What’s Next for Government Security, Compliance [Commentary] As 2017 approaches, organizations and businesses may look back at 2016 as the most defining year to date for cybersecurity and countermeasures. The growing number of threats to organizations include vulnerabilities from social media, emerging internet of things (IoT) issues and enhanced compliance requirements. Mobile is being surpassed as a descriptive media as more offensive attacks focus on the application weaknesses like the recent Dyn attacks that shut down Twitter, among other sites. There is no such thing as ‘impenetrable defense’ no matter how “compliant” an organization may be in using cybersecurity best practices. Recent regulatory requirements coming out of the government indicate that system and information cybersecurity and appropriate controls and countermeasures are high priorities. For many contractors, especially small and mid-sized businesses, the FAR and DFARS requirements for controlled unclassified information (CUI) will be top-of-mind in 2017; however, depending on the complexity of enterprise missions, this should already be underway. The CUI compliance standard, National Institute of Standards and Technology Special Publication 800-171, Rev. 1, is now a crucial priority for many federal contractors desiring to be competitive in the acquisition and performance process. IoT in the spotlight In 2016, internet of things applications and business processes focused on more extensive demonstrations such as hacking into cars, thermostats and other consumer devices and expounding on the need for security at the homefront. Unforeseen vulnerabilities to the existing network infrastructure may be more in the engineered design than the application of IoT. Thinking about IoT and the countermeasures also pushes individual organizations and government agencies to review and think about systems engineering. NIST SP 800-160 will likely come to greater emphasis as the application of IT gains momentum. One of the challenges with securing IoT devices is that, by default, they are open and communicate with a broad and interconnected ecosystem. While convenient for users and apt to offer new productivity and revenue gains, IoT requires new thinking across the enterprise in order to be comprehensive and in light of CUI compliance required with the transaction reporting and communication of devices — and resulting information — on the network and stored within the systems. What we will likely see in 2017 are significant advances in decentralized IoT security focused on gateways in the “fog” of the environment. It is also likely emerging best practices in how IoT is operationalized and managed from an enterprise perspective will be complicated by advances in the use of IoT gathered data in marketing. Secondary impacts in 2017 on IoT will likely be from associated business technology changes such as artificial intelligence and subsequent automated decisions along with blockchain piloting in new financial and administrative processes. Blockchain removes intermediaries and impacts security in new ways, affecting information flow. CUI compliance under a looming deadline While there are many mandates that have driven governmentwide changes in the federal marketplace, the most notable mandates to watch are the federal acquisition requirements (FAR) and defense federal acquisition regulations (DFARS) compliance requirements related to CUI and Controlled Technical Information (CTI). CUI compliance is mandated by December 2017 or within 90 days of a contract award. CUI provides a standardized approach through 14 security control families of raising the overall cybersecurity practices of federal contractors. This proactive approach of mandating standardized CUI protections implemented through acquisition regulations creates both an opportunity and challenge for all parties. The information supply chain risks and the burden of execution on government contractors, federal prime and subcontractors should not be underestimated. CEOs should look to adopt malleable strategies to address the tensions of competing priorities and limited resources. Although many companies have delayed addressing CUI until early 2017, the numerous basic and derived requirements make compliance on a constrained deadline a riskier proposition. Calendar year 2017 will likely see CUI and cybersecurity improvements across all federal contractors — some proactive, some reactive. However, compliance before the established deadline will likely be a huge measure of reporting by corporate boards and government CIOs as information protections are mapped and measured. Does cyber insurance help? Without a doubt, cyber insurance will grow in availability, complexity and cost as the demand for an “add-on” risk-mitigation strategy will peak in 2017. However, as insurance companies seek to decrease their potential losses, it is likely insurance carriers will begin to delve further into the policy, procedure and vetting processes both before the application process and after any incident of record. As a result, many CEOs will need to rethink their due diligence strategies as cyber insurance may not be enough to mitigate the company’s liabilities in case of a security incident in which no supporting evidence of best practice exists. Insurance companies may also be expected to make businesses that are non-compliant with known cyber practices and standards pay higher premiums or even deny them coverage. The new year takeaway Undoubtedly, 2017 will be a terrific year for cloud solutions, cybersecurity practices and engineering as the implementation of newer technologies require thoughtful planning for systems-of-systems and the countermeasures required for incident response and demanded by due diligence and compliance. Discussions and concerns related to data privacy and personally identifiable information (PII) take a bit of a back seat as we focus on new transaction capabilities — everywhere except with our global partner, Europe. Organizations should begin to incorporate and retain experienced outside expertise in the areas of legal affairs, PR and compliance or security audits to help as a countermeasure to breaches, threats, and potential liabilities of compliance. In many ways, ad hoc or monthly retainer experts will be more effective and less costly for many small- and medium-sized businesses. Maria Horton founded EmeSec in 2003 after retiring from two decades as a Navy officer, where she rose to the rank of commander. Her last assignment was CIO for Bethesda Naval Hospital, now known as Walter Reed. As a hands-on cybersecurity expert, she grew EmeSec to become a leading provider of cloud security and engineering services for the government and private sectors and a third-party assessment organization under the FedRAMP program.