Government and Public Sector Cybersecurity Services
We are helping the federal government, state and local organizations, and nonprofit entities transform IT risk, cybersecurity and data privacy for now, next and beyond.
The EY Government and Public Sector (GPS) cybersecurity team is designed to scale to the most complex needs and span the full end-to-end cyber transformation journey. We help our clients from the very beginning stages of their cyber strategy through the operational delivery of their cybersecurity mission. We work with clients to address various aspects of cyber transformation, including:
The EY cybersecurity team aims to help government agencies from the very beginning of their cyber strategy through the continued maintenance, compliance and resilience of the transformation journey.
Cybersecurity strategy
Capability assessment and benchmarking
Cyber program assessments
Zero trust program assessments (aligning to the DHS Zero Trust Maturity Model)
Cyber benchmarking and performance analysis
Strategy, planning and transformation
Cyber strategy and road map
Cyber operating model and organizational design
Cyber risk management and insights
Cyber risk quantification
Supply chain risk management
Risk management framework (RMF)
Cyber compliance and resilience
Compliance program readiness and remediation
Representative regulations and standards include NIST 800-53, ISO 27001, HIPAA, FISMA/FedRAMP, CMMC, PCI, GDPR, CCPA
Cyber war-gaming and tabletop exercises
Cyber crisis management and recovery surge support
EY data protection and privacy services help government agencies stay current with leading practices in data security and data privacy, as well as comply with regulation in a constantly evolving threat environment and regulatory landscape.
Data protection and privacy services
EY data protection and privacy services and approaches are designed to help organizations protect their information over the full data life cycle, from acquisition to disposal. Data protection services include:
Data protection strategy and transformation
Data protection strategy
Data governance strategy
Policies and procedures
Program governance and business alignment
Program risk assessment and remediation
Data protection program strategy and road map design
Data security strategy and architecture
Cloud strategy
High-value information asset (HVIA) protection
Data classification models and strategies
Data labeling and tagging methods and approaches
Data handling methods and approaches
HVIA identification across business units and functions
Insider threat assessment and protection
Application and system data assessments
Data discovery scanning
EY identity and access management (IAM) services help government agencies manage the life cycle of digital identities for users, systems and services by providing organizations a view of who has access to what resources. IAM focus areas include:
IAM strategy
IAM business case definition
IAM assessments and road maps
Access management
Single sign-on
Multi-factor authentication
Password self-service
Application programming interface (API) access control
Public key infrastructure (PKI) and certificate-based authentication
Fine-grained entitlement management and authorization
Identity governance and administration
Access requests and provisioning
Access certifications
Segregation of duties
Application onboarding
User life cycle management
Role-based access management
Enterprise identity repository
Privileged access management
Password vaulting and rotation
Secrets management
Session brokering
Privileged account governance
Endpoint least privilege
Threat analytics
EY cybersecurity architecture, engineering and emerging technologies services are designed to help government agencies protect their enterprises from adversaries that seek to exploit weaknesses in the design and operation of their technical security controls, including disruptive technologies such as cloud computing, blockchain and the internet of things (IoT). Focus areas include:
Architecture and engineering
Assessment, design and road map
Secure standards and pattern design
Security engineering transformation
Technical implementation and integration
Emerging technology
Cloud security
Operational technology (OT)
Cyber automation
Cyber analytics
EY next-generation security operations and response (NGSOR) services help build a more secure and trusted working world by helping government agencies protect their organizations with proven strategic and tactical approaches to defend, detect, respond and recover from cyber attacks. EY NGSOR services include:
Security operations center (SOC) transformation
SOC assessment, strategy and road map
SOC build and transformation
SOC technology requirements analysis and selection
Incident response governance, playbooks, metrics and reporting
Incident containment, eradication and recovery assistance
Cyber incident postmortem analysis
Attack and penetration testing
Internal, external, wireless, application and mobile attack and penetration testing
Red Team threat assessments
Cloud security assessments
Product security assessments
Application security
Application security assessments
Secure application architecture assessments and threat modeling
Application security program build
Secure development, security and operations (DevSecOps)
Vulnerability management (VM)
Cyber exposure assessment
VM program improvement strategy and road map
Scanning technology implementation and enhancement
Critical vulnerability response
Understanding the public sector landscape
With cyber threats increasing at an alarming rate, there has been a whirlwind of government activity related to cybersecurity. Viewing cybersecurity government guidance through many lenses will help agencies strengthen their cybersecurity efforts — enabling the strategies, architectural models and investments to move forward.
77%
of companies saw increases in disruptive attacks in the last 12 months, up from 59% in 2020.
50%
of executives view cloud security as a significant barrier to realizing cloud value.
56%
of executives surveyed do not know whether their defenses are strong enough for hackers’ new strategies.
2000
Increase of OT target attacks since 2018
Sources: EY Global Information Security Survey (GISS) 2021, Govtech, PwC
Our latest thinking on public sector cybersecurity legislation
Public pension providers are often targets of cyber criminals looking to access and steal the sensitive information of their members and employers.
Zero trust is a security model that moves from static, network-based cyber defenses to a continuously validated security configuration across five key pillars.
Our effective cyber program assessment and zero trust strategy practices directly translate to business security needs and protect the business applications even when the perimeter is breached and the network is compromised. The following are the crucial steps to consider while devising a zero trust strategy:
Define the business drivers and objectives that influence security resources
Assess the current cybersecurity architecture against zero trust maturity models to evaluate the gaps
Develop a short- and long-term strategic road map for embracing a zero trust architecture incrementally
Achieve compatibility with the existing service infrastructure and application landscape
Build business cases to justify the security transformation
We have expanded upon the Department of Homeland Security Cybersecurity & Infrastructure Security Agency (DHS CISA) maturity model to ease the development of a road map to advance zero trust architecture. Specifically, we align the DHS CISA zero trust assessment to the EY cyber program assessment to enable mapping to multiple regulatory requirements (e.g., NIST 800-53), benchmarking against commercial sectors and alignment with “battle-tested” project charters.
Why EY?
Experience successfully creating transformational cyber, analytics and technology strategies for Fortune 500 companies, large federal agencies, state and local government organizations, and nonprofit organizations
Team of 11,000 cyber and risk professionals throughout the world and an extensive network of vendor and technology alliances
Highly experienced project teams trained in cybersecurity transformation and implementation, including more than 1,600 professionals with active US security clearances
Globally recognized and award-winning next-generation cyber capabilities in a business-led, agile fashion
Leaders in multiple analyst ranking reports, including recognition by Forrester as a top-ranked strategic leader and information security consulting provider
Purpose-driven culture of building a better working world that focuses on client outcomes by utilizing diverse high-performing teams, helping our clients find better ways of working, challenging today’s methods and unlocking innovation