Guest editorial by Dr. Brian Gant
Companies and organizations have become increasingly aware of the need for cybersecurity to safeguard their own data and that of their customers. Good intentions, however, do not necessarily lead to sound practices in an area that can be so confusing for the average person.
Boards or leaders may understand the need to hire experts, but it can be difficult to find qualified professionals or to understand the steps they recommend. Fortunately, a recent raft of federal executive orders, directives, and guidelines is bringing some clarity to the process of securing cyber assets.
In May 2021, days after a ransomware attack shut down the Colonial Pipeline, which carries fuel from Texas to the New York Harbor area, the White House issued Executive Order 14028, Improving the Nation’s Cybersecurity.
(Hear from Anne Neuberger, deputy national security adviser for cyber and emerging technology, who says private companies need to make cybersecurity a top priority and that the threat from Russia is evolving. She speaks on “Balance of Power.” Courtesy of Bloomberg Technology and YouTube. Posted on Apr 1, 2022.)
The order called on the federal government to “bring to bear the full scope of its authorities and resources to protect and secure its computer systems.” Among other things, it set out to break down the silos of cyber threat information held by different agencies (with CISA as the central recipient of threat and incident reports from federal contractors), to modernize the government’s approach to cybersecurity, and to improve the security of the software supply chain.
Since then, both CISA, a component of the U.S. Department of Homeland Security, and the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, have issued directives, standards, and guidance aimed at carrying out the order.
The timing seems right: not only are government agencies moving to comply, but so is private industry. Organizations have realized that they hold the keys to the (data) kingdom, and that protecting those keys is becoming a regulatory obligation as well as a business one.
Changes are rippling up and down the federal government through agencies, large and small, but here are some of the major ones put forth by CISA and NIST.
(What is CISA? The Cybersecurity and Infrastructure Security Agency (CISA) leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure. We connect our stakeholders in industry and government to each other and to resources, analyses, and tools to help them build their own cyber, communications, and physical security and resilience, in turn helping to ensure a secure and resilient infrastructure for the American people. Courtesy of CISA and YouTube. Posted on Apr 20, 2022.)
CISA’s requirements under EO 14028 are related mostly to the federal government. The private sector is included under the call for better sharing of cyber threats and security incidents between government contractors and the agencies they serve, as well as between the contractors themselves.
Other tasks assigned to the agency covered improving the government’s cybersecurity standards and its incident detection, investigation, and response. The EO also directed the Department of Homeland Security to establish a board, supported by CISA, to review significant cyber incidents and make recommendations.
Modernization under the EO means moving agencies toward zero-trust architecture and secure cloud services; cloud security had not been a consistent priority even as many agencies moved systems and storage to the cloud. CISA is also working with other agencies to create standards that can be revised as threats and vulnerabilities change, rather than the static requirements in place today.
Multifactor authentication is a simple, effective control, and the EO requires it for access to federal systems; the same section requires encryption of data in transit and at rest, two industry practices the federal government is now adopting across the board.
On secure software development, NIST (with input from CISA and the Office of Management and Budget) produced the Secure Software Development Framework, which agencies are to apply to the software they procure.
Incident Detection and Response
In the name of early detection, CISA is promoting a “persistent hunt” mindset: agencies should continuously search their networks for intrusions rather than wait for an alert, and respond as soon as one is found.
Part of the agency’s effort is to treat cyber incidents like other security threats, meaning investigation and response are formal processes with a common vocabulary and standardized playbooks for the various types of incident.
CISA, together with the Office of Management and Budget (OMB), is developing requirements for logging security-relevant events, retaining the logs, and sharing them across the federal government (OMB memorandum M-21-31 sets out the logging maturity tiers) so that agencies can learn from attacks and improve their response to the next one. It is also coordinating with OMB to ensure sufficient funding for these efforts.
Cyber Safety Review Board
The Cyber Safety Review Board (CSRB) was established in February 2022 as a joint public-private body that reviews significant cybersecurity incidents and recommends remediation.
Its first review covered the Log4j vulnerability (CVE-2021-44228, “Log4Shell”) in the widely used open-source Log4j logging library, disclosed in December 2021.
(Learn More. Join Rob Silvers (DHS Undersecretary for Policy and Chair of the Cyber Safety Review Board) and Heather Adkins (Deputy Chair and Vice President, Security Engineering, Google) for a discussion about the Cyber Safety Review Board’s inaugural review of the Log4j vulnerability. Rob and Heather will talk about key report findings, how industry and government can implement the recommendations, and how the Board is changing the cyber ecosystem. Courtesy of BlackHat and YouTube. Posted on Nov 17, 2022.)
In July 2022 the board released its report, which found that Log4j had become an endemic vulnerability likely to persist in systems for years. It called for continued vigilance for Log4j instances, adoption of cybersecurity best practices (including accurate software asset inventories), a move to secure software development, and research into the changes needed to shift national thinking about cybersecurity.
(Learn More. High-risk research and a long-term vision are in NIST’s DNA. Leaders from industry, academia and government discuss why NIST is the perfect place to create these new and revolutionary measurement technologies. Courtesy of National Institute of Standards and Technology and YouTube.)
EO 14028 instructed NIST to create standards for improving the security of software development as well as for labeling consumer Internet of Things (IoT) devices and software with cybersecurity information.
This isn’t an exhaustive list of NIST’s undertakings related to EO 14028, but a brief look at the standards likely to reach the most consumers and impact the highest number of companies.
Secure Software Development
Parts of the software industry were already moving toward building security into every stage of development rather than leaving it as a separate check at the end.
Microsoft’s Security Development Lifecycle, for example, made security review and vulnerability testing mandatory at every stage of every product.
NIST’s Secure Software Development Framework (SSDF, published as NIST SP 800-218) sets out practices for reducing, finding, and fixing the common causes of vulnerabilities, grouped under preparing the organization, protecting the software, producing well-secured software, and responding to vulnerabilities. Its verification practices include the following:
Code-based (static) analysis of source code before it runs, also known as SAST
Dynamic analysis of the running software, also known as DAST
Software is often developed under deadline pressure with security left to the end, where it is sometimes skipped in the rush to ship.
The SSDF aims to make security a built-in part of software creation rather than an afterthought. NIST drew on CISA’s expertise in developing it.
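To make the static-analysis practice concrete, here is an added example (not code from the page, from NIST, or from any SSDF tool) of the kind of check a SAST tool performs: it parses Python source with the standard ast module and flags eval()/exec() calls and subprocess calls that pass shell=True. The two source snippets it scans are constructed for the example, one deliberately weak and one hardened; import aliases are not resolved, which a real tool would handle.

```python
"""Added example: a minimal code-based (static) check in the spirit of
the SSDF's SAST practice. Not NIST's tooling; illustrative only."""
import ast

# Constructed sample input: a deliberately weak snippet and its hardened twin.
VULNERABLE_SAMPLE = '''
import subprocess

def run_report(user_filter):
    # user_filter is concatenated into a shell command line
    return subprocess.run("report --filter " + user_filter, shell=True)

def evaluate(expr):
    return eval(expr)
'''

HARDENED_SAMPLE = '''
import ast
import subprocess

def run_report(user_filter):
    # argument list, no shell: user_filter is a single argv entry
    return subprocess.run(["report", "--filter", user_filter], check=True)

def evaluate(expr):
    return ast.literal_eval(expr)  # literals only, no code execution
'''


def _dotted_name(func):
    """Return 'subprocess.run' or 'eval' for a call target, else None.
    Aliases (import subprocess as sp) are not resolved; a real tool would."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def static_scan(source):
    """Return sorted (line, message) findings for the given Python source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in ("eval", "exec"):
            findings.append((node.lineno, f"{name}() executes its argument as code"))
        elif name and name.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, f"{name}(shell=True) hands input to a shell"))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"{label}: {static_scan(src) or 'no findings'}")
```

The point of running the check in the pipeline rather than at release time is that the weak snippet fails the build on the line that introduced the defect, while the hardened version (argument list instead of a shell string, literal_eval instead of eval) passes cleanly.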
EO 14028 instructed NIST to develop labeling criteria for IoT devices and software, so consumers could see what testing and assessment the product had gone through to ensure its security.
(Learn More. Mobile devices offer convenience and flexibility for organizations. NIST has developed resources to help organizations improve their mobile device deployments while taking into consideration their security and privacy needs. Courtesy of National Institute of Standards and Technology and YouTube.)
In May 2022, the agency reported to the assistant to the president for national security affairs that it had discharged its duties under the EO. It did not recommend a specific label or labels, but rather criteria that any labeling program should incorporate.
The criteria included a consistent label design across all products; a third party to coordinate and develop the standards; and mutual recognition of standards and labels across borders, which might require U.S. government leadership. NIST also pointed out that a major effort would be needed to educate consumers about any labeling program, and about the general cyber hygiene measures everyone should take.
The report also brought up the liability producers incur by attesting that a product meets certain standards. Because of that, makers of IoT devices and software may be reluctant to voluntarily embrace such labels. Accordingly, the agency pointed out that legislation may be required to gain industry participation.
Though NIST has satisfied the EO requirements, it will still be some time before consumers see cybersecurity labels appear on IoT devices or software.
NIST also published guidance (SP 800-161 Revision 1) on making cybersecurity supply chain risk management (C-SCRM) part of government organizations’ overall risk management. The intent is to help agencies avoid software that introduces vulnerabilities into government networks, whether through negligent development, deliberate tampering, or counterfeit products. Knowing exactly which components a product contains, for example through the software bill of materials (SBOM) the EO asks suppliers to provide, is the starting point for that work.
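As an added example tying the Log4j review above to the supply-chain guidance here (this is not code from the page, from NIST, or from CISA), the following script reads a CycloneDX-style SBOM, flags any component whose version is below a policy minimum, and reports the dependency path that pulls it in. The SBOM, the application, and the reporting-lib name are constructed for the example; the one real entry is log4j-core, and the 2.17.1 floor is the Java 8 release Apache pointed to after the Log4Shell follow-on fixes. The minimum-version table is policy input, not a vulnerability database.

```python
"""Added example: check a CycloneDX-style SBOM against minimum component
versions and show how each offending component is reached. Illustrative
only; not NIST's or CISA's tooling."""
import json

# Constructed sample SBOM (CycloneDX 1.4 JSON shape). The application and
# reporting-lib are invented for the example; log4j-core is the real library.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {
        "bom-ref": "app", "group": "com.example",
        "name": "payments-api", "version": "1.4.0"}},
    "components": [
        {"bom-ref": "reporting", "group": "com.example",
         "name": "reporting-lib", "version": "3.2.0"},
        {"bom-ref": "log4j-core", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "log4j-api", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["reporting"]},
        {"ref": "reporting", "dependsOn": ["log4j-core"]},
        {"ref": "log4j-core", "dependsOn": ["log4j-api"]},
    ],
})

# Policy floors keyed by group:name (assumed for the example). 2.17.1 is the
# Java 8 release Apache recommended after the Log4Shell follow-on fixes.
MINIMUM_VERSIONS = {"org.apache.logging.log4j:log4j-core": "2.17.1"}


def parse_version(ver):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; a pre-release
    suffix (after '-') sorts below the corresponding release."""
    core, _, pre = ver.partition("-")
    nums = [int(p) for p in core.split(".") if p.isdigit()][:4]
    nums += [0] * (4 - len(nums))
    return tuple(nums) + ((0, pre) if pre else (1, ""))


def dependency_paths(sbom, root_ref):
    """Map each reachable bom-ref to one path of refs from the root."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths, stack = {root_ref: [root_ref]}, [root_ref]
    while stack:
        ref = stack.pop()
        for child in graph.get(ref, []):
            if child not in paths:          # first path found is kept
                paths[child] = paths[ref] + [child]
                stack.append(child)
    return paths


def find_below_minimum(sbom_json, minimums=MINIMUM_VERSIONS):
    """Return findings for components older than their policy minimum."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = dependency_paths(sbom, root)
    findings = []
    for comp in sbom.get("components", []):
        key = f"{comp.get('group', '')}:{comp['name']}"
        floor = minimums.get(key)
        if floor and parse_version(comp["version"]) < parse_version(floor):
            findings.append({
                "component": key, "version": comp["version"], "minimum": floor,
                "path": paths.get(comp["bom-ref"], [comp["bom-ref"]]),
            })
    return findings


if __name__ == "__main__":
    for f in find_below_minimum(SAMPLE_SBOM):
        print(f"{f['component']}@{f['version']} < {f['minimum']} "
              f"via {' -> '.join(f['path'])}")
```

The dependency path is what makes the finding actionable: log4j-core is not a direct dependency of the application here, so the fix is to update or replace reporting-lib, not to edit the application’s own build file. That transitive view is exactly what an SBOM buys a buyer that a vendor’s marketing sheet does not.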
More to Come
Certainly, other agencies are working on securing the nation’s digital assets — the Transportation Security Administration (TSA), U.S. Food and Drug Administration (FDA), Federal Aviation Administration (FAA), and Federal Trade Commission (FTC), to name a few — and the efforts of CISA and NIST will be ongoing.
At some point, data privacy will have to be reconciled with data security. The good news is that companies and the federal government seem to be aware of the need to work together across private and public sectors to protect the homeland by sharing knowledge, reporting incidents, and finding solutions to our common cybersecurity problems.
If it did nothing else, EO 14028 emboldened CISA to act as the nation’s cybersecurity agency, uniting all the disparate, siloed efforts of various agencies.
It also gives all organizations, public and private alike, a definitive source for interpretation of the rules and resources for following them as more guidelines and best practices are developed.
About the Author
Dr. Brian Gant, an accomplished information technology, cybersecurity, and critical infrastructure educator and researcher, is an Assistant Professor and Program Coordinator of Undergraduate Cybersecurity Programs at Maryville University.
Dr. Gant brings more than 15 years of teaching experience into his practice. He is a 2003 alumnus of Maryville and continues to serve in various capacities across campus.
Dr. Gant is dedicated to practical instruction and allowing his students to think abstractly about complex problems which require multilayered approaches. His instruction is hands-on, allowing his students to learn at different levels and communicate with each other as future cybersecurity leaders.
CISA Honored in 2022 ‘ASTORS’ Homeland Security Awards Program
American Security Today’s Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program, and now in its Seventh Year, continues to recognize industry leaders of Physical and Border Security, Cybersecurity, Emergency Preparedness – Management and Response, Law Enforcement, First Responders, as well as federal, state and municipal government agencies in the acknowledgment of their outstanding efforts to Keep our Nation Secure.
Active shooter incidents are often unpredictable and evolve quickly.
Amid chaos, anyone can play an integral role in mitigating the impacts of an active shooter incident. DHS aims to enhance preparedness through a “whole community” approach by providing products, tools, and resources to help you prepare for and respond to an active shooter incident.
(For example, CISA’s “Active Shooter Preparedness: School Security and Resilience” video provides information geared towards educators, school resource officers, and school administrators who serve in important roles in safeguarding schools. Courtesy of CISA and YouTube.)
CISA organizes the material by audience (first responders and security professionals, private citizens, critical infrastructure and business, workshop and webinar participants, employee vigilance and de-escalation, and products and resources) and offers a series of videos with additional information.
(The DHS Active Shooter PowerPoint Presentation and Webinar video is used by DHS-qualified subject-matter experts as a visual reference to guide critical infrastructure owners and operators with a better understanding of developing an organization’s emergency action plan. Courtesy of CISA and YouTube.)
Using a vehicle as a weapon in a terrorist attack is not new.
Recent terrorist incidents and violent extremist propaganda demonstrate that using vehicles as a weapon continues to be of interest to those wishing to cause harm.
Attacks of this nature require minimal capability but can have a devastating impact in crowded places with low levels of visible security.
To aid our nation’s first responders and citizens, CISA offers the following resources: the Vehicle Ramming Self-Assessment Tool, the Self-Assessment Tool Resources, the First Responder Toolbox, General Resources, and videos.
(Learn More. The FBI, DHS, and TSA—in coordination with the Truck Renting and Leasing Association and the American Car Rental Association—have released a short training video to help vehicle rental employees identify suspicious activities and behavior by customers who may wish to use a rented vehicle for nefarious purposes. Courtesy of the FBI – Federal Bureau of Investigation and YouTube. Posted on Aug 3, 2022.)
To contact the Vehicle Ramming Attack Mitigation team or to get more information on Vehicle Ramming Attack Mitigation, please contact CISA.ISD.OSP.VehicleRammingMitigation@cisa.dhs.gov.
Nitin Natarajan, Deputy Director, Cybersecurity and Infrastructure Security Agency (CISA)
Nitin Natarajan was appointed Deputy Director of CISA on February 16, 2021. Before joining CISA, he served in public and private sector positions spanning more than 30 years.
Most recently, he served as an executive at consulting firms providing subject matter expertise on a number of topics, including IT, cybersecurity, homeland, and national security, critical infrastructure protection, environmental emergency management, continuity of operations, and health security matters.
Natarajan also held several federal government roles, including serving as the Deputy Assistant Administrator for the Office of Land and Emergency Management at the U.S. Environmental Protection Agency, the Director of Critical Infrastructure Policy at the White House/National Security Council, and the Director at the U.S. Health and Human Services overseeing their critical infrastructure, continuity of operations (COOP), and medical logistics programs.
Prior to serving in the federal government, Natarajan served in positions at the state/local government level and served as a hospital administrator.
Natarajan started his career spending 13 years as a first responder in New York including service as a flight paramedic. He was the Commander of a federal medical response team, based in New York, and has extensive experience deploying to natural and man-made disasters throughout the nation.
He holds an undergraduate degree from the State University of New York and a graduate degree from the United States Naval Postgraduate School.
(Hear from Nitin Natarajan about the Cybersecurity and Infrastructure Security Agency (CISA), an operational component of the Department of Homeland Security (DHS). Under the leadership of Director Jen Easterly, CISA works to understand, manage, and mitigate risk to the nation’s cyber and physical infrastructure in the public and private sectors. Its virtual mini-Industry Day events allow CISA and industry leaders to have meaningful discussions about cybersecurity, infrastructure, risk management, and communications capabilities, challenges, and technologies, as well as future business opportunities. Courtesy of CISA and YouTube.)
In response to the 1995 domestic terror bombing of the Alfred P. Murrah Federal Building in Oklahoma City, the Interagency Security Committee (ISC) was created. Working collaboratively, it establishes policies, monitors compliance, and enhances the security and protection of federal facilities.
(2020 marked the 25th Anniversary of the Interagency Security Committee. On October 19, 1995, six months after the Oklahoma City bombing of the Alfred P. Murrah Federal Building, Executive Order 12977 created the Interagency Security Committee to address continuing government-wide security for federal facilities. Courtesy of CISA and YouTube.)
With growing recognition among the Federal security community that a “one-size-fits-all” approach is no longer acceptable, the ISC’s Risk Management Process has become the standard for physical security within the federal government.
The ISC RMP Training Program was formed to educate security personnel. It is the first training program recognized and certified by the ISC to train federal security professionals in the ISC Risk Management Process.
This is done through collaborative exercises and hands-on interactive instruction based on an Instructional Systems Design, a nationally recognized process.
The Risk Management Process and Facility Security Committee Training Course awards Continuing Education Units, is offered at no cost to participants, and provides an understanding of the ISC Risk Management Process Standard and of the roles and responsibilities of Facility Security Committees.
To learn more about the ISC RMP Training and how to register, please visit www.cisa.gov/interagency-security-committee-training.
Homeland Security remains at the forefront of our national conversation as we experience an immigration crisis along our southern border and crime rates that are dramatically higher than before the Pandemic across the United States.
These challenges have become a national priority with an influx of investments in innovative new technologies and systems.
Enter American Security Today, the #1 publication and media platform in the Government Security and Homeland Security fields, with a circulation of over 75,000 readers and many tens of thousands more who visit our AST website at www.americansecuritytoday.com each month.
The pinnacle of the Annual ‘ASTORS’ Awards Program is the Annual ‘ASTORS’ Awards Ceremony Luncheon Banquet, an exclusive, full-course plated meal event, in the heart of New York City.
This year’s exclusive sold-out ‘ASTORS’ luncheon featured representatives of law enforcement, public safety, and industry leaders who came together to honor the selfless service of those who stand on the front lines, and those who stand beside them – providing the capabilities and technologies to create a safer world for generations to come.
This year marks the 20th anniversary of the Department of Homeland Security (DHS), which came out in force, to discuss comprehensive collaborations between private and public sectors that have led to the development of intelligence and technologies which serve to protect our nation.
The continually evolving ‘ASTORS’ Awards Program emphasized the trail of Accomplished Women in Leadership in 2022, as well as the Significance and Positive Impact of Advancing Diversity and Inclusion in our Next Generation of Government and Industry Leaders.
The keynote address was provided by U.S. Customs and Border Protection (CBP) Office of Field Operations (OFO) Deputy Executive Assistant Commissioner (DEAC) Diane Sabatino, who described the changes to CBP through the tragedy of 9/11 and the relentless commitment to its mission and ongoing investment in the latest technologies and innovations to protect our borders and Homeland.
The resounding theme of the DEAC’s remarks was her pride in the women and men of the CBP and their families who support them.
AST was also joined by Legendary Police Commissioner William Bratton, who spoke, as always, about his love for the City of New York, the Profession of law enforcement to which he has dedicated his life, and for which he continues to drive thought leadership and innovation.
New York City Police Department (NYPD) Chief of Department Kenneth Corey, came out to address Luncheon attendees and shared some of his experiences and the changes in policing he’s witnessed over his more than three decades of service.
FDNY Chief Joseph Jardin honored the men and women of the FDNY, not only those who currently serve but all of those who have selflessly served, with a special recognition of those lost on 9/11.
Chief Jardin spoke about the continuing health battle of many following 9/11 with cancer and respiratory disease, yet now knowing the full consequences, would not have made a different decision to respond.
As Chief Jardin noted, mission-driven service is in the lifeblood of every firefighter, volunteer and sworn and has been so throughout the history of the Fire Service.
Former head of the FBI’s active shooter program, Katherine Schweit joined AST to sign complimentary copies of her book, ‘STOP THE KILLING: How to End the Mass Shooting Crisis,’ thanks to the generosity of our 2022 ‘ASTORS’ Awards Sponsors.
The 2022 ‘ASTORS’ Awards Program was Proudly Sponsored by NEC National Security Systems (NSS), ATI Systems, Automatic Systems of America, guardDog AI, Fortior Solutions, IPVideo Corporation, Rajant Corporation, RX Global, and SIMS Software!
We were pleased to welcome the esteemed New York City Fire Department (FDNY); the New York City Police Department (NYPD); and the NYC Hospital Police, as well as Executive Management from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and many other DHS agencies, Federal law enforcement agencies, and private/public partnerships such as the National Association of Women Law Enforcement Executives (NAWLEE), the 30×30 Initiative, a coalition of professionals advancing the representation of women in policing; and Operation Lifesaver, Inc. (OLI) (rail safety advocates).
The prestigious Annual ‘ASTORS’ Homeland Security Awards Program highlights the most cutting-edge and forward-thinking security solutions coming onto the market today, to ensure our readers have the information they need to stay ahead of the competition and keep our Nation safe – one facility, street, and city at a time.
In 2022 over 240 distinguished guests representing Federal, State, and Local Governments, and Industry Leading Corporate Firms gathered from across North America, Europe, and the Middle East to be honored among their peers in their respective fields.
Each year, to keep our communities safe and secure, security dealers, installers, integrators, and consultants, along with corporate, government, and law enforcement/first responder practitioners, convene in New York City to network, learn and evaluate the latest technologies and solutions from premier exhibiting brands at ISC East, the Natural Disaster & Emergency Management Expo (NDEM EXPO), and the ASIS NYC Expo.
ISC East is the Northeast’s leading security & public safety event, hosted in collaboration with sponsor Security Industry Association (SIA) and in partnership with ASIS NYC.
Corporate firms, the majority of which return year to year to build upon their Legacy of Wins, include:
Advanced Detection Technologies, AMAROK, ATI Systems, Axis Communications, Automatic Systems, BriefCam, Canon U.S.A., Cellbusters, CornellCookson, CyberArk, Fortior Solutions, guardDog.ai, Hanwha Techwin of America, High Rise Escape Systems, IPVideo Corporation, Konica Minolta Business Solutions, NEC National Security Systems, NICE Public Safety, OnSolve, PureTech Systems, Quantum Corporation, Rave Mobile Safety, Regroup Mass Notification, Robotic Assistance Devices, Rajant Corporation, SafeLogic, Select Engineering Services LLC, Singlewire Software, SolarWinds Worldwide, Teledyne FLIR, Valor Systems, and West Virginia American Access Control Systems, just to name a few!