Government and Public Sector Cybersecurity Services

We are helping the federal government, state and local organizations, and nonprofit entities transform IT risk, cybersecurity and data privacy for now, next and beyond.

Key trends in federal cybersecurity investment

Scott Smith 05 Apr 2023

What EY can do for you

The EY Government and Public Sector (GPS) cybersecurity team is designed to scale to the most complex needs and span the full end-to-end cyber transformation journey. We help our clients from the very beginning stages of their cyber strategy through the operational delivery of their cybersecurity mission. We work with clients to address various aspects of cyber transformation, including:

The EY cybersecurity team aims to help government agencies from the very beginning of their cyber strategy through the continued maintenance, compliance and resilience of the transformation journey.

Cybersecurity strategy

Capability assessment and benchmarking
Cyber program assessments
Zero trust program assessments (aligning to the DHS Zero Trust Maturity Model)
Cyber benchmarking and performance analysis

Strategy, planning and transformation
Cyber strategy and road map
Cyber operating model and organizational design

Cyber risk management and insights

Cyber risk quantification
Supply chain risk management
Risk management framework (RMF)

Cyber compliance and resilience

Compliance program readiness and remediation
Representative regulations and standards include NIST 800-53, ISO 27001, HIPAA, FISMA/FedRAMP, CMMC, PCI, GDPR, CCPA

Cyber war-gaming and tabletop exercises
Cyber crisis management and recovery surge support
EY data protection and privacy services help government agencies stay current with leading practices in data security and data privacy, as well as comply with regulation in a constantly evolving threat environment and regulatory landscape.

Data protection and privacy services

EY data protection (pdf) and privacy services and approaches are designed to help organizations protect their information over the full data life cycle — from acquisition, to disposal. Data protection services include:

Data protection strategy and transformation

Data protection strategy
Data governance strategy
Policies and procedures
Program governance and business alignment
Program risk assessment and remediation
Data protection program strategy and road map design
Data security strategy and architecture
Cloud strategy

High-value information asset (HVIA) protection

Data classification models and strategies
Data labeling and tagging methods and approaches
Data handling methods and approaches
HVIA identification across business units and functions
Insider threat assessment and protection
Application and system data assessments
Data discovery scanning
EY identity and access management (IAM) services help government agencies manage the life cycle of digital identities for users, systems and services by providing organizations a view of who has access to what resources. IAM focus areas include:

IAM strategy

IAM business case definition
IAM assessments and road maps

Access management

Single sign-on
Multi-factor authentication
Password self-service
Application programming interface (API) access control
Public key infrastructure (PKI) and certificate-based authentication
Fine-grained entitlement management and authorization

Identity governance and administration

Access requests and provisioning
Access certifications
Segregation of duties
Application onboarding
User life cycle management
Role-based access management
Enterprise identity repository

Privileged access management

Password vaulting and rotation
Secrets management
Session brokering
Privileged account governance
Endpoint least privilege
Threat analytics
EY cybersecurity architecture, engineering and emerging technologies services are designed to help government agencies protect their enterprises from adversaries that seek to exploit weaknesses in the design and operation of their technical security controls, including disruptive technologies such as cloud computing, blockchain and the internet of things (IoT). Focus areas include:

Architecture and engineering

Assessment, design and road map
Secure standards and pattern design
Security engineering transformation
Technical implementation and integration

Emerging technology

Cloud security
Operational technology (OT)
Cyber automation
Cyber analytics
EY next-generation security operations and response (NGSOR) services help build a more secure and trusted working world by helping government agencies protect their organizations with proven strategic and tactical approaches to defend, detect, respond and recover from cyber attacks. EY NGSOR services include:

Security operations center (SOC) transformation

SOC assessment, strategy and road map
SOC build and transformation
SOC technology requirements analysis and selection
SOC governance, playbooks, metrics and reporting
Managed threat detection and response services

Cyber threat resiliency and intelligence

Cyber threat resiliency assessment
Threat intelligence as a service

Incident readiness and response

Incident readiness and maturity assessments
Cyber crisis simulation (e.g., tabletop exercises)
Incident response governance, playbooks, metrics and reporting
Incident containment, eradication and recovery assistance
Cyber incident postmortem analysis

Attack and penetration testing

Internal, external, wireless, application and mobile attack and penetration testing
Red Team threat assessments
Cloud security assessments
Product security assessments

Application security

Application security assessments
Secure application architecture assessments and threat modeling
Application security program build
Secure development, security and operations (DevSecOps)

Vulnerability management (VM)

Cyber exposure assessment
VM program improvement strategy and road map
Scanning technology implementation and enhancement
Critical vulnerability response

Understanding the public sector landscape

With cyber threats increasing at an alarming rate, there has been a whirlwind of government activity related to cybersecurity. Viewing cybersecurity government guidance through many lenses will help agencies strengthen their cybersecurity efforts — enabling the strategies, architectural models and investments to move forward.

