Working with the Feds? Enhance Your Security

If you want (or are) to work with the government, ensuring you have solid security in place can be as important in getting (or keeping) the contract as anything else.
Alex Hart, director of public sector channel sales at Symantec Corporation writes that Small businesses are increasingly under the gun when it comes to information security. Symantec’s recent Internet Security Threat Report showed that small business is now the second-most attacked industry, just behind education. At the same time, many small businesses are feeling the pressure to implement proper security measures in order to engage in potentially lucrative relationships with government organizations.
For a small business, opening that door to do business with a state, local, or federal government organization can be a key to success. One thing can lead to another and before long, a small business can become the provider to the public sector. Once a business has secured a pre-competed and/or pre-negotiated contract, it allows for quick and easy buying by the customer. Small businesses also hold specific classifications that make them more desirable, such as “small or disabled veteran owned” or “woman owned.”
Despite this, the government is well aware of the threats outside parties (i.e. consultants, vendors, contractors, etc.) can pose to its information. According to a recent GAO report, malicious code can be inserted into agency software and systems by using contractors. In other words, when a small business becomes a regular supplier to a government entity, their network becomes only as secure as the weakest link. Most agencies have reported that contract language has helped to establish security requirements for contractors.
FISMA and Small Business
In 2002, President Bush implemented FISMA (Federal Information Security Management Act) in order to ensure the security of information in government agencies (similar regulations exist for healthcare, local government and education). Understanding today’s atmosphere is crucial for small businesses since they are often required to undertake the same security measures, and comply with the same regulations, in order to work with government organizations.
Maintaining the integrity of the federal government’s information infrastructure is critical – in fact, maintaining a secure cyberspace has become essential to our homeland and national security. As the federal government’s reliance on electronic data increased, however, it was slow to address the need for stronger information security practices within the government. Finally, in 2002, the importance of information security was officially addressed through Title III of the E-Government Act, which is FISMA.
FISMA requires every federal agency, and any organizations whose information systems possess or make use of federal information, to develop, document, and implement an agency-wide, risk-based information security program. FISMA also requires periodic testing and evaluation of the effectiveness of the information security policies, procedures, and practices in place. While FISMA lays out the required elements of the security program, it doesn’t set any security benchmarks, or provide much in the way of guidance on how to achieve these requirements. That’s where The National Institute of Standards and Technology (NIST) comes in. NIST was enlisted to support FISMA by developing publications that provide guidance and best security practices to government agencies.
To date, NIST has developed a range of special publications, offering guidance on topics like security incident management, selecting and testing of security controls for information systems, and assigning levels of risk to information systems. Small businesses should utilize these publications to gain an understanding of the requirements that are imposed upon government entities and impose the same rules and regulations upon themselves.
Compliance numbers
Last summer, the Government Accountability Office (GAO) released a report that said agency compliance with FISMA is irregular. The GAO’s survey of 24 federal agencies found that 63 percent of information systems met the NIST guidelines, including the minimum-security controls mandated by FISMA. The GAO report found that compliance and accreditation varied greatly. Seven of the 24 agencies said more than 90 percent of their systems were certified and accredited as secure, while six reported less than half of their systems were accredited as secure. Only the Social Security Administration and the Nuclear Regulatory Commission achieved 100 percent accreditation and certification. NASA reported 98 percent compliance, and the National Science Foundation reported that 95 percent of its information systems met the guidelines. Seventy-seven percent of the Defense Department systems met the guidelines, according to the GAO.
Moving forward, it’s safe to say that any small business contractor or vendor that will make compliance more difficult to a government entity can expect roadblocks to conducting business with public sector organizations. Additionally, security regulations imposed by FISMA and other regulations are nothing unusual and will likely help a small business achieve a more secure information security posture themselves.
Small Businesses and Compliance
In a survey released in November 2004 by O’Keeffe & Co., achieving FISMA compliance and avoiding a compromised network tied for second place among the primary concerns of federal government CISO’s (chief information security officers) concerns. The survey found that while CISOs spend a large portion of their time on administrative activities related to FISMA compliance, they feel they lack the resources and funds necessary to achieve compliance. In fact, more than 60 percent of federal agencies with information security budgets of less than $500,000 found their managers spending at least three hours a day, on average, on compliance requirements.
Small businesses should ensure they are taking the necessary steps on their end in order to avoid complicating compliance matters further when working with government organizations. There are several regulatory compliance solutions that can help a small business with the following capabilities:
∑ Antivirus softwareóAntivirus software is still the best way to stay protected and small businesses should install it on all servers, desktops, and laptopsóincluding devices used to make remote connections to your network. Simply having the antivirus installed is not enoughófor maximum protection from the latest threats, you should check for new virus definitions daily, and also perform weekly system scans.
∑ Firewall protection–Without a firewall, small businesses information is at risk. A firewall is an essential protective wall around the network that keeps the information inside the network private and secure by constantly monitoring all data flowing in and out, looking for irregularities or signs of trouble. Use a network firewall, and also install a personal firewall on each computer.
∑ Threat Detection – FISMA requires that agencies appropriately respond to and report on incidents. An intrusion monitoring solution will help out in this area.
∑ Vulnerability Detection – This is another crucial aspect of regulatory compliance. A vulnerability detection solution will performs regular compliance testing, as stipulated by FISMA. There are also solutions that will scan for vulnerabilities to ensure weaknesses are isolated and resolved before they expose the network to attack.
∑ Security Remediation – FISMA, along with most regulations, requires that weaknesses are remedied as soon as they become known. This can be achieved through patch management or backup and recovery solutions.
∑ Information Management – The ability to make sense of all the security information coming in, as well as following up with appropriate countermeasures and reporting, is vital. Asset management solutions can assess risk to information systems. Other solutions can provide event correlation and agency reporting, as specifically required by FISMA.
Although it can be said that selling, at its most fundamental level, is the same regardless of customer, the truth is that selling in the public sector is different. To be successful in this space, small businesses should recognize its unique needs and regulations and be willing to invest the resources necessary to address them. By understanding potential customers’ needs at multiple levels, a small business will experience a deeper and wider relationship which will ultimately increase their value with customers in the public sector.


About Ramon Ray

Ramon Ray, Marketing & Technology Evangelist, & Infusionsoft. Full bio at . Check him out on Google Plus, Twitter or Facebook