Zero Trust Passes Key Milestone

In January 2022, the Zero Trust Federal Strategy set a deadline of September 30, 2024, for agencies to adopt some level of zero trust architecture. Based on early indications, agencies have largely met zero-trust goals. The Federal CIO reported in early September that the 24 CFO Act agencies were all over 90% of the way to meeting the zero-trust goals. Beyond that group, the federal government as a whole was at 87% goal completion.

What's Changed?

The shift to zero trust is a response to the way government and citizens are using technology. With the increased use of cloud-based solutions, the traditional "castle and moat" security that protected on-premise infrastructure no longer supports the way applications are being deployed. Zero Trust focuses on continually verifying that users have permission to access the data and systems they are using. Gaining access requires coordination among a number of technologies that all work with a common set of user identification and access policies.

Understanding the Technology Modernization Fund

The Technology Modernization Fund (TMF) was created by the Modernizing Government Technology Act of 2017 to more quickly fund needed modernization projects across government. With TMF, agencies can apply for funding to complete modernization activities without having to wait for the budget cycle to begin work on critical digital initiatives. Funding is incremental to ensure projects are working as expected.

Agencies must repay the investment either using the cost savings achieved with the tech implementation or through future budget allocations. The model is working. Of the 11 initial projects to receive TMF funding, two agencies have already reimbursed the fund, and five others have completed their projects and are in the process of reimbursement.


FITARA 14 Serves as Reset on Modernization Measurement

After issuing the last set of Federal Information Technology Acquisition Reform Act (FITARA) scores, the parties responsible for the program said they would begin examining ways to evolve the measurements to be more meaningful to today's modernization goals. The latest report was issued in July of 2022 and reflected a shift to new measures resulting in eight agencies with declining marks and 15 agencies holding steady with the previous grades. This backslide and stasis is not bad news and was expected given the removal of data center consolidation goals, an area all agencies had mastered with "A" scores.

This 14th FITARA scorecard should be viewed as a measure of where agencies are in relation to newer IT modernization goals. One such measure that drove low scores is the fact that many agencies have not fully transitioned to the Enterprise Infrastructure Solutions (EIS) contract. Numerous agencies report that they are close to finalizing the plans to do so and could be compliant with this measure by the next report.

Schools Have to Learn the ABCs of Ransomware

Ransomware has traditionally been a practice where cybercriminals encrypt data and demand ransom in exchange for a decryption key. More recently, a growing number of these bad actors threaten to make this information public if they do not get paid. This shift in the practice of ransomware has increased the "attractiveness" of K-12 schools for cyber criminals. Information about children is among the most highly protected data there is, making it more likely ransoms will be paid to keep it private. For this and other reasons, K-12 schools are seeing an increase in ransomware activity. In 2021, there were at least 62 reported ransomware cases as compared to only 11 in 2018. 2021 also saw ransomware as the most common cyber incident for K-12 schools for the first time ever.

What Gets Compromised in a Ransomware Attack?

An incident in 2020 involving Fairfax County, VA Public Schools resulted in employee social security numbers being posted online. Hackers targeting a school district in Allen, Texas emailed parents with threats to expose their children's personal information if educators did not pay a ransom. Showing the full swing of ransomware impacts from the serious to the mundane, a 2022 attack on the Griggsville-Perry School District in Indiana had many records compromised and leaked, including a detention slip from December 2014 for a student who would not stop interrupting his health class. This shows the breadth of access that hackers had to documents and has led many schools to reexamine their file retention policy to reduce the amount of data accessible to bad actors.

Putting a Value on Trust — Introducing Zero Trust Security Approaches

With so many high-profile hacks this year, it's easy to want to throw up your hands and say, "Is there nothing that can be trusted?!" Interestingly, that lament is what is driving the latest approach to cybersecurity -- zero trust. Zero trust is what it sounds like, a security approach centered on the belief that organizations should not automatically trust anything accessing their systems either inside or outside their perimeters. Instead, all people and devices must be verified before access is granted. To the untrained eye, this seems untenable. How, in this day and age, when we depend on digital information and connection to do most anything, can we use a process where we have to constantly verify identity and access permissions? Luckily, the practice of zero trust is more sophisticated than its premise.
