Today the IT Alliance for Public Sector (ITAPS), a division of ITI, published its State Cybersecurity Principles and Best Practices, a set of recommendations that encapsulates state and federal practices which have proven mature and effective in promoting a secure cyber environment at the state and local government level.
The private sector owns and operates 85 percent of critical infrastructure in the United States, and the information technology (IT) industry supplies nearly the entire cyberspace infrastructure. As a result, the technology industry is the natural leader in the creation and deployment of cybersecurity tools, products, and services. In recent years, state governments have increased their efforts to protect state digital infrastructure, and the IT industry can help advance those efforts by providing products and services that embed cybersecurity into their DNA. In the current environment of shrinking state budgets and ever-increasing cyberthreats, industry and government must collaborate to secure the state’s digital assets.
In developing cybersecurity policy, states should ensure alignment with international, market-driven standards. The NIST Cybersecurity Framework serves as one of the preeminent cybersecurity standards. Its adoption enables organizations to focus their resources on enhancing security solutions that can adapt with the evolving threat, rather than making a multitude of adjustments to ensure compliance with a series of static requirements and specifications. The Framework is a risk-based compilation of guidelines designed to help organizations assess current capabilities and draft a prioritized roadmap toward improved cybersecurity practices.
Similarly, as states look to leverage the full capabilities and potential of cloud services, their cybersecurity models will be radically transformed. States should look to existing federal efforts such as the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud computing products and services. Many cloud-computing providers are already compliant with FedRAMP standards, and many more are in the process of becoming compliant. Preference should be given to those who have obtained, or are pursuing, FedRAMP approval. States should use FedRAMP certification to better inform their acquisition of quality cloud products and services. When looking to standardize cybersecurity, states should avoid reinventing the wheel and should instead embrace existing standards developed by industry and leading professionals.
ITAPS believes that a consistent approach is preferable to a siloed, inconsistent, and disconnected state-by-state approach. To be most effective in enhancing cybersecurity, state and local governments can do the following:
- Partner with Industry. State governments can leverage partnerships with the private sector by utilizing industry expertise through the acquisition of products and services with high levels of security and reasonable terms and conditions.
- Adopt Industry-Recognized Security Standards. State governments should adopt standards recognized by industry to better align security across all agencies and departments.
- Standardize Cloud Security. State governments should plan on standardizing their approach to cloud security and leverage existing federal certification programs for use at the state level.
- Establish an Outcome-Focused Governance Structure. A state’s governance structure should cover all aspects of the enterprise and encourage cross-organizational collaboration and transparency.
- Actively Share Information. There are many models for sharing cyber threat information, and integration centers have emerged in recent years to provide a vital link between all levels of government, the private sector, and academia.
- Create a Culture of Awareness. State governments should invest in training and education for their workforces to enhance overall cybersecurity awareness.
While cybersecurity represents a significant challenge at all levels of government, the IT industry is constantly adapting and creating products that can be used to provide high levels of protection for states and their citizens. The industry is eager and willing to share its expertise to better protect state infrastructure and will continue to advocate for strong partnerships with state and local governments.