland Security (DHS), the Securities and Exchange Commission (SEC), and other government entities create confusion over which guidance to follow.

Pentagon zero-trust office aims to start data tagging, labeling in ′24 By Molly Weisner

As we navigate the various federal guidelines, it’s important to remember that you’re not alone in this struggle. Security professionals across the board are grappling with legacy tools, siloed security applications, the time-consuming nature of data collection and analysis, and the scarcity of skilled security personnel. These are all factors that complicate efforts to gain comprehensive network insights and prove compliance.

So, where to begin?

Focus efforts on greatest benefit

Vulnerability management is complex and overwhelming for most agencies, often competing with a slew of information from various vendor sources. I like focusing on the basics. The National Vulnerability Database (NVD), the U.S. government’s repository of standards-based vulnerability management data, is one of the most important sources of truth worldwide and a good place to start.

Maintained by the National Institute of Standards and Technology and sponsored by DHS’s National Cybersecurity and Communications Integration Center, the NVD provides detailed analysis and scoring of Common Vulnerabilities and Exposures (CVEs) to help organizations prioritize their response to vulnerabilities. They also publish the Known Exploited Vulnerabilities Catalog which is a great supplement. In 2024 NIST has already issued nearly 35,000 alerts; agencies need to understand which CVEs are relevant to their network and their degree of exposure.

Private sector CISOs and federal agencies face the dilemma of complying with complex regulatory requirements within limited timeframes and budgets. Executive orders, for instance, are often issued without fiscal budget backing, forcing security leaders to assess their existing systems and contracts to determine if current infrastructure investments will support the new requirements and identify which legacy systems must be updated or removed from the network.

Additionally, security leaders must evaluate which contract terms may help or hinder the evolution of the network to meet new regulatory compliance standards.

The list of considerations goes on, but the point is that budgets are capped, and contracts can constrain the timing and degree of progress. It’s easy to get distracted by all the noise around new standards and guidelines but stay focused on the regulations that matter to your organization.

Adopt multifunctional technologies

While a private sector organization typically operates one network, the federal government operates multiple. Some examples include unclassified, secret, and top-secret networks, each with its own rules and network challenges. Users often have to contend with challenging military operating environments and low bandwidth connections. In addition, regardless of the challenges, each network must continue to comply with cybersecurity regulations.

The diverse nature of these environments means that security teams must possess expertise across multiple platforms. The scarcity of skilled security personnel exacerbates this challenge, as organizations struggle to find and retain professionals with the necessary knowledge and experience.

To expedite compliance efforts, utilize solutions that provide greater network visibility and are familiar to a broader community of security professionals. Also, adopt multifaceted, versatile technologies and rely less on bespoke solutions. This approach provides more flexibility and scalability to meet evolving guidelines. For example, consider the benefits of automated security and compliance tools. These tools can significantly reduce the time and effort required for data collection and analysis by automating routine tasks and providing centralized visibility into the network.

Additionally, agencies implementing a zero trust architecture require continuous verification of user and device identities. This approach minimizes the attack surface and enhances the overall security posture. By integrating zero trust principles with automated tools, organizations can achieve a more resilient and compliant security framework.

Efficient evidence collection

The shift toward hybrid and multi-cloud environments adds layers of complexity to cybersecurity and compliance efforts. These geographically dispersed systems make it difficult to gain a holistic view of the entire network. This forces security teams to manually aggregate and correlate data from various sources, which is time-consuming and prone to errors. It also hinders the ability to detect and respond to threats promptly, leaving networks vulnerable.

Evidence collection solves this challenge as it requires a comprehensive model of the entire network infrastructure. With end-to-end visibility of the network, even in multi-cloud environments, and capabilities for historical data analysis, path analysis, and compliance monitoring, organizations can more efficiently achieve and maintain a strong security posture and compliance, even with evolving standards.

Behavioral analysis and attack surface management are key components of an effective evidence collection strategy. These capabilities enable security professionals to proactively verify that network behavior aligns with intended configurations and identify anomalies. Additionally, security professionals can simulate the network environment and conduct detailed analysis without impacting live operations. In this controlled setting, security professionals can identify potential vulnerabilities and remediate issues faster.

Staff retention, collaboration

Evolving security guidelines are creating increased demand for cybersecurity professionals. However, the cybersecurity industry is concurrently grappling with a skills gap, where there are more job openings than qualified candidates available to fill them. To address this issue, organizations should prioritize investments in training and development programs. By enhancing the skills of existing staff and fostering a culture of continuous learning, organizations can cultivate a more adept and knowledgeable security team while retaining valuable talent.

Retaining security professionals is crucial for organizations to achieve compliance. These professionals develop deep expertise and knowledge of the organization’s systems and processes over time. This institutional knowledge is invaluable as experienced security staff can oversee the continuous implementation and management of security policies and practices necessary for ongoing compliance. Cross-functional software systems can improve collaboration by providing the entire organization access to accurate information about the hybrid multi-cloud environment.

Retaining staff also contributes to efficient audits and assessments. They are well-versed in the organization’s compliance history and processes, enabling them to prepare effectively for audits and respond promptly to assessment findings.

Additionally, collaboration plays a crucial role in navigating the complexities of achieving, maintaining, and proving compliance. Partnering with security professionals in other departments or across entities can break down silos and promote the sharing of resources and knowledge. A collaborative approach can facilitate the adoption of similar technologies and encourage transparency in sharing successful approaches and solutions. By avoiding redundant efforts and isolated strategies, departments and organizations can collectively navigate cybersecurity and compliance challenges.

The complexities of federal cybersecurity guidance necessitate a multifaceted approach to achieving compliance. Understanding what regulations are applicable and implementing multifaceted technologies and frameworks, such as automated tools and a zero trust architecture, enables organizations to adapt to evolving standards more easily. Additionally, prioritizing evidence collection helps organizations gain end-to-end visibility, compliance verification, and network monitoring for vulnerabilities. Amidst these changes, retaining security professionals is critical for developing effective strategies and leveraging institutional knowledge.

These four strategies empower federal and private sector entities to enhance their security posture swiftly, achieve compliance efficiently, and fortify their networks against emerging threats.

Matt Honea is Head of Security and Compliance for Forward Networks.