October was first named Cybersecurity Awareness Month in 2004 through a joint effort of the National Cybersecurity Alliance and the U.S. Department of Homeland Security. In the following two decades, the campaign has evolved into a valuable way to spotlight the role everyday citizens have in the effort to "Secure Our World."
The campaign's consumer outreach focuses on the top four ways to stay safe online:
- Use strong passwords and a password manager
- Turn on multifactor authentication
- Recognize and report phishing
- Update software
While these practices are commonplace in government agencies, security teams are constantly evolving how they implement and manage cyber efforts, including in the areas of identity management, phishing, and software updates.
Identity Management
Passwords and multifactor authentication fall under the umbrella of identity management, which is currently a huge focus of government as agencies look to move to a zero trust architecture. Identity is a key pillar in CISA's zero trust maturity model, and agencies are looking for ways to meet the requirements of the architecture while minimizing the burden on users.
The Department of Veterans Affairs (VA) is standardizing on the use of two digital identity verification platforms, Login.gov and ID.me. Users will be required to create an account on one of these two platforms to access VA digital sites and services. Both platforms provide strong identity verification capabilities that meet federal mandates and zero trust guidelines.
Phishing
Almost half of phishing attacks target government employees. This is not surprising given the value of the data that employees have access to and the criticality of government systems. In fact, in March of 2024 the Federal Communications Commission (FCC) was the subject of a phishing operation that deployed a fake login page that was a duplicate of the one used by staff to authenticate their credentials. Luckily, the agency was made aware of the fake site and took action to address it. Examples like this are why many governments have doubled down on training. For example, Arizona sends employees test phishing emails that are designed to look like legitimate messages. The training that results from those test emails has seen click rates on them drop from 14% to 4%.
Software Updates
Regularly updating software ensures that identified security vulnerabilities can be addressed in a timely manner. A government-wide focus on software supply chain security is helping agencies verify that software residing on their networks is up to date. Practices are now in place that require software vendors to attest that their solutions adhere to National Institute of Standards and Technology supply-chain security requirements. These requirements include following secure development practices and employing continuous monitoring to ensure compliance with security standards and to detect any new risks or threats.
The government IT community has embraced October as an opportunity to refresh the public-sector workforce on their individual and collective role in ensuring the security of our nation. We've pulled together a sample of the events happening throughout the month.
- Federal News Network's Cyber Leaders Exchange 2024 (October 1-2, 2024; virtual) - The Federal News editorial team sits down with cyber leaders and experts to dive deep into efforts across government to bring the White House vision to life and strengthen federal cyber capabilities.
- ATARC's Federal Zero Trust Summit (October 3, 2024; Reston, VA) - Esteemed federal officials share insights into navigating the complexities of cyber resilience, illuminating key milestones in their journey, and offering invaluable best practices for fortifying federal networks in an era of relentless cyber challenges.
- CyberSmart 2024: Cybersecurity Excellence in Government (October 3, 2024; Austin, TX) - Almost all states are considering legislation governing AI and protecting their residents from possible harm, but one recent report finds this hodgepodge approach can lead to gaps and confusion and create new risks. Learn more about AI security risks and the tools and processes that can mitigate them.
- Cybersecurity Summit and U.S. Cyber Challenge Awards Ceremony 2024 (October 9, 2024; Reston, VA) - This summit will address the critical infrastructure sector on several topics including election security, overall cybersecurity initiatives including workforce, and the impact of Artificial Intelligence as it addresses the challenges and risks of security.
- Resilient Operations - Policies, Tools and People Needed to Keep Gov Working (October 16, 2024; webcast) - Disruption can come in many forms: natural disasters, cyberattacks, budget cuts, administration change, etc. But the strength of your agency depends on how well it can bounce back from these setbacks and periods of transition. Hear from government and industry leaders about how to create a more resilient operation.
- 2024 Tech Summit (October 24, 2024; Arlington, VA) - The AFCEA Washington DC Cybersecurity Technology Summit will cover a range of exciting topics, including Artificial Intelligence (AI), cybersecurity, cloud services, supply chain security, and Zero Trust architectures, to name a few.
- CyberTalks 2024 (October 30, 2024; Washington, DC) - This event is an opportunity to hear from the leading voices at the intersection of government and the technology industry on the latest tactics to combat cybersecurity risks.
For more on government cybersecurity check out these resources from GovWhitePapers and search additional events on GovEvents.