A senior official with the Cybersecurity and Infrastructure Security Agency (CISA) said today the Federal government’s process of modernizing its IT systems to achieve better cybersecurity may be a decades-long process.
Speaking at a virtual June 2 event organized by ATARC, Matt Hartman, CISA’s deputy executive assistant director for cybersecurity, provided a run-down of the major initiatives being undertaken by the agency in response to President Biden’s cybersecurity executive order (EO) issued last month.
Crucial to raising the bar for Federal agency cybersecurity is the process of modernizing IT systems, and the Biden administration has been taking steps to promote that effort by championing the $1 billion cash infusion into the Technology Modernization Fund (TMF) earlier this year, and asking for another $500 million for the fund in the administration’s FY2022 budget proposal.
Several steps – including improving CISA’s ability to threat hunt across Federal networks – are key to improving Federal agency cybersecurity, Hartman said, but none are more so than a large-scale IT modernization effort.
“Our country also needs sustained investment in IT modernization and cybersecurity over many years,” Hartman said. “This is going to be a multi-year, possibly multi-decade process across the 102 agencies in the Federal civilian executive branch to ensure that we have the level of security that American people expect and deserve,” he said.
“There’s no silver bullet or single technology that will secure our systems,” he said, adding, “our approach will require multiple layers of protection, defense, integrated technology and continued investment from Congress.”
“We are ready for the challenge ahead, and we deeply appreciate Congress’ commitment to find the best path forward for sufficient funding to achieve our shared end goal,” Hartman said. “This shared end goal is to ensure that our critical infrastructure – which keeps our global community working through thick and thin – is a hard target for those who would seek to disrupt it – and when it is disrupted that we are able to limit the impact to the functions that we rely upon every day.”
Migration to Secure Cloud, Zero Trust
Elsewhere in his remarks, Hartman touched on the cybersecurity EO’s other major themes for Federal agencies – moving infrastructure to the cloud, and moving toward zero trust security architectures.
“We also need to continue to raise the bar, and make it more difficult and costly for malicious cyber actors to gain access to our networks in the first place,” he said.
“This portion of the order includes moving the Federal government to secure cloud services – some of which we will offer from CISA in close coordination with GSA [General Services Administration] and other partners, as well as taking our collective first steps on the Federal zero trust journey,” Hartman said.
Regarding the zero trust mandate, the CISA official pointed to the agency’s release in recent months of Trusted Internet Connections (TIC) 3.0 guidance and use cases to help Federal civilian agencies in their transition to more modern architectures and services.
“These modernization efforts will not be easy, they will not always be smooth, and they will not be cheap, but the cost of not doing so is simply too high,” Hartman said.
CISA Cyber Program Evolution
Along with changes mandated in the cyber EO, Hartman also explained that CISA “is working to modernize our own flagship cyber programs,” and indicated those efforts incorporate evolving views of the agency’s EINSTEIN perimeter defense system, and its Continuous Diagnostics and Mitigation (CDM) program.
That process, he said, “will accelerate in the coming months in response to new authorities provided in this past year’s NDAA [National Defense Authorization Act], as well as to the execution of our American Rescue Plan Act funding” which delivered an extra $650 million to the agency for use in cybersecurity improvement efforts.
“One example of this,” he said is, “as our network perimeter-based intrusion detection system loses efficacy due largely to a greater reliance on encryption, we plan to counter this by moving our focus from the network perimeter to the endpoint or the host by deploying endpoint detection and response capabilities.”
At the same time, he said CISA “will work with agencies to provide additional detection and response capabilities through our … CDM program.” Improving endpoint detection and response capabilities, Hartman explained, will help CISA improve its ability to conduct threat hunting activities across agency networks.
“Our overarching goal at CISA is to ensure that every agency maintains an adequate level of cybersecurity commensurate with its own risks, and with that of the broader Federal enterprise,” Hartman explained.
“It’s this enterprise mentality that is largely driving a need for greater centralized visibility to improve our collective ability to detect cybersecurity incidents on Federal networks,” he said. “This one is simple. The earlier we detect irregular activity on Federal networks, the earlier we can assess the activity, investigate the cause, and share information broadly to minimize the impact both Federally and non-Federally.”
QSMO Catchup
Finally, Hartman offered an update on CISA’s creation of its Cybersecurity Quality Services Management Office (QSMO) following a White House directive last year to set up a civilian government hub for cybersecurity services in order to streamline offerings of cross-agency services and make them more efficient across the Federal civilian enterprise.
Hartman said CISA was charged with “the mission to centralize, standardize and market high- quality, cost-effective cybersecurity services for all Federal civilian departments and agencies in less than 18 months,” and said the agency’s “initial version” of the QSMO “now offers a broad range of cybersecurity services that will help Federal customers acquire high quality services to identify protect against detect, respond to, and recover from cybersecurity threats to their networks.”
“The launch is a significant achievement,” he said, marking “the first step in building and cultivating a dynamic online government marketplace for best-in-class cyber security services.”
“It’s also an example of how CISA is moving the needle and helping protect and enhance the resilience of the nation’s cyber infrastructure through innovative ways,” he added.