Just over a year after President Joe Biden signed an executive order (EO) aiming to address outdated security models and software supply-chain security, there has been a “renewed focus” on collaborative efforts around securing federal networks, said government officials during a subcommittee hearing this week.
However, federal agencies continue to grapple with overarching challenges in attracting top cyber workforce talent and building up the resources needed to respond to threats, government officials pointed out. At the same time, several lawmakers expressed concerns about agencies meeting the many deadlines set by the EO for implementing various security measures.
“Our nation is at a turning point in cybersecurity, and the executive order helped us make that turn and took important steps toward driving the change we need to see. But we have a tremendous amount of work we still have to do,” said Eric Goldstein, executive assistant director for cybersecurity with the Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday. “There’s more work to do on security and IT modernization across the entire civilian federal branch.”
Government officials agreed that the EO represented a call to action and has since spurred many collaborative efforts. These efforts have centered on making systems more secure by implementing a zero trust model, with “key accelerants” coming in the form of CISA’s zero trust maturity model, a roadmap for agencies to reference as they transition toward a zero trust architecture, and the Office of Management and Budget’s (OMB) national zero trust strategy, which gave federal agencies a firm deadline to implement a zero trust strategy along with various other security measures.
Another top priority has been the implementation of endpoint detection and response (EDR) capabilities across federal civilian executive branch networks, which was one of the security gaps that the U.S. government specifically tried to address on the heels of the SolarWinds attack. Goldstein pointed to the expansion of EDR and CISA’s Continuous Diagnostics and Mitigation (CDM) program as a way for the agency to gain “extraordinary centralized visibility into threats and risks in federal agencies.” The cornerstone of the CDM program has been the rollout of a dashboard that displays data about devices, users, privileges and vulnerabilities, which has been leveraged by 65 agencies so far.
While CISA has only provided EDR capabilities to 15 agencies so far, Goldstein said that currently the agency is in the process of deployment across 26 agencies and they “expect to be underway” at 53 agencies within a few months.
“Not even a year and a half into the executive order, we will have EDR deployments in place underway at over half of the federal government, with more to come,” he said. “The work needs to continue.”
Christopher DeRusha, deputy national cyber director for federal cybersecurity at the Office of the National Cyber Director, and federal chief information security officer for the OMB, said that the EO has attempted to tackle both “root-cause issues” that will take longer to solve, like contract clauses, in addition to significant efforts for security measures with more immediate impact, like multi-factor authentication (MFA) and encryption.
“We picked these measures as the highest measures of priority, in terms of [applying metrics to] them, having engagements with not just CIOs and CISOs, but senior agency leaderships, meeting with deputy secretaries, tracking progress and learning about barriers to success,” said DeRusha.
Despite progress, several lawmakers inquired about the abilities of agencies to meet deadlines set by the EO. Rep. Ritchie Torres (D-N.Y.) inquired about the number of agencies that had implemented MFA, citing a commitment by CISA that all civilian agencies would have the security measure in place by March. Goldstein, for his part, didn’t give a specific number of agencies that had implemented MFA, but said “every agency with the capacity to deploy MFA and encryption has done so in almost all cases.”
Agencies also still face resource constraints and are dealing with incident response teams overwhelmed by ransomware, business email compromise and other attacks. Goldstein said that these challenges stem from capacity and awareness issues, which the U.S. government can work through with funding and resources.
“One of the ways we need to achieve that goal of making sure we have the capacity to respond and recover, is in part by meeting the national cyber workforce challenge,” said Goldstein. “The more that we can train individuals at municipal governments, and at small and medium businesses, to have some ability to do initial analysis and triage, and then help organizations understand the steps they should take in the minutes after an attack occurs, that can have real consequences.”
The General Services Administration (GSA), for instance, has started implementing a zero trust strategy. However, David Shive, chief information officer with the GSA, stressed that the adoption of the EO’s tenets stems from investing “tons of time and energy in attracting top-notch talent.”
“Agencies should make sure cybersecurity is baked into every business plan that is developed,” said Shive. “Make sure you’re attracting top-notch talent. Make sure deep and meaningful partnerships are in place to gain the value of the larger defense communication. The last thing is, just get started.”
Moving forward, lawmakers and government officials agreed that the EO has represented a significant prioritization of cybersecurity and a marked change from past efforts where “government focus has shifted after the headlines fade.”
“Fortunately, over the past year and a half, we have seen a renewed focus in Congress and the Executive Branch on taking the necessary steps to bring our Federal network security to where it must be,” said Yvette Clarke (D-N.Y.), chairwoman of the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee.