Government Security Standards Changing the Game

Mission-Critical Government Clients Will Soon Require Technology That Meets New Security and Environmental Standards

In response to recent cyber attacks against our country’s infrastructure, President Biden issued (in May 2021) an Executive Order to improve the nation’s cybersecurity. This Executive Order covers the following five areas:

  1. Removing barriers to sharing threat information
  2. Modernizing federal government cybersecurity
  3. Enhancing software supply chain security
  4. Establishing a Cybersecurity Review Board
  5. Standardizing the federal government’s response to cybersecurity vulnerabilities and incidents

In this article, we will discuss the impact the government’s security changes will have on the unified communications field.

Unified communications offers the 21st-century workplace efficient and flexible ways to communicate by combining voice, video conferencing, and instant messaging. Unfortunately, these same communications tools are within reach of malicious actors who “eavesdrop on conversations, impersonate users, commit toll fraud, or perpetrate a denial of service effects.”

Definition: Unified Communications

Per Gartner:

Unified communications (UC) products—equipment, software, and services—provide and combine multiple enterprise communications channels, such as voice, video, personal and team messaging, voicemail, and content sharing. This can include control, management, and integration of these channels. UC products and services can also be integrated with networks and systems, IT business applications, and, in some cases, consumer applications and devices.

 

Unified Communication Devices Pose Risk

Integrators who deal with mission-critical unified communications have always had to comply with a precise mix of protocols that differs somewhat from what integrators in a more commercial setting follow. And now, these mission-critical integrators face changing and growing government security standards. Specifically, there have been significant security issues involving Wi-Fi-enabled communication devices, government command and control centers, and large wall display screens.

The National Institute of Standards and Technology (NIST) defines “mission critical” as follows:

Any telecommunications or information system that is defined as a national security system (Federal Information Security Management Act (FISMA) of 2002) or processes any information the loss, misuse, disclosure, or unauthorized access to or modification of, would have a debilitating impact on the mission of an agency.

The Impact on Government Contractors

While still in their early stages, these changing government standards will directly impact organizations that contract with the US Government—with the most immediate effect on companies that provide IT and OT software or cloud services. But it is fair to say that, although the executive order focuses primarily on IT and OT providers, the full impact of these changes will be felt in both public and private sectors. Manufacturers and other industrial concerns will experience the impact as well.

All organizations interested in winning or keeping government contracts must be aware of the most common cybersecurity challenges government contractors experience.

Most Common Government Security Challenges

Phishing

Phishing is a social engineering attack that occurs when a cybercriminal impersonates a trusted entity and tricks the victim into opening an email, instant message, or text message. Opening the message then leads to the installation of malware.

According to cybersecurity leader Imperva, Inc.:

Phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.

Per a recent report by PhishMe entitled Enterprise Phishing Susceptibility Report, 91 percent of all cyberattacks are set in motion with social engineering. 

Data Breaches

Probably the most widely known recent data breach occurred with the December 2020 hacking of SolarWinds’ Orion product, which was used by the Commerce, Energy, Homeland Security, State, and US Treasury departments. However, SolarWinds is not the only data breach that has affected the US government and its agencies. Statista’s study entitled “Number of Data Breaches in the United States from 2013 to 2019, by industry,” reports that in 2018 alone, there were 100 reported data breaches in the government/military sector.

Malware and Ransomware Attacks

Another major cybersecurity challenge for government entities and contractors is malware and ransomware. Malware is an umbrella term for any type of malicious software. Common examples of this are adware, spyware, viruses, and worms. Malware is introduced into a networking system via email attachments, misleading websites, peer-to-peer downloads, and phishing attempts.

Ransomware is a specific type of malware that blocks access to all or parts of a computer system. Access to the system can only be returned to the victim when they pay the cybercriminal a specified amount of money (a ransom). 

What Contractors Should Know About Government Security for 2021 

Requirements are changing, and there will be more change in the future. Following is a list of some things to make note of:

Security

1) The Internet of Things (IoT) Cybersecurity Improvement Act became official as of December 2020. This act requires that all IoT devices purchased with government funds adhere to specific security standards. The act also addresses certain supply chain security issues.

2) The Federal Risk and Authorization Management Program (FedRAMP) specifies standards for authorizing, assessing, and monitoring cloud system security. Unfortunately, despite some attempts at improvement, this program’s processes are expensive, slow, and burdensome at best.

3) The Department of Defense (DoD) is completing a new structure to address specified cybersecurity risks that are posed by DoD contractors. The Cybersecurity Maturity Model Certification (CMMC) is closely tied with the National Institute of Standards and Technology (NIST) Special Publication 800-171. Much confusion surrounds the CMMC process; however, it is important to note that it is expected to become universally mandatory at some point in the near future. Matt Laszacs, Director of Technical Operations at Diversified, states, “I think it’s [the CMMC] starting with a few commands now, and it’s eventually going to work its way into all federal contracts. Everybody right now that’s a government contractor is very busy preparing to meet these compliance needs.”

TAA-Compliant Devices A Factor

The 96th U.S. Congress passed the United States Trade Agreements Act (TAA) in 1979. The TAA authorizes government program management offices (such as the General Services Administration or GSA) to procure only those goods and services manufactured or wholly transformed in the US or a TAA-designated country. 

All government-operated facilities fall under the umbrella of the TAA. Therefore, those countries that work closely with the US are the only ones that can supply products to our government. In addition, TAA-compliant products are held to higher standards than non-compliant ones, and that includes cybersecurity.

Versa is TAA Compliant

It is a fact that TAA-compliant hardware is more reliable, meets higher standards, lasts longer, and can work under extreme operating conditions. Versa Technology is proud of its array of stellar TAA-compliant networking solutions. It has been our unwavering mission to sell top-of-the-line products that are versatile, user-friendly, cost-effective—and, yes, TAA-compliant.
