A growing array of security-related regulations is designed to help agencies protect their data and IT infrastructure. Complying with the dozens of requirements for strengthening cyber readiness, managing access, securing data in transit, and preventing or slowing attackers can nonetheless be challenging. In addition to requirements set by individual agencies, there are government-wide directives, including:
National Cyber Strategy: This 2018 strategy advises agencies on the importance of securing federal networks, centralizing management and oversight, managing risk, aligning risk management with IT activities, securing critical infrastructure, and modernizing electronic surveillance and computer crime laws.
Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, issued in 2017, requires agencies to improve incident communication and coordination, explore new technology to reduce cyber risk, and enhance the resilience of the internet and communications against botnets and other automated, distributed threats.
NIST Cybersecurity Framework: Adoption of the NIST Cybersecurity Framework is voluntary for the private sector, though Executive Order 13800 directs federal agencies to use it to manage cyber risk. The framework’s five functions (Identify, Protect, Detect, Respond and Recover) organize recommendations on standards, guidelines and practices.
CMMC: Aimed at Department of Defense contractors in the defense industrial base rather than at civilian agencies, this standard (the Cybersecurity Maturity Model Certification) helps organizations measure their current security posture and outlines the steps needed to advance to the next maturity level. “As a longtime security practitioner, I think it’s a big step, because it will give them a path forward to raising their overall security posture,” says Steve Thamasett of CDW·G. “It will allow them to tend to the forest as opposed to focusing on individual trees, which is the way things have traditionally been done.”