5 Keys to Improving Federal Agency IT & Cybersecurity

A Booz Allen team recently gathered in Dallas, Texas, for the Department of Energy’s (DOE) CyberCon Conference. The event included insightful discussion on the special IT and cybersecurity challenges facing large “federated” agencies with distinct bureaus, each with their own mission-specific environments, procedures, and technologies, all technically part of one organization.

Addressing these challenges starts with understanding the mission or missions at stake. This perspective can inform a holistic approach to enhancing, upgrading, and securing various systems. Agencies also need plans to equip the workforce with the necessary tools and technology to implement solutions quickly and securely.

Based on our CyberCon panel sessions, here are five key considerations for federated agencies aiming to improve IT operations and reduce redundancy, while also strengthening their cybersecurity posture at the enterprise level. 

Zero trust is a cybersecurity strategy designed to counter the threats of today and tomorrow. Implementing zero trust isn’t just a technical shift. It’s a cultural shift, too. It entails setting up a comprehensive infrastructure to safeguard and enhance mission-critical operations.

A zero trust architecture (ZTA) is a security model based on three core principles:

• Never trust, always verify
• Implement a least-privilege access policy
• Assume a breach mindset

In this model, access to resources is constantly evaluated regardless of a user’s location or network status. Zero trust can strengthen protection for resources, enable more stable cybersecurity investments, and accelerate mission outcomes. First, however, you need a foundational infrastructure designed to enforce unwavering security measures consistently and effectively.

For example, implementing strong identity and access management is essential. Systems need to be integrated with existing infrastructure to manage authorization and authentication effectively. Deployed infrastructure must be adaptable enough to continuously support and enforce ZTA principles. Zero trust solutions should be designed, hardened, and accredited to resist current and future threats.

Legacy systems and diverse IT environments pose daunting challenges for ZTA implementation. Even so, security teams can build greater awareness across agency environments. Four core architecture components can help you modernize your visibility and analytics capabilities on the path to a ZTA:

• Utilizing a data broker - There are billions of logs coming from hundreds to thousands of sensors across the organization’s infrastructure that need to be ingested into one or more analytic environments (e.g., security information and event management, or SIEM big data platforms) or automation tools (e.g., security orchestration, automation, and response, or SOAR). Data brokers efficiently move data from sensors to platforms using either a “publish-subscribe” model or “content-based routing” model. This prevents the need to send duplicate data from the sensors (i.e., producers) to multiple consumers.

• Real-time analytics - Many organizations search cybersecurity logs for threats using a SIEM, but few first apply real-time analytics to prepare log data for queries. Without this crucial step—data normalization and enrichment—they miss opportunities to reduce costs and redundancy in data processing. Logs from different vendors often hold similar information in different formats—and in that case, each needs its own logic for assessing the data. This is why all SIEMs can transform logs into a common format. The trouble is SIEMs are better at consuming data than they are at sharing it with other platforms. And you must pay for the SIEM to process all the sensor data to make it usable, even if it is better suited for other platforms. Moving the normalization outside of the SIEM to a real-time analytics platform puts the data into a common schema, allowing artificial intelligence and machine learning (AI/ML) or other analysis techniques to run once across all logs as they move through the data analytics pipeline, regardless of their original format. Using the “data broker,” this normalized and enriched data can be easily delivered to multiple platforms for consumption.
• Historical analytics - Not all threats can be identified via real-time analytics. For example, trend analysis is typically assessed over time to understand how a given user typically interacts with an environment. This type of analysis cannot be conducted by real-time analytics platforms but should be placed downstream from the normalization and real-time analytics. Placing it downstream reduces duplicative processing and provides similar context to the data as what SIEM analysts view. Historical analytic platforms should feed results back into the SIEM as that is what most analysts are familiar with.

• Distributive analytics - Most organizations are distributed in their application hosting and user interaction, making them a multi-hybrid cloud environment. Sensor data from these on-the-premises and multi-cloud environments needs to be consumed by the organization's analytic environments. The problem is all cloud service providers are happy to allow free ingest of consumer data, but as you try to send this data out of the environment it can become very costly. We highly suggest architecting a distributed analytic environment. There are multiple vendors that allow for local processing, and a centralized result-driven approach where analyst and operators don’t need to access multiple environments.

Federated agencies like DOE face unique challenges and requirements, especially in relation to data. Creating a data framework supports data quality and security across diverse operations by setting standardized protocols and practices for data management. The functions of data management include stewardship, development of data standards, and security and privacy compliance.

In addition to setting common data standards, formats, and definitions, data frameworks create consistency in how data is collected, stored, and interpreted across federated agencies. This standardization enables agencies to establish and maintain effective data systems that provide comprehensive awareness of data, operational needs, and advanced insights. Data frameworks make it easier to integrate and compare data from different sources, which supports interoperability. When agencies develop uniform data standards it makes it easier to understand and use shared data effectively. This, in turn, supports data adoption and scalability across the enterprise.

Understanding what data is important for federal agencies is crucial for aligning emerging technologies to mission outcomes. Knowing which data is essential allows agencies to focus technology efforts on areas that directly impact their strategic goals and operational needs. This understanding supports tech implementation that delivers maximum value for the mission.

When agencies identify and prioritize key data they can tailor the use of emerging technologies to process and analyze the data effectively. This alignment enhances actionable insights and supports decision making specific to mission outcomes and achieving broader mission goals.

The mission stack should be treated, in thought and in practice, as paramount to the tech stack, with the former serving as a guide to the latter. This arrangement puts mission first and ensures that technology aligns to an agency’s strategic goals and operational needs.

Using a mission-stack-first approach, agencies can make certain that technology is deployed to address specific challenges and enhance key functions rather than just chasing the latest tech trends. The tools and technologies that comprise the tech stack are important of course, but they are better considered as secondary to the broader goals of the mission. Focusing solely on the tech stack can lead to technologies being applied in ways that do not align to mission outcomes, resulting in inefficiencies and missed opportunities.

By prioritizing these considerations, agencies can ensure their technology investments are purposefully designed to enhance operational efficiency, support innovation, and address the unique challenges and priorities of the agency and its mission.