Microsoft expands on cybersecurity commitments for U.S. government agencies
Fostering U.S. economic growth and prosperity hinges on our collective ability to create a safer world. Microsoft CEO Satya Nadella recently met with President Biden, cabinet officials, educational institutions, and top executives from some of the largest tech, financial services, insurance, and energy companies to address the critical challenge of cybersecurity. As the White House announced following the meeting, the Administration has called for public and private sectors to share tools and best practices and — together — raise the security posture of the country.
As part of our commitment to enhancing cybersecurity across the U.S., we are detailing a series of actions Microsoft is taking to support federal, state, and local governments, and partnerships we’re forging with federal agencies to share critical information and develop cybersecurity best practices.
Investing in our shared cyber responsibility to modernize, secure, and defend
Microsoft recognizes that the technology sector bears a great responsibility for securing our nation’s critical assets. This is why Microsoft has committed to investing in people and technology to advance the tools, practices, and services Microsoft provides to customers.
As the White House announced, Microsoft will immediately provide $150 million in technical services to help federal, state, and local governments upgrade security protection. This funding extends Microsoft FastTrack program support to help agencies modernize and establish Zero Trust controls that will raise the security baseline for government agencies. Of the $150M, $50M will be invested to provide Federal agencies with modernization assistance to help secure applications and servers by replacing vulnerable legacy infrastructure with cloud infrastructure that is always patched and up to date.
Microsoft’s investments aim to help agencies more quickly and effectively deploy modern applications and infrastructure that incorporate Zero Trust architectures and include additional built-in security capabilities such as Microsoft 365 Defender, Microsoft Information Protection, and Azure Security Center. We are ready now to help government modernize, secure, and defend their digital estate using established best practices and cloud security capabilities based on insights from our own journey toward Zero Trust and decades of experience helping federal agencies.
Collaborating to accelerate technical innovation
To adequately address software supply chain security, we also believe it’s essential to continue to work with the open-source community, in open standards forums, and with widely used platforms to address ecosystem-wide variability and help scale implementation.
At the White House, we reiterated our commitment to working with National Institute of Standards and Technology (NIST) to advance a common and open industry framework for ensuring end-to-end supply chain security, integrity, quality, and provenance. With President Biden’s May 12 Executive Order as a catalyst, Microsoft developed our Supply Chain Integrity Model (SCIM), which enables automated verification of supply chain security policies, artifacts, and evidence for all product types, including software, machine learning datasets, and hardware. To help standardize SCIM, we’ve made information available publicly through NIST and GitHub and engaged with industry partners through the Open Source Security Foundation (OpenSSF) to create ecosystem-wide solutions for supply chain security.
Separately, Microsoft is working with NIST’s National Cybersecurity Center of Excellence (NCCoE) on the Implementing a Zero Trust Architecture Project. This work focuses on developing practical, interoperable approaches to designing and building Zero Trust architectures that align with the tenets and principles documented in NIST SP 800-207, Zero Trust Architecture [1].
Lastly, we are using our existing GitHub and Microsoft Visual Studio capabilities and developer tools for software testing and dependency tracking to enable trustworthy software development practices.
Facilitating more seamless information sharing
No single agency or company can address our nation’s cyber security challenge alone, which is why Microsoft has long been a believer in partnering with agencies to share threat information in the interest of national defense.
Microsoft recently agreed to become an Alliance Partner in the new Joint Cyber Defense Collaborative (JCDC) established by Cybersecurity & Infrastructure Security Agency (CISA) to promote resilience and strengthen cyber defense. We’re also taking several further steps to help defend our nation’s cybersecurity, providing federal agencies targeted or compromised by a nation-state actor with notifications and enhanced reporting to CISA from our Digital Security Unit.
Addressing the skills gap through training and resources
Our nation is facing a cybersecurity talent crisis with nearly 500,000 unfilled cybersecurity jobs today. Microsoft committed at the White House to expand partnerships with community colleges and non-profits for cybersecurity training to help the workforce keep pace with in-demand skills.
We are also dedicated to providing agencies actionable insights and tools to accelerate modernization and help cyber professionals stay ahead of sophisticated adversaries. Microsoft has launched a free repository of educational resources to address the critical cybersecurity shortage and gaps. There, agencies can access government-specific training, Learning Paths, workshops, certifications, and reference architectures like our Zero Trust Scenario Architectures mapped to NIST standards[2].
Doing our part in a whole-of-nation effort
The steps detailed above for government agencies are part of a broader commitment to establish cybersecurity at the heart of everything we do. This includes investing $20 billion over the next five years to accelerate improved cybersecurity outcomes for all of our customers by integrating cybersecurity by design and delivering advanced security solutions. We believe that close collaboration with industry and government is essential to helping modernize and secure the critical assets upon which the American people rely. For more information on Microsoft’s commitments and additional resources on how to increase cyber resilience, visit our Cyber EO resource center.
[1] – Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero trust architecture (NIST Special Publication 800-207). National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
[2] – Microsoft. (2021). Executive order on improving the nation’s cybersecurity: Reference architectures for common Zero Trust scenarios. Microsoft Security. https://raw.githubusercontent.com/microsoft/MSUS-Security-Research/cyber-eo/Federal%20Zero%20Trust%20Scenarios.pdf
