In the first of four blogs regarding GuidePoint Security’s guidance for how Federal Agencies can best respond to the President’s EO, we focused on what steps to take to prepare to respond to reporting to DHS/OMB in 90 days. This second blog is about how to boost an agency’s compliance and risk scoring for the report within the short 90 day window.

Here are five product types (not OEMs) that should be a quick hit for government agencies to deploy and show value in security posture before issuing their NIST report to DHS/OMB in 90 days. By quick hit, it is meant that these solutions are the quickest to deploy and show value in security posture. As would be expected, the first two are SaaS based, making them easiest to deploy and to get up and running.

  • IDaaS for SSO/MFA deployment (SaaS based)
  • CASB (SaaS based) -Threat Intelligence Management platform
  • Privileged Access Management
  • Vulnerability prioritization

These solutions are not about highest value in security posture, although some of them do significantly move an agency’s security posture. The point is meeting the compliance standards of NIST for the 90 day reporting deadline.

IDaaS (Protect, Detect)

IDaaS adds identity access functionality, most importantly, Single-SignOn (SSO) and Multi-Factor Authentication (MFA). Adding a cloud based solution to an organization’s infrastructure is usually a quick deployment saving time and providing value.

SSO eliminates outliers for authentication. This can come in the form of cloud (SaaS and IaaS/PaaS) and legacy applications. Typically, cloud solutions like ServiceNow, AWS, and SalesForce are not well integrated with on-prem IdAM core functionality. This leaves gaps in password management and logging and alerting on activity users have with these sanctioned applications.

Okta “Multi-Factor setup for IDaaS SSO”

In addition, most large enterprises like government agencies have legacy applications that require a second username and password after core IdAM login like Active Directory (AD). Similar to cloud applications, these legacy applications lack integration with core IdAM leaving gaps in password management and logging as well. By bringing these legacy applications into a SSO implementation for password management and logging, better security for these applications can be maintained.

Finally, and probably most importantly, IDaaS allows for easy to use MFA typically using smart phone codes or push notifications. We have seen these types of solutions implemented in days, rather than weeks or months from legacy token based MFA solutions. This type of MFA also offers a much lower Total Cost of Ownership (TCO) both being less to buy and maintain.

CASB (Protect, Detect, Respond)

Cloud Access Security Brokers (CASB) are hot and for good reason. The main three functions that a CASB can add to an agencies security infrastructure are centralized sanctioned cloud policy management, significantly improved sanctioned cloud logging and un-sanctioned cloud visibility. There are many more functions that a CASB can add, however these three are easy to deploy, get working, and show value.

Again, a significant feature here is SaaS deployment that significantly improves deployment speed and simplicity. In a matter of days or weeks, a government agency can show cloud policy lockdown, cloud activity logging to their SIEM and a significant improvement in locking down un-sanctioned or ShadowIT activity.

SkyHigh Networks “Cloud security posture status main console”

The only way for an organization to understand the impact a CASB has on sanctioned cloud usage such as O365, ServiceNow, SalesForce, AWS, etc. is for them to see it themselves.

Threat Intelligence Management Platform (Detect, Respond)

A threat intelligence management platform correlates, dedups and distributes threat intelligence throughout the security infrastructure. A quality threat platform will integrate with core products like Splunk, LogRythm, and Qradar as well as nearly every type of security product from network, end point, analytics and more.

Anomali “Threat Intelligence Management Platform example”

Built in integration with already purchased licenses for threat intelligence and ingestion from SIEMs, these products allow for threat intelligence to be enriched by each other’s information and ensure that the entire security infrastructure stays informed of the latest threat and attacker information. This can significantly boost an agency’s scoring in the NIST framework in the Detect category framework and is not very complicated to deploy and get working.

Privilege Access Management (Protect, Detect, Respond)

In the Civilian space, CDM’s award for Privilege Access Management has brought the solution front and center, but roll out is still not moving fast enough to cover enough agencies. Deploying this solution immediately improves an agency’s security posture due to the common theme in most incidents involving administrator access to data.

These solutions take away direct access to administrator credentials and make privileged users “check-out” administrative credentials for daily use. This prevents user account compromise from directly giving adversary access and also adds a logging mechanism for administrative activities. This can significantly prevent, delay or provide an early warning for an attack in progress.

Vulnerability Prioritization and Risk Scoring (Identify, Protect, Detect, Respond)

In the first blog about the President’s EO, it was mentioned that a Network Vulnerability Management tool could help map vulnerabilities to the network and help risk score the environment. This helps prioritize highly dangerous vulnerabilities and in some cases, reduce the urgency of patching for other vulnerabilities.

In addition, there are other vulnerability risk scoring platforms that can additionally add context to what exploits are actively in use and under attack. Again, the goal is to prioritize the most important vulnerabilities for urgent patching and mitigation. By combining threat intelligence on current attacker activities, this solution can be the difference between patching an exploit on SMBv1 first vs an exploit that is not currently in active use second.

These five solutions may not be the best next step from a pure security architecture, depending on the agencies maturity and current architecture, but any one of them could be deployed inside the 90 day window if a purchase can be fast tracked and an agency can get the product in the door quickly. GuidePoint Security has the ability to augment the services needed to get any one of these solutions up and running. For more information about how to execute any of these solutions as soon as possible, contact GuidePoint Security at

About the author:

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security

With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp and Commvault and SwishData. Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT Managers like Cyber Security, VDI, Big Data, and Backup & Recovery.