- Government’s cybersecurity
- Federal agencies
- Laws and standards
- Employment in the federal gov
- Related resources
- Frequently asked questions
The headlines in early 2025 have served as a stark reminder: the U.S. government remains a prime target in the digital domain.
Recent incidents, such as the breaches at the Treasury Department and the compromise of telecommunications providers, paint a clear picture of the sophisticated and persistent cyber threats facing federal agencies.
This article will dissect these key incidents and explore the overarching cybersecurity trends shaping the government’s defensive strategies in a high-stakes digital environment.
Imagine the potential fallout: classified intelligence falling into the wrong hands, critical infrastructure grinding to a halt, or sensitive citizen data being compromised.
These are not imagined threats; they are the genuine dangers embedded within our digital interactions.
The U.S. government, a treasure trove of valuable data and a critical engine of national operations, is a prime target for a diverse range of adversaries. These include:
- Nation-State Actors: Sophisticated and well-funded groups backed by foreign governments, often seeking to steal classified information, disrupt operations, or conduct espionage.
- Cybercriminal Organizations: Financially motivated groups aiming to extort the government through ransomware attacks or steal sensitive data for profit.
- Hacktivists: Individuals or groups driven by political or ideological motives, seeking to disrupt government activities or leak information.
- Insider Threats: Individuals within government agencies, whether intentionally malicious or unintentionally negligent, who can compromise security.
US federal government’s cybersecurity
Disasters notwithstanding, it would be unfair to say that the federal government has been taking no action to combat cyber threats. The struggles the US faces in cyber are not for a lack of trying.
The difficulty seems to be one of speed and agility. The government can only move so quickly. The bad guys, in contrast, can pivot very rapidly from one threat vector to another.
Indeed, the US federal government employs thousands of people in cybersecurity roles across multiple departments, the military, and the intelligence sector. These highly trained professionals are motivated and sworn to defend the United States against all enemies. They are working to mitigate the massive cyber risks this society faces.
Government entities, standards bodies, and private companies are involved in the effort. There are laws and policies similarly aimed at reducing cyber risk. The following presents some of the highlights.
Federal agencies
The federal government works on cyber defense across a variety of agencies. The National Security Agency (NSA) is among the most prominent and the least well understood. It defends national security systems and works to intercept foreign cyberattacks while also running offensive cyber programs against adversaries.
The NSA has been criticized for keeping vulnerabilities secret so that it can use them against foreign targets, leaving American systems exposed in the meantime. The interagency process for deciding whether a government-discovered flaw is disclosed or retained is the Vulnerabilities Equities Process.
That practice is starting to change. In January 2020, for example, the agency made headlines by reporting to Microsoft a flaw in the Windows 10 CryptoAPI certificate validation code (CVE-2020-0601), which let an attacker forge certificates that would validate as if issued by a trusted authority, rather than holding the bug back for its own use.
The disclosure also triggered CISA Emergency Directive 20-02, in which the Cybersecurity and Infrastructure Security Agency ordered federal agencies to patch the flaw on an accelerated timeline. It is a good example of how federal cyber defense can work when everyone is doing their job.
CISA, which is part of the Department of Homeland Security (DHS), functions as the nation's civilian cyber defense agency and main cyber risk advisor. It focuses primarily on securing federal civilian networks and digital critical infrastructure, such as power plants and dams, but CISA also finds itself in the lead on many other national cybersecurity efforts.
CISA is a young agency, created in November 2018 by the Cybersecurity and Infrastructure Security Agency Act of 2018, which President Trump signed. It carries forward several predecessor organizations, most notably DHS's National Protection and Programs Directorate (NPPD), which was already operating inside DHS.
CISA does not work alone. It has many partners across the government as well as in private industry and the non-profit sector.
The agency works closely with industry groups that coordinate security and policy in the electrical power sector, nuclear plants, chemical plants, and so forth. These include the North American Electric Reliability Corporation (NERC), whose Critical Infrastructure Protection standards (NERC CIP) form the core of the mandatory controls that protect the North American bulk electric system.
CISA divisions include the National Risk Management Center (NRMC), a planning, analysis, and collaboration center for identifying and addressing critical infrastructure risks. CISA also runs the Emergency Communications Division and the United States Computer Emergency Readiness Team (US-CERT), which responds to cyber incidents.
One CISA program that draws praise from industry experts is Continuous Diagnostics and Mitigation (CDM). CDM, which was commissioned by Congress, offers a dynamic approach to fortifying the cybersecurity of government networks and systems. It gives federal departments and agencies the capabilities and tools to run automated, ongoing assessments of what is on the network, who is on the network, what is happening on the network, and how data is protected.
CISA is just one agency. Under the Federal Information Security Management Act of 2002 (FISMA), updated by the Federal Information Security Modernization Act of 2014, each agency head is responsible for an agency-wide information security program, built on NIST standards, that covers the agency's own systems and the systems that contractors operate on its behalf.
This process can be uneven, as GAO reporting has revealed. Sector-specific laws that address cybersecurity each have their own agency oversight. HIPAA, which covers healthcare privacy and security, is administered by the Department of Health and Human Services (HHS).
The Gramm-Leach-Bliley Act, which covers financial institutions and customer privacy, is enforced by the Federal Trade Commission (FTC) for financial institutions that are not supervised by a banking regulator.
Private corporations receive little direct federal cyber protection. For critical infrastructure operators such as power utilities, CISA provides extensive coordination, threat sharing, and guidance. Companies outside critical infrastructure are essentially self-reliant for cyber defense.
This makes sense because the government cannot possibly protect every American corporation. However, it’s extremely difficult for regular companies to fend off nation-state actors.
The US Cyber Command
The United States Cyber Command (USCYBERCOM) is one of the Department of Defense's (DoD's) eleven unified combatant commands. Its mandate includes strengthening DoD cyberspace capabilities and supporting both defensive and offensive cyber operations.
It was established in 2009 as a sub-unified command under U.S. Strategic Command, co-located with the NSA at Fort Meade and led by the NSA director under the "dual-hat" arrangement, and was elevated to a full unified combatant command in 2018. Its mission statement reads,
“USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.”
USCYBERCOM is not the only entity in the US military working on cyber defense and offense. Each service branch has its own CISO and its own cyber component, for example Army Cyber Command, Fleet Cyber Command/U.S. Tenth Fleet, Sixteenth Air Force, and Marine Corps Forces Cyberspace Command.
USCYBERCOM directs the work of these service components through the Cyber Mission Force teams they provide. Even so, USCYBERCOM is quite small when viewed in the context of the overall US military.
Laws and standards
Several federal laws cover cybersecurity. These include HIPAA and Gramm-Leach-Bliley. The most prominent of them, however, is FISMA, enacted as Title III of the E-Government Act of 2002 (a near-identical version also appeared in the Homeland Security Act of 2002) and substantially updated in 2014.
FISMA "requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security" for government agencies. It also applies to contractors and other organizations that operate information systems on behalf of a federal agency.
Like most federal regulations, FISMA is at once complex, sprawling, and vague. The specific standards used for FISMA are set by the National Institute of Standards and Technology (NIST), with policy direction from the Office of Management and Budget (OMB). The core of the framework is FIPS 199 (categorizing systems by impact), FIPS 200 (minimum security requirements), and NIST SP 800-53 (the control catalog), surrounded by dozens of further NIST publications on data security, encryption, and so forth.
The essence of FISMA is that it binds all federal agencies to the same standard for cybersecurity. It assigns responsibility for cybersecurity to agency heads and provides accountability through system authorizations, annual reporting, and inspector general evaluations and audits.
However, as GAO reporting has shown, individual agencies may not be doing all they can to stay secure. Critics point out that the FISMA methodology emphasizes planning over the measurement of actual security.
Most government security experts feel FISMA has helped the federal government get more secure, but worry that it can risk becoming a checklist rather than a driver of serious security improvement. Observers have also noted that these laws do not cover companies that are critical to the Internet, such as Internet Service Providers, software makers, and so forth.
As progress is made in some areas, other parts of the government are lagging. For example, the Office of Personnel Management (OPM) has still not fully addressed the cybersecurity weaknesses that led to the 2015 breach of its personnel records. A 2019 audit found "material weaknesses" in the agency's information systems control environment.
For example, as reported in Federal News Network, the Inspector General reported that “OPM didn’t have a system in place to identify and generate a complete and accurate listing of contractors and their employment status. Additionally, the IG found OPM didn’t appropriately provision and de-provision users’ access to the network based on their work status.”
These are exactly the kinds of control breakdowns that let attackers get into a network and stay there: an enabled account that nobody owns, or that outlives the employment of the person who used it, is a credential waiting to be taken over.
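The check the inspector general found missing is easy to state and worth automating: every enabled account should map to a person whose status in the system of record is still active, and accounts of separated people and expired contracts should be disabled. The following is an added example, not code from the original article or from OPM, that reconciles a constructed personnel roster against a constructed directory export; the field names and the sample records are assumptions, not any agency's real schema or data.

```python
"""Reconcile an authoritative personnel roster against directory accounts.

Added example (not from the original article or from OPM).  ROSTER stands in
for the HR/contractor system of record, DIRECTORY for an export of accounts
from the directory service; both are constructed sample data and the field
names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed roster: who is allowed on the network, and until when.
ROSTER = [
    {"user": "alice", "type": "employee",   "status": "active",    "end_date": None},
    {"user": "bob",   "type": "contractor", "status": "active",    "end_date": "2025-09-30"},
    {"user": "carol", "type": "contractor", "status": "separated", "end_date": "2025-01-15"},
    {"user": "dave",  "type": "employee",   "status": "active",    "end_date": None},
    {"user": "frank", "type": "contractor", "status": "active",    "end_date": "2025-02-28"},
]

# Constructed directory export: what the network actually allows today.
DIRECTORY = [
    {"user": "alice",      "enabled": True,  "last_logon": "2025-03-10"},
    {"user": "bob",        "enabled": True,  "last_logon": "2025-03-11"},
    {"user": "carol",      "enabled": True,  "last_logon": "2025-02-20"},  # separated, still enabled
    {"user": "dave",       "enabled": True,  "last_logon": "2024-06-01"},  # active but dormant
    {"user": "frank",      "enabled": True,  "last_logon": "2025-03-09"},  # contract ended, still enabled
    {"user": "svc-legacy", "enabled": True,  "last_logon": "2025-03-01"},  # nobody on the roster owns it
    {"user": "erin",       "enabled": False, "last_logon": "2024-12-01"},  # already disabled
]

@dataclass(frozen=True)
class Finding:
    user: str
    issue: str    # separated_but_enabled | contract_expired | orphan_account | dormant_account
    detail: str

def reconcile(roster, directory, today, dormant_days=90):
    """Return one Finding per enabled account that disagrees with the roster."""
    by_user = {r["user"]: r for r in roster}
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue                      # disabled accounts are already where we want them
        name = acct["user"]
        person = by_user.get(name)
        if person is None:                # incomplete roster or unowned account: either is a problem
            findings.append(Finding(name, "orphan_account", "enabled account with no roster entry"))
            continue
        if person["status"] != "active":
            findings.append(Finding(name, "separated_but_enabled", f"status={person['status']}"))
            continue
        end = person["end_date"]
        if end is not None and date.fromisoformat(end) < today:
            findings.append(Finding(name, "contract_expired", f"end_date={end}"))
            continue
        last_logon = date.fromisoformat(acct["last_logon"])
        if today - last_logon > timedelta(days=dormant_days):
            findings.append(Finding(name, "dormant_account", f"last_logon={acct['last_logon']}"))
    return findings

# Issues that justify disabling the account immediately; dormancy goes to the owner for review.
DISABLE_NOW = {"separated_but_enabled", "contract_expired", "orphan_account"}

def accounts_to_disable(findings):
    return sorted(f.user for f in findings if f.issue in DISABLE_NOW)

SAMPLE_DAY = date(2025, 3, 15)   # assumed "today" for the constructed data

def run_sample():
    return reconcile(ROSTER, DIRECTORY, SAMPLE_DAY)

if __name__ == "__main__":
    findings = run_sample()
    for f in findings:
        print(f"{f.issue:22} {f.user:12} {f.detail}")
    print("disable now:", accounts_to_disable(findings))
```

The orphan check is what catches the "incomplete listing of contractors" problem: a contractor who is on the network but missing from the roster shows up as an account nobody can vouch for. Running this daily against a real directory export, and feeding the disable list back to the directory, is the de-provisioning control the audit describes.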
Threat sharing
The government and private industry have gotten a lot better at sharing threat intelligence in recent years. There are now many Information Sharing and Analysis Centers (ISACs) across the US, organized by sector.
ISACs are in the business of sharing relevant threat information with interested parties. For instance, if a company in the financial sector discovers a piece of malware, it can share the malware's "signature" (identifying characteristics such as file hashes, domains, and IP addresses) with ISACs in the electrical power sector and elsewhere. Today that exchange is usually machine-readable, typically STIX indicator objects delivered over TAXII, so that recipients can apply the indicators to their own telemetry automatically. This sharing enables better protection all around.
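What a recipient does with a shared indicator is the part the paragraph leaves implicit: parse the indicator, map it onto a field in local logs, and look for matches. The following added example, which is not code from the original article or from any ISAC, parses the single-comparison form of a STIX 2.1 pattern and runs the resulting matchers over constructed proxy and file-event log lines. The indicator objects, their placeholder ids, the log format, and the log lines are all constructed assumptions; the hash is the SHA-256 of the string "test", not a real malware hash.

```python
"""Match ISAC-shared STIX 2.1 indicators against local log lines.

Added example (not from the original article or any ISAC).  INDICATORS and
LOG_LINES are constructed sample data; the ids are placeholders rather than
real UUIDs, and the 'ts kind k=v ...' log format is an assumption.
"""
import re
from dataclasses import dataclass

INDICATORS = [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--a1", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--a2", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'update-check.example']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--a3", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    # Compound pattern: beyond what this parser handles, so it must be reported, not silently dropped.
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--a4", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.8' OR ipv4-addr:value = '203.0.113.9']"},
]

LOG_LINES = [
    "2025-03-10T12:00:01Z proxy src=10.0.0.5 dst=198.51.100.2 host=intranet.example",
    "2025-03-10T12:00:02Z proxy src=10.0.0.5 dst=203.0.113.7 host=UPDATE-CHECK.example",
    "2025-03-10T12:00:05Z file endpoint=ws-17 path=C:\\Users\\a\\Downloads\\x.exe "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2025-03-10T12:00:09Z file endpoint=ws-18 path=C:\\Users\\b\\report.pdf "
    "sha256=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
]

# Which field of our (assumed) log format each STIX object type/property observes.
FIELD_MAP = {
    ("file", "hashes.SHA-256"): "sha256",
    ("domain-name", "value"): "host",
    ("ipv4-addr", "value"): "dst",
}

# One comparison of the form [object:property = 'value']; anything else is unsupported here.
_SIMPLE = re.compile(r"^\[(?P<obj>[a-z0-9-]+):(?P<prop>[^\s=]+)\s*=\s*'(?P<val>[^']*)'\]$")

@dataclass(frozen=True)
class Matcher:
    indicator_id: str
    field: str
    value: str          # lower-cased so hashes and hostnames compare case-insensitively

@dataclass(frozen=True)
class Hit:
    indicator_id: str
    field: str
    line: str

def load_matchers(indicators):
    """Return (matchers, unsupported_ids); unsupported patterns are reported, never ignored."""
    matchers, unsupported = [], []
    for ind in indicators:
        m = _SIMPLE.match(ind["pattern"]) if ind.get("pattern_type") == "stix" else None
        field = FIELD_MAP.get((m["obj"], m["prop"].replace("'", ""))) if m else None
        if field is None:
            unsupported.append(ind["id"])
            continue
        matchers.append(Matcher(ind["id"], field, m["val"].lower()))
    return matchers, unsupported

def parse_line(line):
    """Split 'ts kind k=v k=v ...' into a dict, lower-casing values for comparison."""
    ts, kind, rest = line.split(" ", 2)
    fields = {k: v.lower() for k, v in re.findall(r"(\w+)=(\S+)", rest)}
    fields.update(ts=ts, kind=kind)
    return fields

def match_indicators(indicators, lines):
    matchers, _ = load_matchers(indicators)
    hits = []
    for line in lines:
        event = parse_line(line)
        for m in matchers:
            if event.get(m.field) == m.value:
                hits.append(Hit(m.indicator_id, m.field, line))
    return hits

if __name__ == "__main__":
    _, unsupported = load_matchers(INDICATORS)
    print("unsupported patterns:", unsupported)
    for h in match_indicators(INDICATORS, LOG_LINES):
        print(h.indicator_id, h.field, "->", h.line)
```

Two details matter in practice. Comparisons are normalized to lower case because hashes and hostnames arrive in whatever case the sender's tooling used, and a case-sensitive match silently misses real hits. Indicators whose pattern the consumer cannot express are returned as unsupported rather than dropped, so an analyst knows which shared intelligence is not actually being applied; full STIX patterning (boolean operators, observation windows, wildcards) needs a real pattern engine rather than this regex.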
Cybersecurity employment in the federal government
The US federal government either does not know or will not disclose how many of its employees work in cybersecurity.
The number is surely in the tens of thousands and may run higher; the federal government is probably the world's largest single employer of cybersecurity personnel.
Each federal agency has its own internal security team. Agencies like CISA, the NSA, and the FBI have dedicated cybersecurity personnel, and many of the jobs require security clearances.
Each branch of the military has its own substantial cyber operations, spanning intelligence and offensive and defensive cyber warfare. With the recent push for increased cybersecurity action and regulation, it is a good time to be preparing for a cybersecurity career with the federal government.
Case Study: Chinese Hackers Breach U.S. Treasury Network
In December 2024, a major cybersecurity breach attributed to Chinese state-sponsored hackers compromised the U.S. Treasury Department's network.
The attackers got in through a third-party cybersecurity vendor, BeyondTrust. According to Treasury's letter to Congress, the threat actor obtained a key that BeyondTrust used to secure a cloud-based service for providing remote technical support to Treasury Departmental Offices, and used it to bypass the service's security and remotely access some Treasury workstations and unclassified documents. During its investigation BeyondTrust also disclosed two command-injection vulnerabilities in its Remote Support and Privileged Remote Access products (CVE-2024-12356 and CVE-2024-12686), both later added to CISA's Known Exploited Vulnerabilities catalog.
Investigations were still ongoing at the time of writing, but initial reports pointed to Chinese state-sponsored actors, with some naming the "Salt Typhoon" group, the actor behind the telecommunications compromises mentioned above.
Impact
- Data Breach: Over 3,000 unclassified files were accessed by the attackers, potentially containing sensitive information related to government operations and financial data.
- Compromise of CFIUS Information: Access to CFIUS systems is particularly concerning due to the sensitive nature of information handled by this committee, which reviews foreign investments for national security risks.
- Erosion of Trust in Third-Party Vendors: The incident has raised serious questions about the security of the government’s supply chain and its reliance on third-party software providers.
- Potential for Further Exploitation: While CISA has stated that there is no indication of wider impact on other federal agencies, the incident highlights the potential for lateral movement and further compromise in interconnected government systems.
Conclusion
The 2024 cybersecurity breach at the U.S. Treasury serves as a stark reminder of the persistent and evolving threats facing government agencies.
The incident highlights the vulnerabilities introduced by reliance on third-party vendors and the critical need for a proactive and multi-layered security approach.
As the government continues to navigate the complex digital landscape, strengthening supply chain security, accelerating the adoption of Zero Trust architectures, and investing in robust detection and response capabilities will be crucial to safeguarding national security and maintaining public trust.
The lessons learned from this incident will undoubtedly shape future cybersecurity strategies and policies within the U.S. federal government.
Frequently asked questions
In today’s digital age, the federal government manages vast amounts of sensitive data, from personal citizen information to national security details. Ensuring the protection of this data is paramount. Cybersecurity in the federal government is not just about data protection; it’s about safeguarding national security, public trust, and the seamless operation of critical infrastructures.
The federal government adopts a multi-layered approach to cybersecurity. This includes setting stringent standards, regular audits, continuous monitoring, and employing advanced threat detection tools. Collaboration with the private sector and international partners also plays a crucial role in strengthening the digital defenses.
The federal government grapples with evolving cyber threats, legacy systems, budget constraints, and the need for skilled cybersecurity professionals. Additionally, coordinating cybersecurity efforts across various agencies and ensuring compliance can be challenging.
The government collaborates with international partners, the private sector, and cybersecurity research institutions. They also invest in threat intelligence platforms and participate in cybersecurity drills and simulations to stay ahead of potential threats.
The future will see a more integrated approach to cybersecurity, with AI and machine learning playing a pivotal role in threat detection. The federal government also focuses on building a robust cybersecurity workforce and fostering innovation through research grants and collaborations.
Sources
- Gramm-Leach-Bliley Act | Sourced from Federal Trade Commission in Apr 2025
- Cyberattacks USA 2025 | Sourced from KonBriefing in Apr 2025
- Significant Cyber Incidents | Sourced from CSIS.org in Apr 2025
- Chinese hackers breach US Treasury network | Sourced from The Guardian in Apr 2025