Increased public attention on data breaches, voting machine vulnerabilities and social media interference will drive policy toward more effective security, with the Defense Department's Cybersecurity Maturity Model Certification leading the way.
At the dawn of the new decade, Big Tech runs deep, embedded in every level of government as millions of citizens have become comfortable working online with local, state and federal agencies. Information is rarely more than a few clicks away for just about every law-abiding citizen -- and it is just as available to anyone bent on breaking the law. This revolution has been rolling out for a generation, and, for all intents and purposes, peak technology access and adoption has finally been achieved between the people and the public sector.
Up until now, government IT has been focused mainly on function: process automation, implementation and establishing networking policies. Today, however, driven by highly publicized data breaches, election vulnerabilities and social media's influence on everything from currency to health care, government IT professionals and cyber-savvy lawmakers are charging ahead with unprecedented purpose and speed toward the greater goal of data protection.
When I first started working in government services over 25 years ago, cybersecurity was barely on the radar. As the private sector developed more sophisticated data protection technologies, the government's mission-critical defense systems followed suit, and civilian agencies played a persistent game of catch-up.
Fast forward to today: the pendulum is about to swing in the opposite direction, starting with the Defense Department's security-first initiative and its emerging Cybersecurity Maturity Model Certification (CMMC) requirements. DOD's priority is now to protect every mission and to ensure security in every vendor along its supply chain, from the biggest industrial contractors to the smallest administrative and support firms. With the move to the cloud, supply-chain exposure and third-party vendor risk mean that mission-critical systems must be certified for security across all missions.
DOD's security-first initiative starts with its relationships with hundreds of thousands of contractors. Under the CMMC, all will be required to meet new standards starting in 2020 before they can respond to RFPs or renew contracts. Expect similar initiatives to spread quickly across all federal, state and municipal agencies. The standards will flow down into commercial supply chains, and vendors will naturally seek and adopt similar protocols that will spread throughout the private sector.
The security-first mentality will catch on quickly and become a national, government-inspired standard that will stand in sharp contrast to the slow trickle-up security that characterized public sector IT before 2020. The world will be a safer place, but beware: CMMC compliance requirements are stringent, audit processes are complex and certification is pass/fail. The learning curves, implementations and costs will be historic.
Government has always focused on security. What’s different now is that we’re seeing federalism in action with new privacy regulations coming out of the states. Voter expectations are driving the agenda for more privacy, which helps inspire government to return cybersecurity to its root purpose: protecting the data.
Bills are coming to Congress in efforts to give American consumers similar privacy rights as those granted under the EU’s General Data Protection Regulation. The move is on to establish a trade enforcement bureau, and the National Security Agency is updating guidance on cloud cybersecurity that will produce positive ripple effects.
Large-scale, politically motivated cyber attacks are playing out every day around the world. According to the Department of Homeland Security and law enforcement officials, nation states are now behaving like organized crime, wreaking havoc on federal systems and, among other targets, pressuring the nation's voting systems with every threat imaginable. Because cyber criminals are not waiting until November, voluntary voting security guidelines are prioritizing cyber defense and testing. Media attention in the upcoming political season will generate unprecedented new levels of public awareness of cyber crime and social media interference.
The general public, and most government IT organizations outside the defense infrastructure, will come to a better understanding that a single infected email, one unauthorized network access or a single line of insecure code is all it takes to put national security and government services at risk. The danger was always there, but increased public attention will drive policy toward more effective security.
The bottom line is that private enterprises serving government agencies will be held to the same information management practices as the organizations they serve. Commercial entities will be compelled to achieve competitive parity in audit and assessment standards or risk losing business.
The government’s mission to protect personal, sensitive, proprietary and classified information from a wide range of malicious actors is enormous, essential and constant. Starting in 2020, government will be setting the pace with everything: the standards, the policies and the culture that will define the next generation of government information technology. Function has led the way for decades. Now, security is first, and function will follow.