77%

of companies saw increases in disruptive attacks in last 12 months, up from 59% in 2020.

50%

of executives view cloud security as a significant barrier to realizing cloud value

56%

of executives surveyed do not know whether their defenses are strong enough for hackers’ new strategies.

2000

Increase of OT target attacks since 2018

Our latest thinking on public sector cybersecurity legislation

How to establish IAM metrics within the Zero Trust framework

22 Aug 2023 Scott Smith

Cybersecurity in pensions

Public pension providers are often targets of cyber criminals looking to access and steal the sensitive information of their members and employers. Read more.

25 Jul 2023 Josef Pilger + 1

How to modernize audit security and access management capabilities

Helping a federal agency improve audit security by architecting and implementing refreshed identity and access management technology.

22 Mar 2023

The zero trust journey: transforming cyber defense

Zero trust is a security model that moves from static, network-based cyber defenses to a continuously validated security configuration across five key pillars.

03 Aug 2022 Scott Smith

Top seven government and public sector cyber trends

Top government and public sector cyber trends

12 Apr 2022 Scott Smith

How the government is prioritizing cybersecurity

28 Jan 2022 Scott Smith

Zero trust in the public sector

Our effective cyber program assessment and zero trust strategy practices directly translate to business security needs and protect the business applications even when the perimeter is breached and the network is compromised. The following are the crucial steps to consider while devising a zero trust strategy:

Define the business drivers and objectives that influence security resources
Assess the current cybersecurity architecture against zero trust maturity models to evaluate the gaps
Develop a short- and long-term strategic road map for embracing a zero trust architecture incrementally
Achieve compatibility with the existing service infrastructure and application landscape
Build business cases to justify the security transformation

We have expanded upon the Department of Homeland Security Cybersecurity & Infrastructure Security Agency (DHS CISA) maturity model to ease the development of a road map to advance zero trust architecture. Specifically, we align the DHS CISA zero trust assessment to the EY cyber program assessment to enable mapping to multiple regulatory requirements (e.g., NIST 800-53), benchmarking against commercial sectors and alignment with “battle-tested” project charters.

Why EY?

Experience successfully creating transformational cyber, analytics and technology strategies for Fortune 500 companies, large federal agencies, state and local government organizations, and nonprofit organizations
Team of 11,000 cyber and risk professionals throughout the world and an extensive network of vendor and technology alliances
Highly experienced project teams trained in cybersecurity transformation and implementation, including more than 1,600 professionals with active US security clearances
Globally recognized and award-winning next-generation cyber capabilities in a business-led, agile fashion
Leaders in multiple analyst ranking reports, including recognition by Forrester as a top-ranked strategic leader and information security consulting provider
Purpose-driven culture of building a better working world that focuses on client outcomes by utilizing diverse high-performing teams, helping our clients find better ways of working, challenging today’s methods and unlocking innovation

The public sector cybersecurity team

Scott Smith

EY US Government and Public Sector Cybersecurity Partner/Principal

Author on topics such as identity and access management, security analytics and machine learning. Long history advising government clients to successfully deliver long-lasting, transformative impacts.

Washington, DC, USA

Gary Winch

Principal, Government and Public Sector Cybersecurity, Ernst & Young LLP

Cybersecurity and technology leader. Retired Army Colonel with a son currently attending West Point. Distance runner and Boy Scout Council Advisory Board Member.

Tysons, USA

Scott Feigenbaum

Managing Director, Government and Public Sector Cybersecurity, Ernst & Young LLP

Leader and team builder with a proven track record of growth with an emphasis on our people, capabilities and clients.

Tysons, USA

Rakesh Thakur

Managing Director, Government and Public Sector, Ernst & Young LLP

Fostering digital resilience. Safeguarding states, communities and educational institutions.

Boston, USA

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

Insights

Trending topics

Spotlight

Services

Spotlight

Careers

Spotlight

Industries

Case studies

About us

Spotlight

Government and Public Sector Cybersecurity Services

Related topics

Key trends in federal cybersecurity investment

What EY can do for you

Cybersecurity strategy, risk, compliance and resilience

Data protection and privacy

Identity and access management

Cybersecurity architecture, engineering and emerging technologies

Next-generation security operations and response

Understanding the public sector landscape

Our latest thinking on public sector cybersecurity legislation

Zero trust in the public sector

Why EY?

The public sector cybersecurity team

Scott Smith

Gary Winch

Scott Feigenbaum

Rakesh Thakur