The public sector is not typically known or heralded for its innovation efforts, especially in technology. While innovating inside a bureaucracy can be difficult, the government’s mission compels many within it to try. Currently, the public sector is moving the collective cybersecurity needle in three areas, which we will explore in this report.
The Compliance and Innovation Intersection
The government is known for its compliance-related acronyms. FISMA (Federal Information Security Modernization Act) and FedRAMP (Federal Risk and Authorization Management Program) are notorious across the cybersecurity industry, and they are most commonly associated with feeling stifled when it comes to building, moving fast, and innovating. But government agencies have been investing heavily in ways to ease the burden of compliance and empower technologists. Examples include:
- Control documentation as code, in the form of OSCAL (Open Security Controls Assessment Language)
- Control inheritance woven into platform-as-a-service delivery models such as PlatformOne and batCave
- The push to make more data open and available, both in large, sweeping ways like data.gov and through smaller agency-specific initiatives, which facilitates more centralized access and governance
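As an added illustration of the first item above (control documentation as code), and not code from the original article or from any of the programs it names, the following Python check runs over three constructed, heavily simplified OSCAL-style documents: a catalog, a profile that selects controls from it, and a component definition that documents which of those controls a shared platform component implements on behalf of the systems that inherit it. The field names follow OSCAL's JSON models; the control ids, UUIDs and titles are made up, real documents carry far more (parts, parameters, links, full metadata), and only the profile's `with-ids` selection form is handled.

```python
"""Control documentation as code: a minimal OSCAL-style coverage check.

Added example, not code from the original article or any program it names.
The three documents below are constructed, heavily simplified subsets of the
OSCAL catalog, profile and component-definition JSON models: field names are
OSCAL's, control ids/titles/UUIDs are invented. Only the profile's
``include-controls`` / ``with-ids`` selection form is handled.
"""
import json

# Constructed catalog: two groups; ac-6.1 shows a nested control (enhancement).
CATALOG_JSON = json.dumps({"catalog": {
    "uuid": "11111111-1111-4111-8111-111111111111",
    "metadata": {"title": "Example Catalog", "version": "0.1", "oscal-version": "1.1.2"},
    "groups": [
        {"id": "ac", "title": "Access Control", "controls": [
            {"id": "ac-2", "title": "Account Management"},
            {"id": "ac-6", "title": "Least Privilege", "controls": [
                {"id": "ac-6.1", "title": "Authorize Access to Security Functions"}]},
        ]},
        {"id": "au", "title": "Audit and Accountability", "controls": [
            {"id": "au-2", "title": "Event Logging"},
        ]},
    ],
}})

# Constructed profile: selects four real controls plus one id that does not exist.
PROFILE_JSON = json.dumps({"profile": {
    "uuid": "22222222-2222-4222-8222-222222222222",
    "metadata": {"title": "Example Baseline", "version": "0.1", "oscal-version": "1.1.2"},
    "imports": [{"href": "#catalog",
                 "include-controls": [{"with-ids": ["ac-2", "ac-6", "ac-6.1", "au-2", "xx-9"]}]}],
}})

# Constructed component definition: a platform component documenting three controls.
COMPONENT_JSON = json.dumps({"component-definition": {
    "uuid": "33333333-3333-4333-8333-333333333333",
    "metadata": {"title": "Example Platform Component", "version": "0.1", "oscal-version": "1.1.2"},
    "components": [{
        "uuid": "44444444-4444-4444-8444-444444444444",
        "type": "software", "title": "Example PaaS Runtime",
        "description": "Constructed component inherited by tenant systems.",
        "control-implementations": [{
            "uuid": "55555555-5555-4555-8555-555555555555",
            "source": "#profile",
            "description": "Controls the platform satisfies on behalf of tenants.",
            "implemented-requirements": [
                {"uuid": "66666666-6666-4666-8666-666666666661", "control-id": "ac-2",
                 "description": "Accounts are provisioned through the platform identity provider."},
                {"uuid": "66666666-6666-4666-8666-666666666662", "control-id": "ac-6.1",
                 "description": "Security functions require a privileged platform role."},
                {"uuid": "66666666-6666-4666-8666-666666666663", "control-id": "au-2",
                 "description": "Platform forwards audit events to the central log pipeline."},
            ],
        }],
    }],
}})


def catalog_control_ids(catalog):
    """Collect every control id, descending into nested groups and nested controls."""
    ids = set()

    def walk(node):
        for group in node.get("groups", []):
            walk(group)
        for control in node.get("controls", []):
            ids.add(control["id"])
            walk(control)  # enhancements are nested controls in OSCAL

    walk(catalog["catalog"])
    return ids


def profile_selected_ids(profile):
    """Control ids explicitly selected by the profile's imports (with-ids form only)."""
    ids = set()
    for imp in profile["profile"].get("imports", []):
        for selection in imp.get("include-controls", []):
            ids.update(selection.get("with-ids", []))
    return ids


def implemented_control_ids(compdef):
    """Control ids that have a documented implemented-requirement in any component."""
    ids = set()
    for comp in compdef["component-definition"].get("components", []):
        for impl in comp.get("control-implementations", []):
            for req in impl.get("implemented-requirements", []):
                ids.add(req["control-id"])
    return ids


def coverage_report(catalog_json, profile_json, compdef_json):
    """Which selected controls are documented, undocumented, or absent from the catalog."""
    known = catalog_control_ids(json.loads(catalog_json))
    selected = profile_selected_ids(json.loads(profile_json))
    implemented = implemented_control_ids(json.loads(compdef_json))
    return {
        "covered": sorted(selected & known & implemented),
        "missing": sorted((selected & known) - implemented),  # selected, real, not documented
        "unknown": sorted(selected - known),                  # profile cites a non-existent control
    }


if __name__ == "__main__":
    print(json.dumps(coverage_report(CATALOG_JSON, PROFILE_JSON, COMPONENT_JSON), indent=2))
```

Because the three documents are machine-readable, the same check can run in a pipeline every time any of them changes, which is the practical difference between control documentation as code and a spreadsheet that is reconciled by hand before an audit.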
The government does not have the benefit of building the way a startup does: entirely green-field and without the same overhead of rules. This is one reason private sector organizations are rocked by compliance requirements when they grow or re-focus into areas where they must now comply with, prepare for, and audit against standards like SOC2 (Service Organization Control 2), PCI-DSS (Payment Card Industry Data Security Standard), ISO 27001, or HITRUST (Health Information Trust Alliance). There are useful lessons to be learned from the public sector about working quickly in a regulation-heavy environment. Replicating all of its practices, though, would not be useful; what is useful should be taken, contextualized, and built upon appropriately.
Supply Chain Risk Management
Many private sector organizations have some sort of supply chain focus, usually in the form of a third-party risk management (TPRM) program. These programs are heavily focused on immediate providers, which are assessed through a series of questionnaires, oftentimes filled out via self-attestation as part of the sales process.
This process has a couple of major flaws: the accuracy of the information is hard to verify, and there is an obvious incentive to fill the questionnaires out expeditiously to move a sale, and the subsequent deployment, forward. These questionnaires are also oftentimes a re-skin of common compliance standards like SOC2 mixed with some organization-specific feature requirements.
The public sector thinks about supply chain much more deeply, asking questions such as: Who are the providers of your providers? How are those providers influenced and financed? Where do the technology components come from? Are there any influences in the supply chain from adversaries (in the public sector, most likely foreign governments)? All of these insights and more are factored into a broader risk assessment, which is then provided as input to strategic decision-making. As supply chains continue to grow more complex, innovation has followed in automated data collection, data aggregation, and more sophisticated risk models.
When Executive Order 14028 was released, the entire cybersecurity market conversation changed. Zero trust rapidly became a focal point of product development and security strategies. The intersection of a zero-trust strategy with software supply chains and software bills of materials (SBOMs) grew in prominence. Companies with innovative new approaches to these problems were founded and entered the market. All of this change began when the executive order was released: it created urgency, which was then followed by surges of money in both the public and private sectors. The government, being one of the largest and most important enterprises around, has the power to set precedent and redirect focus.
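The "providers of your providers" question from the supply chain discussion above is one that an SBOM can answer mechanically, which is part of why SBOMs and supply chain risk became linked. As an added example that is not code from the original article or from any product it alludes to, the Python below walks a constructed, trimmed CycloneDX-style SBOM (field names follow CycloneDX; the components, suppliers and dependency edges are invented, including a deliberate cycle). It reports each supplier by the closest tier at which it appears, and separately lists reachable components with no declared supplier at all, which is exactly the provenance gap a questionnaire aimed only at immediate providers never surfaces.

```python
"""Answering "who are the providers of your providers?" from an SBOM.

Added example, not code from the original article. SBOM_JSON is a constructed,
trimmed CycloneDX-style document: field names follow CycloneDX, everything
else (components, suppliers, edges, the lib-d -> lib-a cycle) is invented.
"""
import json
from collections import deque

SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "bom-ref": "app", "name": "example-app",
                               "version": "1.0.0", "supplier": {"name": "Our Org"}}},
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "lib-a", "version": "2.3.0",
         "supplier": {"name": "Acme Corp"}},
        {"type": "library", "bom-ref": "lib-b", "name": "lib-b", "version": "0.9.1",
         "supplier": {"name": "Widget Ltd"}},
        {"type": "library", "bom-ref": "lib-c", "name": "lib-c", "version": "4.0.2",
         "supplier": {"name": "Gadget Inc"}},
        # Constructed component with no supplier declared at all.
        {"type": "library", "bom-ref": "lib-d", "name": "lib-d", "version": "1.1.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
        {"ref": "lib-a", "dependsOn": ["lib-c"]},
        {"ref": "lib-b", "dependsOn": []},
        {"ref": "lib-c", "dependsOn": ["lib-d"]},
        {"ref": "lib-d", "dependsOn": ["lib-a"]},  # constructed cycle; the walk must terminate
    ],
})


def _components_by_ref(sbom):
    """Index components (and the root application in metadata) by bom-ref."""
    comps = {c["bom-ref"]: c for c in sbom.get("components", []) if "bom-ref" in c}
    root = sbom.get("metadata", {}).get("component")
    if root and "bom-ref" in root:
        comps[root["bom-ref"]] = root
    return comps


def dependency_depths(sbom, root_ref):
    """Breadth-first walk of the dependency graph; depth is the shortest path from root."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depths = {root_ref: 0}
    queue = deque([root_ref])
    while queue:
        ref = queue.popleft()
        for dep in edges.get(ref, []):
            if dep not in depths:  # seen refs are skipped, so cycles cannot loop forever
                depths[dep] = depths[ref] + 1
                queue.append(dep)
    return depths


def supplier_tiers(sbom, root_ref):
    """Map each supplier to the closest tier it appears at (1 = a direct provider)."""
    comps = _components_by_ref(sbom)
    tiers = {}
    for ref, depth in dependency_depths(sbom, root_ref).items():
        if depth == 0:
            continue
        name = comps.get(ref, {}).get("supplier", {}).get("name")
        if name is not None:
            tiers[name] = min(depth, tiers.get(name, depth))
    return tiers


def undeclared_supplier_refs(sbom, root_ref):
    """Reachable components whose supplier is missing: provenance a review cannot assess."""
    comps = _components_by_ref(sbom)
    return sorted(ref for ref, depth in dependency_depths(sbom, root_ref).items()
                  if depth > 0 and not comps.get(ref, {}).get("supplier", {}).get("name"))


def supply_chain_summary(sbom_json, root_ref="app"):
    """Tier-by-supplier view plus the list of components with undeclared provenance."""
    sbom = json.loads(sbom_json)
    return {"tiers": supplier_tiers(sbom, root_ref),
            "undeclared": undeclared_supplier_refs(sbom, root_ref)}


if __name__ == "__main__":
    print(json.dumps(supply_chain_summary(SBOM_JSON), indent=2))
```

Running it on the constructed SBOM places Acme Corp and Widget Ltd at tier 1, Gadget Inc at tier 2, and flags lib-d as having no declared supplier; the same walk can be started from any component's bom-ref to look one level deeper into a particular provider. The financing and influence questions the public sector asks cannot be read out of an SBOM, but the tiered supplier list is the input those assessments need.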
The three areas of public sector innovation highlighted above are far from exhaustive. Any organization can innovate; any sector can innovate. I believe there are rich learning opportunities in studying other sectors and disciplines, whether government-based or private sector-based. Abstracting ideas and methodologies from their domain-specific contexts, and adapting them to work in your organization, is a powerful improvement technique.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: