Common Government Cybersecurity Standards – And What to Do to Comply
The public sector, including state and federal agencies, is at just as much risk of cyberattacks as the private sector. Yet, in terms of technology adoption, the public sector is known to lag behind the private sector – creating an environment in which some government organizations are failing to mount an adequate defense against threat actors.
In recent years, the Federal Government and some third-party organizations have introduced a range of standards to help guide the public sector’s cybersecurity efforts. Here, we’ll cover a few of these standards and outline what government and public sector organizations (and their contractors) can do to comply with them.
Public Sector Cybersecurity Standards
There is a long list of cybersecurity standards that apply on some level to the public sector. The standards below are either government-driven regulations or carry implications for public sector institutions:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides guidance for managing cybersecurity risk. Though it does not mandate any specific action, it is a guideline commonly used by federal agencies as well as state and local governments.
- The Federal Information Security Management Act (FISMA) mandates that federal agencies implement and maintain appropriate security controls to protect their information and systems. Agencies must follow the NIST CSF alongside other NIST guidelines and standards.
- The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations that process, store, or transmit payment card information. This includes public sector organizations that handle sensitive payment card data. PCI compliance requires meeting the specifications within the standard – and non-compliance can result in fines.
- The Health Insurance Portability and Accountability Act (HIPAA) covers any organization that handles protected health information (PHI). It mandates that covered organizations implement appropriate security controls to protect PHI.
- The Cybersecurity and Infrastructure Security Agency (CISA) includes the Cybersecurity Maturity Model Certification (CMMC), a cybersecurity framework that is, among other purposes, used by the DoD to evaluate the cybersecurity posture of contractors and subcontractors.
- The National Institute of Standards and Technology (NIST) SP 800-53 contains guidelines for the selection and implementation of security controls for information systems and organizations. It is used by federal agencies but also commonly applies to government contractors working on federal IT networks.
- The International Organization for Standardization (ISO) 27001 and ISO 27002 standards are examples of non-government standards that provide guidelines for information security management. They hold relevant lessons for the public sector and therefore apply to public sector organizations as well.
What Can You Do to Ensure Compliance?
Depending on which rules cover your organization, there are varying implications for non-compliance. But, at the very least, the standards listed above simply provide good advice that’s worth following if you want to keep your organization’s data safe, avoid ransomware attacks, and avoid downtime.
Consistently complying isn’t easy, however, and it takes a strategic approach that’s backed by the right resources – and the right tools. Some of the key things your organization needs to do include:
- Understand where your obligations lie. Many of the standards are broad, and enforcement varies from merely a recommendation to an absolute mandate that involves fines – or worse. To respond successfully, determine which are the most critical and most specific mandates, respond to those first, and work your way down.
- Set cybersecurity goals at the director level. C-level buy-in is critical to meeting compliance obligations. It can’t be left as a box-ticking exercise dealt with at the lower levels, because practical cybersecurity compliance is a matter of culture too – and it’s a culture that needs to trickle down from the top.
- Adequately resource cybersecurity compliance efforts. The complexity of today’s IT environments combined with the size of the cybersecurity threat adds up. It’s a big task. You’re not going to get it done with a minimally financed skeleton crew. Resource adequately.
- Start with good practice. Good practice is good practice for a reason – whether MFA, zero trust, or constant monitoring and audits. Don’t assume good practice is in place, and don’t minimize the importance of what appears to be common knowledge. Much of what’s mandated within cybersecurity standards is simply a repetition of good practice – and it’s repeated for a reason. Apply the most sensible principles anyway.
- Consider getting consultants on board. It’s complex, as we’ve said before, so don’t overestimate the abilities of your internal teams. This applies particularly if you’re just starting to focus on compliance, because consultants can add a degree of perspective and context to what you need to achieve. However, external consultants can provide a useful reality check even if you already have an experienced team.
- Stay in touch with the cutting edge. Cybersecurity is a fast-moving field and threat actors are rapidly upping their game, which means your cybersecurity tech must keep pace too. We’ve published a useful list of trends here.
- Apply live patching wherever possible. Patching is at the core of many cybersecurity frameworks, but is also one of the most difficult aspects of cybersecurity compliance to get right. Live patching can make all the difference: it reduces maintenance windows and resource requirements – and minimizes the window between patch release and patch application.
Cybersecurity compliance requires, without a doubt, a concerted effort that’s fully ingrained into organizational culture.
Your Response Needs to be Comprehensive
For the public sector, it comes down to several layers of cybersecurity standards. Some of these standards are optional, but it is a good idea to comply with them anyway. Others mandate specific objectives, and organizations that are covered but nonetheless fail to meet these objectives will be subject to penalties.
A comprehensive, all-encompassing response is your only option. Understand what your organization needs to do to remain compliant, and get all the help you can: internal resources, consultants, and the latest cybersecurity defense tools, including live patching.