Using the Modernizing Government Technology Act to Improve Cybersecurity (Now)

When the Modernizing Government Technology Act (MGT Act) was signed into law in 2017, its purpose was to provide agencies with funds they can apply to their IT modernization efforts, including those around cybersecurity. Agencies could apply for funding from the Technology Modernization Fund, which was designed to help them move on from legacy systems and invest in agile, transformative technologies.

As it turns out, the establishment of the MGT Act has proven even more visionary than anyone could have imagined.

Due to COVID-19, the need to modernize legacy cybersecurity systems and move to the cloud has greatly accelerated. The pandemic has also cracked open a door for insidious hackers to exploit vulnerabilities through a wide range of tactics, from ransomware to DDoS/DoS attacks and more. Indeed, earlier this year the U.S. Department of Homeland Security and the U.K.’s National Cyber Security Centre issued a stark warning of a rise in malware and ransomware.

Of course, security threats were on the rise long before COVID-19. According to a report issued by Verizon near the beginning stages of the pandemic, ransomware accounted for 61% of public sector malware-based incidents, with 33% of breaches caused by insiders. And, an early 2020 report by the Cybersecurity & Infrastructure Security Agency (CISA) notes “foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations.”

There is No Perimeter

But, COVID-19 has expanded the attack surface. Remote work is now the norm, and users are increasingly reliant on cloud-based applications. As more government employees work from home, capacity and security demands have overwhelmed systems and processes.

These factors pose challenges for IT security teams tasked with securing increasingly distributed networks and an array of potentially vulnerable applications. Whereas before they may have relied on traditional security solutions to defend their network perimeters, today there are essentially no perimeters.

As such, organizations should consider investing MGT Act funds in multiple forms of dynamic protection to ensure they are secure on different fronts. For example, monitoring privileged user access and implementing identity management protocols ensure that only the right people have access to a network and highly sensitive information. Meanwhile, application security tools offer protection against API vulnerabilities, injection, cross-site scripting attacks, and more.

Organizations must also ensure their security policies are consistent across multi- or hybrid cloud platforms, which can offer great flexibility and cost benefits but also introduce an enormous amount of complexity. Different cloud providers adhere to various policies—including shared responsibility models that establish that the customer is responsible for data security—and it can be challenging to get a clear picture of application security across multiple clouds. Automating security across on-premises and various cloud environments can ensure applications are subject to the same policies and remain secure regardless of where they are housed.

A Framework for Success

As agencies consider investing their available funds into new cybersecurity technologies, they should also begin building cybersecurity frameworks to help them put those technologies to use. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is an ideal starting point.

The NIST Cybersecurity Framework helps agencies establish better risk management practices by taking a holistic lifecycle approach to risk management. Using the guidelines set forth by NIST, agencies continually assess and mitigate risk through five core functions: identify, protect, detect, respond, and recover. The aforementioned technologies fit neatly into all of these categories, as they provide visibility into potential vulnerabilities and ways to remediate in the event of a breach.

The NIST Cybersecurity Framework is a useful tool because it gives organizations a standardized structure through which they can create highly adaptive security programs. It offers flexibility so organizations can customize it to meet their own unique needs while providing a common blueprint for managing risk and addressing vulnerabilities. Organizations can incorporate their own security policies into the Framework while taking advantage of NIST’s recommended standards and best practices.

Don’t Pay the Price

According to a recent Ponemon report, the average cost of a data breach is an eye-watering $3.86 million. That’s staggering, particularly considering that many organizations—government agencies included—are now being asked to do more with less as budgets continue to constrict in light of the pandemic.

Clearly, agencies cannot afford to let their guard down, both literally and figuratively. Now is the time to invest some of the money that is available through the MGT Act in modern, automated cybersecurity solutions that will protect against evolving threats, saving both data and potentially millions of dollars. Learn more about how F5 solutions help federal agencies secure their networks, reduce costs, and succeed in their missions.

By Michael Coleman, Federal Solution Engineering Leader at F5