The U.S. government has invested billions into strengthening America’s cyber defenses, committing enormous resources to improving security within critical infrastructure and federal networks. The need to safeguard and secure national assets and data comes at a time when the world has seen increased sophistication and precision in cyber-attacks and the channels used to deploy them. Our nation’s networks face growing threats that continue to evolve, generating more awareness and scrutiny on the policies and products used to protect them.
Real-time analytics have allowed businesses and governments to pivot and respond to internal and external issues at lightning speed, enabling faster, more efficient decision-making and nimbler business processes. The advantages are enormous, but behind the scenes lies a rising threat.
This new dynamic way of business relies heavily not only on sensitive data but also on the continuity of the systems that enable its operation. Protection of this digital ecosystem has never been more critical. Cyber-attacks and malicious users have become increasingly difficult to deter, spurring the creation of an entire industry of products and services to combat the issue. Unfortunately, breaches continue to pose a significant risk to our nation, despite those efforts.
According to the Identity Theft Resource Center (ITRC), 2020 saw a total of 1,108 publicly reported U.S. data breaches [1] in both the private and public sector. The U.S. government has experienced firsthand the effects of compromised systems, having been susceptible to many forms of attack over the years. The table below illustrates noteworthy exposures within the past three years affecting the U.S. federal, state, local, and education (SLED) sectors:
The attacks from 2020 alone have impacted over 300 million people, but the true concern is not only the sheer number of breaches, but also the change in the behavior and nature of the attacks themselves. Data from 2020 indicates that cyber criminals increased ransomware, phishing, and supply chain attacks, in many cases targeting corporations and government entities rather than individuals, enabling malicious actors to get more bang for their buck. Like many of the years before it, 2020 attacks spanned all industries and categories, including the military, federal government, state and local government, education, IoT, banking/credit/financial, and medical/healthcare sectors. Verizon issued its annual Data Breach Investigations Report [2] and noted the following 2020 statistics:
- Public Sector: Experienced 346 separate breaches and 6,843 incidents
- Education: Experienced 228 separate breaches and 819 incidents
- Finance: Experienced 448 separate breaches and 1,509 incidents
- Healthcare: Experienced 521 separate breaches and 798 incidents
- Utilities: Experienced 26 separate breaches and 148 incidents
Though it is difficult to determine the full extent of the damage caused by these incidents, there is no question 2020 upped the cyber threat ante, particularly for U.S. government targets. We still may not truly understand the impact such a surge has and will continue to have on our nation’s security.
These breaches demonstrate that attacks are not solely perpetrated by lone hackers hiding behind a shrouded computer screen – more and more frequently, such attacks are carried out by far scarier and more threatening players: nation states. As the global marketplace for information technology (IT) products expands, cyber espionage has become a more pressing and prevalent threat.
Company and government end users are tasked with purchasing solutions to help fortify their organization’s security posture. Unfortunately, these solutions are not always as locked down and secure as assumed. The proverbial trojan horse hiding in source code presents a significant threat to the security of sensitive data and can have wide-ranging effects, not only on a single system but sometimes on an entire interconnected network.
GOVERNMENT REACTION & IMPACT
To address these growing threats, the U.S. government has implemented a variety of policies and mandates to help mitigate cyber and supply chain risk. Many of the products used to protect our critical infrastructure must now undergo rigorous security hardening and testing prior to government purchase and deployment. These mandated reviews come in the form of security certifications, which require stringent third-party assessment of security claims, features, and source code. While agencies cannot assume that all certified products are guaranteed safe, these certifications provide end users with a high degree of confidence in product security and dependability.
The U.S. federal government relies heavily on three specific certifications to ensure IT products meet security requirements: Federal Information Processing Standard (FIPS) 140, Common Criteria, and the Department of Defense Information Network Approved Products List (DoDIN APL). Depending on your product, your customer, the security requirements within your industry, and the environment in which your product will operate, one or all of these certifications could apply. Many of these certifications have interdependencies, so understanding the process and requirements to successfully achieve them is paramount. Devising a sound security certification strategy is essential to working with the U.S. and international governments.
The Federal Information Processing Standard 140 is a U.S. and Canadian co-sponsored security standard for IT hardware, software, and firmware solutions that utilize cryptographic functions. In U.S. government procurement, every solution that uses cryptography in a security system that processes sensitive but unclassified information must complete a FIPS 140 validation.
Thirty-one member countries have mutually agreed to recognize the Common Criteria as a set of guidelines that define a framework for evaluating the security features and capabilities of IT security products. The U.S. government mandates Common Criteria certification of security products for federal purchases.
The Department of Defense Information Network Approved Products List (DoDIN APL) was created to identify solutions that have been tested and trusted to address government security concerns within the DoD. It is the Department’s master list of products available for purchase that are secure, trusted, and approved for deployment within the DoD’s technology infrastructure.
THE FUTURE-PROOF APPROACH FOR FEDERAL, STATE, LOCAL & EDUCATION
The market for validated products continues to grow, not just across the United States, but globally. In 2020 alone, 196 products received a new FIPS 140 validation, 396 products received a new Common Criteria certification, and 55 products were newly listed on the DoDIN APL.
Though many agencies within the federal government require FIPS 140 validation, Common Criteria certification, and listing on the DoDIN APL before purchase, other public sector entities are often left without such clear-cut guidance. How can they make smart and safe choices for their IT environment?
Certain non-federal organizations need the most stringent security validation for IT products; public utilities operating sensitive industrial control or supervisory control and data acquisition (SCADA) systems are one example. Other state, local, and education institutions may not require the same level of pre-purchase testing as, say, the Department of Defense. However, as cyberattacks against the public sector skyrocket, all organizations benefit from choosing products validated by tried and trusted review processes.
Public sector institutions searching for a benchmark on how to protect their data and networks need look no further than the methods and metrics already defined at the federal level.
Taken together, the meticulous evaluations for FIPS, Common Criteria, and DoDIN APL cover a wide range of cybersecurity specifications, from cryptography and security management to privacy and much more. Solutions that have already met the high bar for such procurement are the easy choice for implementation at the state and local level.
Though important, certifications are only the starting point for safeguarding U.S. public sector networks and data. In addition to purchasing validated products, organizations of all shapes and sizes should track and limit the number of outbound connections that the software in their environments must make to outside services. Adopting a zero-connectivity approach, wherever possible and practical, is the most surefire way to identify and prevent malicious compromise.
ACRONIS SCS & CORSEC ARE HERE TO HELP
Acronis SCS has solutions ready to help organizations adopt this future-proof approach. Its hardened backup software is FIPS 140-2 validated, Common Criteria certified under both agent and server profiles, and available as the only full disk image backup and disaster recovery point solution on the DoDIN APL. Acronis SCS partnered with Corsec to navigate these complex, years-long validation processes, which required the software to undergo rigorous testing and review by government and trusted third-party labs.
Looking beyond its certifications, Acronis SCS Cyber Backup 12.5 Hardened Edition was purpose-built to meet the unique security and usability needs of sensitive government and utility air-gapped, ‘no internet’ networks. With those sensitive environments in mind, the hardened software never makes outbound connections over the internet back to a home server.
This unique zero-connectivity design, in contrast to subscription-based software options, eliminates the risk of exploitation by software supply chain vulnerabilities or backdoors by empowering IT administrators with actionable, real-time threat detection. If an attempt at outside communication does occur, for example, an IT administrator knows immediately that something is amiss. That type of certainty is invaluable when sensitive government information and operations – whether at the federal, state, local, or education level – hang in the balance.
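The detection value of a zero-connectivity policy described above can be made concrete with a small egress audit. The following is an added example, not Acronis SCS or Corsec code: it reads constructed firewall log lines for a backup server that is supposed to make no outbound connections, and flags every destination outside the site's own prefixes, treating an allowed egress as a policy gap and a blocked attempt as a host that is behaving unexpectedly. The log format and the site prefixes are assumptions for the example.

```python
"""Flag any outbound connection from a host that is supposed to be zero-connectivity.
Constructed example: the log format and site prefixes below are assumed, not any
vendor's."""
import ipaddress
from typing import NamedTuple

# Constructed firewall log lines for an air-gapped backup server (IPv4 only).
# Fields: timestamp host verdict src:port -> dst:port proto
SAMPLE_LOG = """\
2021-03-01T10:00:01Z backup01 ALLOW 10.20.0.5:49152 -> 10.20.0.9:445 tcp
2021-03-01T10:00:07Z backup01 ALLOW 10.20.0.5:49153 -> 10.20.1.20:3260 tcp
2021-03-01T10:03:15Z backup01 DENY 10.20.0.5:49160 -> 203.0.113.7:443 tcp
2021-03-01T10:03:16Z backup01 DENY 10.20.0.5:49161 -> 203.0.113.7:443 tcp
2021-03-01T10:04:02Z backup01 ALLOW 10.20.0.5:49170 -> 198.51.100.9:443 tcp
2021-03-01T10:05:40Z backup01 ALLOW 10.20.0.5:5353 -> 224.0.0.251:5353 udp
"""

# Assumed site addressing: the backup enclave, loopback and local multicast.
# Anything else is "outside" under a zero-connectivity policy.
SITE_PREFIXES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "127.0.0.0/8", "224.0.0.0/4")]

class Finding(NamedTuple):
    ts: str
    host: str
    dst: str
    severity: str  # "critical": egress succeeded; "high": attempted but blocked
    reason: str

def is_internal(addr: str) -> bool:
    """True when the destination address lies inside one of the site prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SITE_PREFIXES)

def audit_egress(log_text: str) -> list[Finding]:
    """Return one Finding per connection that leaves the site. Under a
    zero-connectivity policy every such connection is a signal, whether or
    not the perimeter firewall happened to block it."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, verdict, _src, _arrow, dst, _proto = line.split()
        dst_ip = dst.rsplit(":", 1)[0]  # strip the port (IPv4 only in this example)
        if is_internal(dst_ip):
            continue
        if verdict == "ALLOW":
            sev, why = "critical", "egress to external address succeeded (policy gap)"
        else:
            sev, why = "high", "egress to external address attempted but blocked"
        findings.append(Finding(ts, host, dst, sev, why))
    return findings

if __name__ == "__main__":
    for f in audit_egress(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.host} -> {f.dst}: {f.reason}")
```

On the constructed log this reports the two blocked attempts to 203.0.113.7 as high and the allowed connection to 198.51.100.9 as critical, while the SMB, iSCSI and mDNS traffic inside the enclave is ignored.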
As U.S. public sector organizations contend with more frequent and sophisticated cyber threats, Acronis SCS is here to help keep mission critical assets and data safe from compromise or downtime. Corsec, for its part, stands ready to assist vendors across the IT sector as they pursue the certifications required to better serve their customers.
ABOUT CORSEC SECURITY, INC.
For over two decades Corsec has assisted companies through the IT security certification process for FIPS 140-2 / FIPS 140-3, Common Criteria (CC) and the DoDIN APL. We are a privately owned company focused on partnering with organizations worldwide to assist with the process of security certifications and validations. Our certification methodology helps open doors to new markets and increase revenue for clients with products ranging from mobile phones to satellites. Our broad knowledge safeguards against common pitfalls and thwarts delays, translating to a swift and seamless path to certification. Corsec has created the benchmark for providing business leaders with fast, flexible access to industry knowledge on security certifications and validations.
ABOUT ACRONIS SCS
Acronis SCS is an American cyber protection and edge data security company exclusively dedicated to meeting the unique requirements of the US public sector. Our innovative and comprehensive cyber protection, backup and disaster recovery, anti-ransomware, and enterprise file sync and share software solutions ensure operational assurance and data security across America’s federal, state, and local government, education, healthcare, and nonprofit computing environments.