Is 2024 the Year of Federal Data Protection?CMMC, Zero Trust, RMF and NIST SP 800-53 Can Help Mitigate Data Loss, Insider Risk
October marks the start of a new fiscal year for the federal government. And this year, all eyes are on data protection.
See Also: AWS Security Foundations: For Dummies
In part, this is because data loss prevention and insider risk management have dominated recent headlines. Data exfiltration is no longer limited to attacks that begin outside data landscapes. Instead, an increasing number of risks are coming from inside the network. Human error is one of the most common risk vectors of business data loss, playing a role in 82% of breaches, while 28% of data breaches are attributed to internal actors or insiders.
In order for federal agencies and Defense Industrial Base organizations to remain mission-focused, they must leverage secure ecosystems to protect the data that lives inside increasingly cloud-centric operations.
Read on to learn how recent executive actions such as the
Navigating Interplay Between CMMC, Zero Trust, RMF, NIST 800-53
Government agencies bear the responsibility of handling a vast array of critical data that ranges from classified documents and personal citizen records to national security information. The consequences of a data breach in this context can be dire, including compromised national security, identity theft, unauthorized access to confidential information and more.
CMMC, the DOD's RMF and NIST SP 800-53 work in parallel to up-level our federal security posture as a whole. For example, safeguarding sensitive information is a core objective of CMMC 2.0, which is currently expected to be implemented across all defense contracts by October 1, 2025. Likewise, the RMF is intended to improve information security, strengthen risk management processes and secure interoperability between federal agencies.
But knowing where to start with each of these programs can be a challenge. Some DIB organizations may not have dealt with compliance requirements such as CMMC, so it can be overwhelming to implement. But it's important to think about CMMC and the RMF as more than just security check boxes. Instead, organizations should be looking for ways to align with larger overarching policy standards such as NIST SP 800-53 and zero trust as a way to stay ahead of evolving cyberthreats.
One solution is for DIB and DOD organizations to leverage technology platforms with built-in security features that can enable them to more easily align with overarching security guidelines.
How Federal Agencies Can Get Ahead of Insider Risk and Data Loss
For organizations just beginning on a compliance journey and seeking to adhere to one of the aforementioned frameworks, a simple strategy can help jump-start the process.
First, organizations must start by evaluating current technology and processes, otherwise known as baselining, to understand where any gaps might exist. Organizations can then look for ways to maximize compliance within existing technology investments and plan for future investment areas as needed. In many cases, cloud service providers offer security products that are native to the platform as part of their cloud offerings. Because these native solutions were built by the same cloud provider, they typically offer easier integration, improved coverage and increased platform protection.
Consider the emergence of AI and adaptive protections in insider risk management. Many organizations rely on data loss prevention tools to manage insider risks. DLP solutions are designed to provide visibility into the sensitive data within an organization and can show when someone sends sensitive data to unauthorized users. While these tools are essential, they often lack context relative to other signal or activity.
For example, a typical DLP alert will not distinguish if the alert was triggered by a first-time or repeat offender. These kinds of alerts require human intervention and research work to correlate multiple signals across disparate sources. Relying solely on content classification-based policies can result in security teams experiencing alert fatigue, potentially causing them to miss critical data security risks caused by insiders.
By contrast, adaptive protections focus on contextual signals rather than content classification. In this scenario, user activity is weighted based on multiple data points such as the user's role within the organization, how their activity compares to other users in a similar role, the sensitivity of the data involved and more.
For example, if a user tries to complete an action that is typically outside of their role - such as downloading sensitive data locally or even removing data sensitivity labels - the platform can automatically respond by removing further access to that data in real time, without requiring manual intervention from a security analyst. Because adaptive protections rely on AI and ML, they're a great way to augment an already alert-fatigued workforce and increase the quality of the alerts that are received.
The Department of Defense is the largest attack surface in the world and faces more cyberthreats than any organization on the planet. DOD and DIB organizations, by extension, have rapidly evolved in embracing secure technologies. But so have our adversaries. It's now more important than ever that we align with secure frameworks in concert with adopting leading built-in technology solutions so that federal agencies can better protect against the cyberthreats of tomorrow.
Author: Megan Maley, Microsoft Federal, Data Security Specialist