ATARC Publishes Cybersecurity Posture Guidance for State & Local Agencies

The Advanced Technology Academic Research Center (ATARC) published its intermediate level document providing guidance to state and local agencies using the Cybersecurity & Infrastructure Security Agency (CISA) Zero Trust Architecture (ZTA) model as a foundation. This document is a must-read for all state and local agencies, particularly those who are interested in pursuing any of the $1 billion in federal cybersecurity grant money over the next few years. Grant submissions get approved by CISA and using their ZTA guidance will certainly strengthen those packages.

The ATARC paper discusses the benefits of ZTA, which is a driving factor across the US government today. Across the five pillars of CISA’s ZTA model (Identity, Devices, Networks, Applications and Workloads, and Data) are three capabilities: Visibility and Analytics, Automation and Orchestration, and Governance. As the paper indicates, governance drives the needs for full visibility and application programming interfaces (APIs) were specifically addressed: “Strong API security should provide visibility to enable CISOs to identify their data sets and the movement of data as well as known and unknown APIs active in their ecosystems.” ¹

Without visibility into your APIs, how can you truly address the Applications and Workloads pillar? And can you really protect your data? As we’ve seen recently, APIs present vulnerabilities that hardware alone cannot address (see our blog on the MOVEit attack which leveraged APIs). Targeted attacks against US government agencies and critical infrastructure will continue. State and local agencies are certainly not immune from this activity though. They are often targeted as either an end goal or as a means to gain access to other agencies.

Regardless of the variety of hardware, software, datasets, etc. found throughout agencies across the country, the common denominator for communications are APIs. One of the most cost-effective means to improve network security is by adding dedicated API security. The Noname platform is the only hardened virtual appliance specifically designed to support government agencies. It provides the visibility and documentation needed for a strong governance program, it uses machine learning to continuously monitor networks for anomalous behavior (identifying issues like MOVEit before they become problematic), it provides guidance to mitigate issues easing the burden on limited personnel resources, and it helps build security into APIs before they go into production.

The recent MOVEit attack and last year’s Spring4Shell vulnerability highlight the security shortfalls that hardware alone present. These attacks will not go away any time soon. Do you want to be that agency who realizes months or years later that the enemy has been inside the gates? Or do you want to have a program to help you identify issues early? The federal cybersecurity grant money can certainly be used to help enhance your API security in alignment with CISA guidance. We’re here to help and will do everything we can to protect your environment.

¹ ATARC report p5