Working in the United States Federal Government, especially in Cybersecurity, can be very challenging for people unfamiliar with the various acronyms and terms frequently used in the space.
These acronyms and terms are used because many Federal Agencies have long program or mandate titles. For example, the acronym HIPAA stands for Health Insurance Portability and Accountability Act.
To assist people interested in pursuing a Cybersecurity career in the Federal Government, CIAT.Edu has several blogs that can help with many of the Federal Government’s Cybersecurity acronyms and Data Analytics terms.
CIAT.Edu also offers multiple programs that can prepare students for Cybersecurity or Data Analytics careers in the Federal Government.
This article helps highlight the most common Federal Cybersecurity terms, privacy mandates, and architectures all students should know before applying to any Federal Government position.
What are the Key Cybersecurity Terms in the Federal Space?
Everyone studying Computer Science, Data Analytics, and Cybersecurity should become familiar with the critical terms widely used within the Federal Government. These terms and acronyms are often used in reports, budget meetings, and in dealing with external and internal cyber threats.
These terms include:
- Risk: Risk is the potential for harm to, or loss of, data, personal, or government materials.
- Asset and Informational Assets: Assets or Informational Assets are high-priority physical or logical systems within the Federal Government.
- Threats: Threats are considered events or expected actions by adversaries against U.S. Government personnel, resources, assets, and materials.
- Threat Sources: Threat sources are the expected or unsuspected adversaries behind the threat.
- Vulnerability: A vulnerability is a potentially exploitable personal or material system within the U.S. Government. Vulnerabilities follow CVE scoring to determine their risk level before they are exploited.
- Controls: Controls refer to a physical, logical, or cyber-related control for protection, monitoring, and response to a threat, vulnerability, or intrusion.
- Likelihood: Likelihood is a critical first step in the risk scenario workflow (Asset-Threat-Vulnerability), and the likelihood score is based on the expected impact of the event.
Under the Defense Federal Acquisition Regulation Supplement (DFARS), additional vital terms all students should know include:
- Compromise: Defined as possible information theft or data exposure from unauthorized personnel.
- Cyber Incident: Defined as an actual threat executed with technology, not humans, resulting in the exploitation of a system or data exfiltration.
- Covered Defense Information: Refers to a data classification based on sending data to third-parties, including a defense contractor or approved foreign country.
These binding terms are often referenced with the Federal Government’s pillar strategy provided by the U.S. Department of Defense (DoD) and various security analysts who define risks. These pillars establish mandates and frameworks to protect the multiple data and network systems with a unified approach.
What are the 4 Pillars of Cybersecurity in the Federal Government?
Secure-by-design principles would be mandated under the proposed rules, using security frameworks developed by the National Institute of Standards and Technology (NIST).
The U.S. Department of Defense often provides specifics to the public about the Four Pillars and how they align with the overall Federal Government National Security Systems protection strategy.
These pillars include:
- Defend Critical Infrastructure specific to SaaS platforms and cloud services (FedRAMP)
- Disrupt cyber terrorism activities through offensive and counter-offensive hacking operations (CHE)
- Compel private industry and technology companies to develop more resilient solutions to protect U.S. Government and private sector data (NIST)
- Invest in programs like the ones offered at CIAT.Edu to help with the job shortage in the Computer Science, Data Analytics, and Cybersecurity fields
Which Department in the Federal Government Handles Cybersecurity Strategy?
The National Cybersecurity Strategy is a multi-layer complex strategy filled with terms defined by the Cybersecurity industry. Below is an outline of the various departments that handle this strategy.
DHS
The Department of Homeland Security and its components promote cybersecurity resilience nationwide, investigate potential cyber threats, and safeguard cybersecurity along with democratic values and principles.
CISA
The Cybersecurity and Infrastructure Security Agency (CISA) has developed a playbook, per the direction of Executive Order 14028, Section 6, to facilitate better plans and responses to cybersecurity incidents and vulnerabilities in Federal Civilian Executive Branch Information Systems.
NIST
The National Institute of Standards and Technology (NIST) falls under the Department of Commerce. This agency creates several technology and cybersecurity standards to unify the Federal Government. It mandated that most Federal Government agencies align with NIST standards.
Several government agencies developed their own security standards and policies. NIST unified the Federal Government with proven industry frameworks, architectures, and procedures to meet regulatory mandates. Non-government organizations also leveraged the NIST framework. Complying with NIST-800-53 also helped these organizations streamline their governance requirements for PCI-DSS, HIPAA, and CCPA.
By understanding the laws and regulations governed by the Federal Government, students will see the critical importance of the various agencies’ frameworks needed to ensure the networks and data stay protected.
What are the Three Main Federal Cybersecurity Laws and Regulations?
The Computer Fraud and Abuse Act (CFAA)
This is the primary statutory law for prosecuting cybercrime, such as hacking and extortionate crimes, like ransomware. It offers criminal and civil penalties, with sentences ranging from 10 to 20 years' imprisonment for aggravated offenses.
The Electronic Communications Protection Act (ECPA)
The ECPA protects communications in transit and storage. The Stored Communications Act (Title II of the ECPA) states that it is a crime to access a facility offering an electronic communications service without authorization or in excess of such authorization. Violations committed on purpose are punishable by up to 10 years in jail.
The Wiretap Act (Title I of the ECPA)
The Wiretap Act also forbids intercepting electronic communication and carries various exceptions for law enforcement, employer-based services, and service providers under some circumstances.
The Economic Espionage Act of 1996, the Defend Trade Secrets Act of 2016, and the Wire Fraud statute impose penalties for unlawfully retrieving private intellectual property or proprietary information from trade secret sources and for economically motivated frauds committed through telephone wire systems.
Knowledge for Today and in the Future
Many Federal departments have overlapping cybersecurity strategies. Some departments created cybersecurity standards and procedures to meet their needs.
With the adoption of NIST-800 as the standard for all Federal departments and agencies to align with, the unification of cybersecurity processes and strategy has become more realistic. Agencies like DHS, CISA, and NIST help define a strategy for the Federal Government and the private sector.
We encourage students looking to join the cybersecurity community supporting the Federal Government to familiarize themselves with terminology frequently used in the space and attend programs at CIAT.Edu to learn the foundation of Computer Science, Cloud Security, and Data Analytics. These domains are used within the Federal Government along with, of course, Cybersecurity.