Securing Government Agencies: Essential Eight and Other Efforts
Four years ago, the Australian Signals Directorate created the “Essential Eight” — recommendations to secure federal entities and improve cybersecurity protections. This month, the Attorney General’s Department announced plans to extend the protective security policy framework (PSPF) to require implementation and audit of all eight areas. This change reflects a movement we’re seeing in governments worldwide to be more assertive in improving government agency security.
The Australian Essential Eight identifies eight areas of focus for non-Corporate Commonwealth Entities (NCCEs) to improve their security. The eight areas are:
- Application Control
- Patch Applications
- Configure Microsoft Office Macro Settings
- User Application Hardening
- Restrict Administrative Privileges
- Patch Operating Systems
- Multi Factor Authentication
- Daily Backups
Each area comes with guidance to improve maturity of the area. So far, NCCEs appear to be struggling to implement the first four, but the Attorney General’s office intends to move forward with the recommendation to mandate implementation of all eight areas.
The Australian government’s plans to double down on cybersecurity for its own departments came at the same time President Biden issued an Executive Order on Improving US Cybersecurity aimed at improving efforts to “identify, deter, protect against, detect, and respond to these actions and actors.”
Though broader in scope than the Australian Essential Eight, and specifically targeted at improving supply chain security, there are areas of overlap that should be noted:
- Requirement for Zero Trust Architecture
- Requiring use of Multi-Factor Authentication
- Requiring use of Encryption at Rest and in Transit
- Use of trusted source code from vendors, including a Software Bill of Materials (SBOM)
- Standardizing incident response processes across all agencies
- Use of Endpoint Detection and Response (EDR) capabilities
Both governments recognize the need for their own agencies to improve their cyber defenses, as well as their dependence on private sector suppliers.
General supply chain security is also a concern among the European Union. They’re working to update their Directive on Network and Information Security Recommendations (NIS 2) recommendations, with a focus on improving essential organization’s cyber resiliency.
Their recommendations also contain elements similar to Australia and the US:
- Facilitating standardized incident response and data sharing across members
- Requiring adequate vulnerability management programs
- Use of end-to-end encryption
- Regular audits of cybersecurity programs
The UK Government is updating their National Cyber Security Strategy, calling for input into the process with a strong emphasis on supply chain security. The UK’s National CyberSecurity Centre (NCSC) already provides a number of recommendations that overlap the Australian, US, and EU directives. Service providers are already encouraged to comply with the Cyber Assessment Framework (CAF).
How Do These Directives Make an Impact Short-term?
Not surprisingly, these changes primarily focus on government agencies and the vendors who supply them. Governments are recognizing that their technology footprint extends beyond their network edge, and that their ability to function depends on their third (and fourth and fifth) party ecosystem. As such, they’re implementing requirements for their own agencies to be more secure, while also addressing supply chain cybersecurity risk.
Agencies and their suppliers will need to amend their security strategies to account for these new requirements. Most of the controls are already in place to some degree — the effort will be in understanding and improving the scope and maturity of existing practices. Few of the directives require a set timeline, which may be helpful, although there is an expectation of urgency in the directives.
Like most organizations, government agencies struggle to meet their existing requirements. Technical debt, lack of skilled staff, and lack of financial resources are common challenges across the public sector. Security leaders will need to work with vendors and internal teams to determine the most cost-effective ways to implement and expand these controls. Vendors will need to be transparent with their public sector customers about the features, benefits and costs of their services, and work in partnership with the agencies to deliver the control objectives without overburdening them with point solutions that require significant integration efforts.
What’s the Long-term Outlook on Securing Government Agencies?
Companies outside the immediate public sector supplier ecosystem will benefit from these requirements, as vendors continue to improve their products and pass those features on to non-government customers. Most of these requirements are re-iterations of existing control requirements in other sectors, which means most functionality already exists. However, new functionality, such as the US Software Bill of Materials (SBOM), will require changes in company product development and security operations processes.
It is reasonable to expect that new functionality should be incorporated into general product offerings. It will be interesting to see if vendors choose to only deploy changes to their Federal products. Regulators who oversee other industries will adopt these requirements for healthcare, financial services, utilities, etc., and expected controls for those environments will follow. Cyber Insurers, regulators and customers will expect these controls to be present, regardless of public or private status.
Watch this space — there’s more to come!
What Next Steps in Security Should Government Agencies Take?
As the impact of cyber events spreads across more nations, with greater negative effect, expect to see more governments jumping on the bandwagon. Complying with a framework like NIST or ISO is helpful, but governments appear to be more targeted in terms of which controls are mandated. The focus may start with their own agencies, but will ultimately extend to their supply chain, and anyone who works with vendors in the supply chain (in other words, everyone).
Governments can no longer expect recommendations to be adopted voluntarily — they will need to impose requirements. Unfunded mandates won’t work. Plus, agencies will need additional funding to identify the resources necessary to deliver these control outcomes.
Vendors serving multiple governments will face a barrage of requirements that will not always align. This isn’t new, but it will likely get more complicated in the short term. International cooperation between governments on standards and requirements will go a long way to keeping the cost of security low, but again, expect it to get worse before it gets better.
For security professionals, a closer look at the kind of controls being required reveals a set of basic hygiene requirements. Items like encryption, multi-factor, vulnerability management and coordinated incident response have been part of security frameworks for years — there are few surprises. So, consider the basic elements of a company or agency’s security program, and make sure they’re being executed with a high degree of maturity, extended into the organization as much as possible. Ensure the security, IT and general teams understand their roles in executing these controls. Use these mandates to spur action from non-security parts of your organization (never let an incident, or a change in regulation, go to waste).
Remember, there are two primary concerns addressed by these directives: confidentiality, through the lens of data theft and espionage; and availability, through ransomware and other service-interruption attacks. With this in mind, focus on the controls that will be a primary defense/response capability for these kinds of events. Zero trust architectures, including multi-factor authentication, backups and disaster recovery programs, and improving incident response and threat intelligence capabilities, will all be helpful in preventing and responding to government agency-related security threats.
Resources for Security Professionals
Preparing for these new requirements can be daunting. Various resources are available to security professionals who are trying to navigate this changing landscape:
- Work with your industry Information Sharing and Analysis Center (ISAC) and other guidance groups to understand the new requirements and how to interpret them.
- Reach out to your security vendors. Not only will they have solutions to solve some of your control gaps, but they’re also likely to be subject to the same regulations. Ask them how they’re approaching the problem, and learn from their experiences.
- Think tanks are constantly reviewing and dissecting these directives. Keep in touch with them to get a calibration check on your security strategy.
- Talk to your industry peers. At conferences and roundtable discussions, you can ask questions and share concerns. Take advantage of the community’s knowledge and experience.
Try Duo For Free
See how easy it is to get started with Duo and secure your workforce, from anywhere and on any device with our free 30-day trial.