How the New Federal Cybersecurity Requirements Effect the Private Sector Cloud Compliance Landscape
by Rackspace Technology Staff
There’s a reason why the rise of ransomware attacks has not directly impacted U.S. federal government agencies. The federal government’s cybersecurity requirements are among the strictest in the world.
Until this year, the federal government has required all organizations working with government agencies to meet its extensive cybersecurity guidelines. Many private sector organizations will also be held to the same strict standards — particularly organizations working within the nation’s supply chain.
Last year, cloud security and compliance took on new urgency with the signing of Executive Order (EO) 14028 by President Joe Biden, titled “Improving the Nation’s Cybersecurity.” The executive order was created to support the nation’s cybersecurity posture and protect the critical infrastructure and federal government networks underlying the nation’s economy and way of life.
The mission to strengthen U.S. cybersecurity has reached a critical stage because a weak link in the supply chain can disrupt the nation’s security in several ways. For example, the SolarWinds cyber breach infiltrated several government agencies, including The White House. EO 14028 aims to overcome weak links like this one.
A more robust cybersecurity landscape will benefit individual organizations, their partners and the nation. However, getting there will be a significant challenge for private sector organizations unfamiliar with the territory.
What it Takes to Meet Federal Cybersecurity Requirements
According to EO 14028, "Protecting our nation from malicious cyber actors requires the Federal Government to partner with the private sector. … The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”
EO 14028 establishes a framework for developing and improving the current security protocols and best practices and requires private sector organizations working within the supply chain to meet its security standards. Meeting its standards means meeting thousands of requirements from nearly one dozen cybersecurity regulatory organizations, such as NIST, FedRAMP, HIPPA, DoD, FISMA and HITRUST CSF.
Among the new requirements that software developers in the private sector must adhere to are becoming more transparent about their products and applying more stringent controls. EO 14028 states that the private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the federal government to foster a more secure cyberspace. For example, some of the many requirements of the new executive order are:
- Service providers must share all cyber incidents and threat information impacting government networks.
- Software developers must secure cloud services, implement a zero-trust architecture, and mandate multifactor authentication and encryption deployment within a specific time period.
- Organizations must implement baseline security standards to develop software sold to the government, including providing greater visibility into the software and publicly available security data.
Meeting federal government cybersecurity standards can be a multi-stage, multi-year project costing millions of dollars. To illustrate the complexity involved, completing just one criterion in the FedRAMP requirements — password-based authentication — requires companies to meet the following guidelines:
- Minimum password complexity, character count and case use
- Minimum number of changed characters when creating new passwords
- Cryptographic protection for all stored and transmitted passwords
- Minimum and maximum lifetime password restrictions
- Password reuse restrictions
Rackspace Technology® is Already Federally Compliant
“Rackspace Technology has provided cloud security and compliance for government agencies and companies working with the government for over 20 years,” said Alysia Ford, Product Manager IV, Government Services – US. “We have helped agencies and organizations meet the federal government’s rigorous guidelines and solve real-world security challenges. Now public companies can leverage our long-standing government-approved capabilities to develop their federally approved cybersecurity and compliance program — saving years of work and significantly lowering the cost.”
“Rackspace Technology is one of the leading cloud security and compliance providers with federally approved credentials,” said Jeffrey Tehovnik, Product Engineer, Government Solutions. “For example, we have achieved and maintained FedRAMP Moderate level and JAB authorization for over six years, including 17 agency authorizations. Only 255 other cloud solutions are FedRAMP authorized, and only 197 are authorized at the FedRAMP Moderate level. Also, 20 U.S. federal government agencies have reviewed our cybersecurity platform services and authorized them for government use.”
Currently, Rackspace Technology supports over 40 customers in the government supply chain, delivering high security and compliant environments.
Among the federally approved cloud security and compliance capabilities that Rackspace Government Solutions can provide private sector organizations to help them become federally compliant with EO 14028 are:
- Assess the organization’s current state and develop a strategy and roadmap to meet the new directives.
- Transition its own federally approved “inheritable controls” for cybersecurity compliance to the organization.
- Supplement the organization’s cybersecurity team with an elastic team of experts who can provide ongoing support.
Learn more about what it will take for your organization to meet the federal government’s new requirements.