Top seven government and public sector cyber trends

In brief

• 56% of executives surveyed do not know whether their defenses are strong enough for hackers’ new strategies
• 75% of all security failures by 2023 will result from inadequate management of identities, access and privileges
• 21% of organizations currently believe they have an effective framework to mitigate risk

With cyber threats increasing at an alarming rate, there has been a whirlwind of government activity related to cybersecurity. Viewing cybersecurity government guidance through many lenses will help agencies strengthen their cybersecurity efforts — enabling the strategies, architectural models and investments to move forward.

EY has highlighted seven cyber trends as they relate to federal and state and local agencies.

1. Cyber planning and strategy

• Federal agency cyber plans are required to implement zero trust architecture to comply with Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.”
• For state and local agencies, plans are required to receive grants via the Infrastructure Investment and Jobs Act.
• More regular cyber assessments are needed to understand current maturity and high-risk security gaps.

2. Cyber supply chain risk management (C-SCRM)

• New requirements for stronger C-SCRM for the federal government will be required through the Federal Acquisition Supply Chain Security Act and EO 13873.
• There is a lack of C-SCRM programs and resources to manage and mitigate supply chain risk and no proactive measures.
• Supply chain exploitation will continue to rise and be a major source of cyber attacks.

3. Cloud security

• Most agencies have not implemented cloud security controls to protect access, credentials, data and continuous safe operations.
• Federal, state and local agencies are at varying stages of cloud adoption

4. Identity and access management (IAM)

• Digital user IAM strategy, governance and transformation are required to comply with EO 14028. 
• Federal agencies have legacy IAM infrastructure that cannot keep pace with migration to cloud platforms and a fluid network perimeter.

5. Cyber operational technology (OT)

• Current OT used by state governments is vulnerable and poses risk to residents.
• Agencies that leverage OT do not have appropriate governance structure and lack integration with enterprise security.

6. Risk management framework (RMF)

• A large number of federal agencies have accumulated layers of redundant, ineffective and misaligned risk management controls that rarely address cyber risks sufficiently.
• Federal agency chief information security officers and chief privacy officers are revisiting RMFs following the National Institute of Standards and Technology (NIST) 2020 update to its flagship risk management guidance (i.e., SP 800-53 Revision 5).

7. Ransomware readiness and resilience (R3)

• A large number of agencies don’t have playbooks to respond to ransomware systematically to limit mission and financial impact.
• Overreliance exists on cyber insurance as the primary means to protect against ransomware. 
• Lack of basic cyber hygiene causes most ransomware attacks.