The document outlines seven essential cybersecurity hygiene steps for government organizations following the White House's Cyber National Action Plan, emphasizing the need for stronger identification methods, system patching, and employee education. It highlights the importance of data classification, encryption, and incident response simulations to protect sensitive information. Ultimately, these strategies form part of a broader commitment to enhancing cybersecurity across the public sector.

1. 7 Steps to
Basic Cybersecurity
Hygiene for Government

2. 1 THE INSIDER’S GUIDE TO CYBERSECURITY FOR GOVERNMENT
Recently, the White House announced the
Cyber National Action Plan (CNAP), a $19
billion commitment to enhance cybersecurity
awareness and protections throughout the
public sector.
To reflect this urgent shift towards more secure
government information and systems, there
are a number of basic hygiene strategies that
government organizations can employ now.
These seven steps are a starting point
to enabling strong cyber hygiene and
up-to-date cybersecurity practices for
the entire organization.

3. Understanding what data needs to be
protected allows your organization to plan
for stronger security measures and access
controls for certain types of information.
This is part of a larger data security
strategy that outlines tiered access and
manages user rights as well. Proper data
classification determines the criticality
of data sets and helps to align proper
processes for handling.
Identify critical dataSTEP 01

4. President Obama’s recent CNAP
announcements emphasized the need
to shift away from vulnerable cybersecurity
basics like passwords towards more secure
forms of identification such as multi-factor
authentication.
Today, new methods are being developed
to leverage more flexible derived credentials.
In these new models, asymmetric key
pairs—rather than string comparisons, like
passwords—are used, and hardware can
secure key material even further.STEP 02
Emphasize multi-factor,
strong identification

5. Patching critical systems and maintaining
their health is vital to protecting agency
information, as newer patched systems
are more secure. And, whenever possible,
agencies should move toward more
standardized and automated processes
to decrease the time necessary to
manage incidents.
STEP 03
Patch systems and
automated processes

6. The right security policies can go a long
way to keeping data safe. Establishing
information rights management rules and
data loss protection procedures are two
basic hygiene measures that are critical for
government agencies. In addition, agency
data should be fundamentally segmented
from employees’ personal information to
prevent vulnerability and leaks.
Prevent data leakageSTEP 04

7. Part of preventing leaks requires instructing
employees on the best practices to follow
when working in email, on social media, or
with outside systems. Often, employees (at
all levels) in the public sector don’t recognize
that they’re potentially compromising
sensitive information with un-hygienic cyber
behavior, so it’s important to emphasize this
throughout all levels of the organization.
An educated workforce is a core part of
the CNAP initiatives, and $62 million will
be dedicated to help attract cybersecurity
talent to the public sector.
STEP 05 Teach good hygiene
at all levels

8. Sensitive information and certificates
need to be protected at all times. Secure
transport protocols such as IPsec and
SSL/TLS can be enabled between devices,
VPNs, virtual machines and datacenters.
Government organizations can encrypt
keys with the high-level protection of
compliant hardware security modules.
For data at rest, FIPS 140-2–compliant
AES 256 symmetric SQL transparent data
encryption and other options are available,
depending on organizational needs.
STEP 06
Encrypt data at rest
and in motion

9. Simulating a breach when there
are significant changes to the IT
environment means you’ll discover where
you need stronger defenses and where
your organization is well protected from
attackers. As a part of CNAP, the Obama
administration will draw up a new Cyber
Incident Response Framework by spring
2016 to change the way government
agencies respond to cyber incidents.
Employing trustworthy technology
and mandatory software development
is a critical step towards ensuring your
organization’s security technology
evolves as cyber technology does.
STEP 07
Perform real world
breach simulations

10. These steps are just the beginning of
best practices cybersecurity that keep
government agencies secure. There
are more considerations beyond basic
hygiene that need to be considered,
including compliance.
How does your agency measure up?
Read The Insider’s Guide to Cybersecurity
for Government to find out.
http://aka.ms/govcybersecurityguide
Get the eBook
The Insider's Guide to
Cybersecurity
For Government

11. All rights reserved. This document is for informational purposes only. MICROSOFT
MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. This document
is provided “as-is.” Information and views expressed in this document, including URL
and other Internet website references, may change without notice.
This document does not provide you with any legal rights to any intellectual property
in any Microsoft product. You may copy and use this document for your internal,
reference purposes. ©2016 Microsoft Corporation.
microsoft.com