Page 47 - FCW, May/June 2020

SEWP Contract Guide
to use it instead of an agency’s more secure Wi-Fi network. The subsequent loss of visibility could present an opportunity for hackers to launch man-in-the-middle or Denial of Service attacks, to find users’ locations or to hijack devices in order to steal services or data.
A different approach
Defeating increasingly sophisticated threats to security requires a proactive posture and a Zero-Trust approach in which an agency’s systems assume that no person or technology is trustworthy until it has been vetted.
“Zero Trust is not a device or specific product, but rather an approach to cybersecurity,” explains Michael Cappiello, senior federal inside solution architect at CDW·G. “The concept is that all users and devices should be validated constantly, even those already within the network perimeter.”
In today’s environment, the critical issue is visibility. Endpoints such as desktops, laptops, smartphones and tablets can connect to workloads in the cloud from almost anywhere. As such, it is more critical than ever to always know what is connecting to your network. Newer technologies, such as next-generation endpoint detection and response (EDR), can improve visibility and take action once malware has infiltrated endpoint protection. Not only can these solutions detect connected endpoints, they are also intelligent enough to understand what is normal and detect anomalies.
These technologies provide agencies with more control, as well. An old-style firewall may be able to see traffic coming in from an IP address, for example, but newer firewalls can determine the type of data contained within that traffic. Advanced solutions have more granular controls that allow agencies to specify what users can view and what should be prevented from entering the environment.
The variety of security solutions available to improve cyberdefenses can be overwhelming, and getting those products to work well together can be challenging. The key is understanding the current security posture, the desired improvement and a strategy for making it happen.
One way to acquire security products and services is through a proven federal contract vehicle like SEWP that encompasses every aspect of security, from security assessments to next-generation threat prevention tools to technical support. SEWP carefully vets its contract holders, providing assurance to agencies that they are working with security professionals who understand the federal technology market.
The vast array of cybersecurity tools available through the SEWP contract, CDW·G and proven vendors — along with installation services, technical support and extended service agreements — makes it possible for agencies to keep pace with changing security challenges.
FCW | CUSTOM REPORT
Changing Requirements
A growing array of security-related regulations is designed to help agencies protect their data and IT infrastructure effectively. Complying with the dozens of regulations for strengthening cyber readiness, managing access, securing data in transit, and preventing and delaying attackers can nonetheless be challenging. In addition to requirements and regulations from individual agencies, there are government-wide directives, including:
National Cyber Strategy: This 2018 directive advises agencies on the importance of securing federal networks, centralizing management and oversight, managing risk, aligning risk management and IT activities, securing critical infrastructure and modernizing electronic surveillance.
Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, issued in 2017, requires agencies to improve incident communication and coordination, explore new technology to reduce cyber risk, and enhance the resilience of the internet and communications against botnets and other automated, distributed threats.
NIST Cybersecurity Framework: Adoption of the NIST Cybersecurity Framework is optional yet highly encouraged. The framework’s five functions (Identify, Protect, Detect, Respond and Recover) include recommendations on standards, guidelines and practices.
CMMC: Aimed solely at Defense agencies, this standard will help agencies measure their current security positions and outline steps needed to advance to the next level. “As a longtime security practitioner, I think it’s a big step, because it will give them a path forward to raising their overall security posture,” says Steve Thamasett of CDW·G. “It will allow them to tend to the forest as opposed to focusing on individual trees, which is the way things have traditionally been done.”