A Wake-Up Call for Federal Agencies: Why Executive Order M-21-31 Demands Urgent Action

By: Howard Levenson, Principal Data Advisor, August Schell


The August 2023 deadline is quickly approaching, and meeting the mandates of M-21-31 will take more than simply handing them over to your IT guy or even the IT team. The reason why might not surprise you, but it should concern you.


M-21-31's overarching scope is so significant and intertwined with an agency's network that adding a new application, or two, won't cut it. Not only will it take a variety of cooperating tools, but more importantly, it takes a level of integration expertise you won't commonly find in-house, and here's why.


The Office of Management and Budget (OMB) issued M-21-31 as guidance to meet the President’s Executive Order on Improving the Nation’s Cybersecurity, which was released in the Spring of 2021. As a building block, it is imperative to get it right. By looking at the scope of M-21-31, it is easy to see that an agency's infrastructure should be migrating to a data-centric model, given the range of its scope:


  • Developing a Zero Trust Architecture
  • Acquiring multi-factor authentication and encryption for data
  • Implementing an Endpoint Detection and Response solution
  • Implementing a secure cloud environment from FedRAMP
  • Establishing a comprehensive, centralized logging and analysis system
  • Sharing cyber threat information with the Cybersecurity and Infrastructure Security Agency (CISA) and other federal entities


All of the requirements, individually, are achievable, but these aren't individual requirements. Instead, they are part of an overhaul that will impact virtually every aspect of your agency's network. Agencies will struggle with the scale and scope of the collection and retention requirements, which are the real challenges of the mandate. What solves the pressing M-21-31 dilemma isn't a tool, service, or point solution. The only solution is a comprehensive plan executed by forward-leaning integrators.


These boutique and experienced integrators are unburdened by the current IT workload at your agency and have the broad expertise to provide a roadmap to M-21-31 compliance immediately. In this effort, they will first need to conduct a gap analysis. This process includes an assessment of your recent cybersecurity data logging and analysis capabilities to identify any gaps or deficiencies in your current systems and processes. The assessment would include a review of your current cybersecurity policies, procedures, and technologies and an assessment of your cybersecurity risk posture.


This analysis provides the data points needed to begin prioritizing requirements. At this stage, integrators would develop a comprehensive proposal that outlines the steps needed to address the identified gaps and deficiencies in your cybersecurity data logging and analysis capabilities. In addition, the proposal would include a detailed implementation plan, including timelines, milestones, and resource requirements.


Any good leader knows that an essential aspect of developing a plan is engaging stakeholders. Therefore, the integrators would engage your agency’s key stakeholders, including senior leadership, IT personnel, and other relevant stakeholders, in developing the proposal. This type of collaborative engagement ensures the proposal is aligned with the agency's mission, goals, and priorities.


Any plan of this complexity may seem perfect at the time of its creation, but to ensure success, it is essential to refine and iterate the plan based on stakeholder feedback and evaluation of the agency's cybersecurity data logging and analysis capabilities. The one thing all plans have in common is that, at some point, something in real life won't follow what you had anticipated. A well-developed plan has enough flexibility to account for the unexpected.


With a comprehensive plan in place, an integrator can also navigate an agency through the minefield of application overload. An experienced integrator can find a collection of software applications and platforms that will perfectly marry with your current infrastructure and each other. A function of the integrator is to provide the agency with recommendations for the expected software needs. At a minimum, an agency can expect to acquire the following tools:


  1. SIEM Tool
  2. Data Analytics and Visualization Software
  3. Threat Intelligence Platform
  4. Vulnerability Scanning Software
  5. Incident Response and Management
  6. Compliance Management Software
  7. Cloud Security Software, Including IAM


Which ones do we need? At what stage are they implemented? Are they compatible with my network's configuration? These questions and a mountain of others need to be answered by August. If these answers aren’t already part of your organization's vocabulary, then it's probably time to bite the M-21-31 bullet and call in the experienced professionals. It’s not too late, yet.