Cybersecurity has steadily crept up the agenda of governments across the globe. This has led to initiatives designed to address cybersecurity issues that threaten individuals and organizations.
“Government-led cybersecurity initiatives are critical to addressing cybersecurity issues such as destructive attacks, massive data breaches, poor security posture, and attacks on critical infrastructure,” Steve Turner, security and risk analyst at Forrester, tells CSO. “These initiatives provide consistent guidance on how organizations and consumers can protect themselves, provide services to companies that don’t have the knowledge or monetary means to protect themselves, legislative levers that can be utilized, means of taking offensive actions against nation state adversaries, and most of all investigation of significant cyber incidents paired with critical information sharing during or after those incidents.”
Here are some of the most notable cybersecurity initiatives introduced by governments around the world in 2021:
US Department of Defense publishes Cybersecurity Maturity Model Certification
In January, the US Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC), a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. The CMMC reviews and combines various cybersecurity standards and best practices, mapping controls and processes across several maturity levels that range from basic to advanced cyber hygiene.
“For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats,” reads the Office of the Under Secretary of Defense for Acquisition & Sustainment website. “The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.” The CMMC is designed to be cost-effective and affordable for all organizations, with authorized and accredited CMMC third parties conducting assessments and issuing CMMC certificates to DIB companies at the appropriate level.
For Tom Brennan, CIO at Mandelbaum Barrett P.C. and US chairman of CREST, the CMMC is perhaps the most important government cybersecurity initiative of 2021 in the US. “For a long time, the DoD has told DIB contractors that they have to comply with NIST standards, but there has been zero accreditation, enforcement, or audit associated with this particular control, and it has failed miserably,” he tells CSO. The CMMC is so important because it involves legal assessments to test that government contractors are doing what they say they are from a security standpoint, and if they fail to meet CMMC requirements, they will lose their contracts, he says.
“If you’re going to be looking for new DoD contracts, those contracts will clearly state a company must be CMMC level 1, 2, 3, 4, or 5 compliant (depending on the level of maturity needed for the project) prior to undertaking new contracts.” The CMMC is also becoming of greater interest to the cybersecurity industry because a lot of audit firms and service providers realize this is a cash cow, Brennan says.
Spanish government commits €450 million to cybersecurity industry, opens Hacker Academy
In April, Spain’s state secretary for digitalization and artificial intelligence, Carme Artigas, revealed that the Spanish government would invest more than €450 million over a three-year period to boost the country’s cybersecurity sector. Artigas also announced the opening of an online Hacker Academy for Spanish residents aged 14 and over to train and attract talent. The training initiative was developed to run between May 3 and June 25 in an online format, featuring hundreds of participants competing in cybersecurity challenges.
The National Cybersecurity Institute (INCIBE) will oversee a new strategic plan for the cybersecurity spending, addressing three key pillars: boosting the business ecosystem of the sector and attracting talent; strengthening the cybersecurity of individuals, SMEs and professionals; and consolidating Spain as an international cybersecurity hub.
US government announces ambitious cybersecurity executive order
In May, the Biden administration announced a bold cybersecurity executive order to chart a “new course to improve the nation’s cybersecurity and protect federal government networks.” The document came in the wake of significant supply chain attacks on SolarWinds and Microsoft, along with the ransomware attack on Colonial Pipeline.
The executive order is designed to minimize the frequency and impact of such incidents, setting out a series of proposals for bolstering cybersecurity within federal agencies, including:
- Removing barriers to threat information sharing between government and the private sector
- Modernizing and implementing stronger cybersecurity standards in the federal government
- Improving software supply chain security
- Establishing a cybersecurity safety review board
- Improving detection, investigation and remediation capabilities around cybersecurity incidents
“The cybersecurity executive order rapidly requires agencies to modernize their security posture through the introduction of zero trust architecture, enhanced technology procurement, development of a requirement for a software bill of materials (SBOM), movement to the cloud, and so much more,” Turner says. “This is going to have extensive downstream impacts to other countries and organizations since it will force many vendors and companies that do business with the government to have specific security practices in place as well as have specific data on hand that other organizations will be able to tap into.”
Australian government introduces Critical Infrastructure Uplift Program
In May, the Australian government introduced the Critical Infrastructure Uplift Program (CI-UP) to identify and resolve vulnerabilities in critical infrastructure, helping providers raise their cybersecurity maturity by evaluating their existing security program and implementing recommended risk mitigation strategies. The modular cybersecurity program is open to critical infrastructure entities that are partners of the Australian Cyber Security Centre (ACSC) and is designed to:
- Evaluate cybersecurity maturity of critical infrastructure and systems of national significance using a combination of the Cyber Security Capability and Maturity Model (C2M2) and Essential 8 maturity models
- Deliver prioritized vulnerability and risk mitigation strategies
- Assist partners to implement the recommended risk mitigation strategies
“With the rise in attacks on critical infrastructure such as electrical grids and pipelines, this is such a critical service to helping rapidly increase the security posture of these entities,” says Turner.