Evolution in Cybersecurity: Shifting from Specialty to Top-Tier, Collections of Technological Solutions
NSA and CISA Issue Guidelines for Securing Cloud Services in Federal Agencies
In a rapidly evolving cyber threat landscape, federal agencies are facing increased pressure to secure their cloud environments. Nate Fitzgerald, the head of product management for the Enterprise Security Group at Broadcom, has highlighted the trend of nation-state actors targeting lower points on the supply chain, making smaller organizations with fewer resources more vulnerable.
Fitzgerald suggests that suite vendors offer advantages in bundle pricing and in technological overhead over the long term of a contract. He points out that budget constraints may move agencies away from niche vendors and towards suites of tools. This shift could allow a single Data Loss Prevention (DLP) policy to be applied across networks, endpoints, on-premises systems, and cloud services.
However, the convenience of cloud services comes at a premium. Fitzgerald compares cloud services to a convenience store, noting that they are not necessarily less expensive and can be more expensive than on-premise technology in some cases. Agencies are realizing this and are expecting budget reductions in fiscal 2026.
The National Security Agency (NSA) has issued eight emergency directives (EOD) and three binding operational directives (BOD) for national security systems. These directives are not public, but they warn agencies about increased nation-state attacks and offer ten ways to secure cloud services.
The Cybersecurity and Infrastructure Security Agency (CISA) has also issued guidelines for securing cloud services. In fiscal 2024, they issued one binding operational directive (BOD) to civilian agencies, urging them to secure their cloud services.
The NSA's guidelines for securing cloud services include:
- Ensuring proper configuration management to avoid accidental data exposure.
- Implementing strong Identity and Access Management (IAM) to prevent unauthorized access and credential theft.
- Classifying data according to sensitivity to limit cloud exposure.
- Regularly auditing Cloud Service Providers (CSPs) to verify their security measures and compliance status.
- Maintaining Confidentiality, Integrity, and Availability (CIA) of DoD or agency data.
- Using Infrastructure as Code (IaC) and automation to ensure cloud deployments are securely configured.
- Securing cloud identity infrastructure to protect core cloud identity controls.
- Managing Virtual Machines (VMs) and hypervisors carefully to prevent lateral movement and VM sprawl.
- Maintaining compliance with legal and regulatory requirements.
- Developing and following a cloud security framework to create a resilient security posture tailored to the agency’s mission and data risk profile.
These points collectively reflect NSA and DoD guidance on securely managing cloud environments within federal agencies, emphasizing continuous vigilance, technical controls, regulatory compliance, and strategic data governance to defend against evolving cloud threats. Agencies must be more strategic and tactical with their modernization efforts because the cyber threat environment is increasingly difficult to defend against.
When faced with budget reductions, a chief information security officer (CISO) may consider reducing the number of employees or the amount of money spent on tools. However, it's crucial to remember that data sovereignty laws and general compliance add complexity to cloud services, and hidden costs may be associated with the transformation of systems and applications to the cloud.
In conclusion, federal agencies must prioritize cloud security in the face of increasing threats and budget constraints. By following the guidelines provided by the NSA and CISA, agencies can secure their cloud environments and protect their sensitive data.
The financial implications of adopting cloud services must be carefully considered, as they can sometimes be more expensive than on-premise technology. In this regard, agencies might need to allocate additional funds in fiscal 2026 to manage the costs associated with cloud services.
To bolster cybersecurity in cloud environments, federal agencies are urged to focus on configuration management, identity and access management, data classification, and regular audits of Cloud Service Providers. This effort requires not only technical solutions but also compliance with legal and regulatory requirements.