From ensuring the nation’s voting infrastructure was secure in preparation for election season to developing strategies and goals to support critical infrastructure owners and operators, boosting the nation’s cyber posture was among many Federal agencies’ top priorities for 2022.
As the year comes to an end, MeriTalk is rounding up our top cyber moments of 2022:
CISA Rolls Out Voluntary Cyber Goals for Critical Infrastructure
On Oct. 27, the Cybersecurity and Infrastructure Security Agency (CISA) unveiled its long-anticipated cybersecurity performance goals (CPG) to help critical infrastructure owners and operators prioritize and set a foundation for key security measures.
The CPGs – applicable across the 16 critical infrastructure sectors already designated by the Department of Homeland Security (DHS) – feature a list of information technology and operational technology cybersecurity practices that critical infrastructure owners and operators can implement to reduce the likelihood and impact of known risks and adversary techniques.
Moving forward, CISA plans to develop sector-specific goals and will work with each Sector Risk Management Agency to develop those objectives.
Election Security Ahead of the 2022 Mid-Term Election
On Nov. 7, CISA said that it was seeing relatively smooth sailing for voting infrastructure and processes across the United States with polls open in all 50 states for the 2022 midterm elections.
Ahead of the 2022 Mid-Term Election, CISA gave the nation’s voting infrastructure a clean bill of health, even as the outcome of numerous close election contests remained unknown late into the day after the elections.
During the summer of 2022, CISA had notified election officials of software vulnerabilities found in Dominion Voting Systems equipment deployed in several states, but CISA officials confirmed that the agency has found no evidence that those vulnerabilities have ever been exploited. In addition, CISA officials confirmed there was no evidence that the vulnerabilities have affected any election results, including the 2020 presidential election.
OMB Drops New Cybersecurity Metrics in Time for FITARA Hearing
On Dec. 14, the Office of Management and Budget (OMB) released a new “progress report” on the state of cybersecurity across Federal agencies, just in time for the 15th edition of the FITARA Scorecard issued by the House Oversight and Reform Committee on Dec. 15.
The progress report provides the public and key stakeholders, including Congress, with new cyber metrics derived from Federal Information Security Modernization Act (FISMA) data. Notably, the cyber progress report may help to inform a future category for the FITARA Scorecard and represent an evolution of sorts from the current FISMA-centric cyber category.
DoD’s Ambitious Zero Trust Goal
On Aug. 31, DoD CIO John Sherman announced the department’s plan to implement a zero trust architecture across the entire department by 2027. And on Nov. 22, the Pentagon released an implementation strategy and roadmap with further details of how it would reach its 2027 zero trust goal.
DoD’s zero trust strategy and roadmap envision an information enterprise secured by a fully implemented department-wide zero trust cybersecurity “target level” framework that will reduce the attack surface, enable risk management, make data-sharing effective in partnership environments, and quickly contain and remediate adversary activities.
The roadmap – released along with the strategy – lays out a baseline approach to zero trust using the department’s current IT infrastructure and capabilities.
CISA Sets Strategic Plan for 2023-2025, Eyes Unity of Efforts
On Sept. 14, CISA issued its strategic plan for 2023 to 2025, setting out four main goals: cyber defense, risk reduction and resilience, operational collaboration, and agency unification. The 37-page document is CISA’s first comprehensive strategic plan since the agency was established in 2018.
The first goal in the plan is centered on CISA’s role as America’s cyber defense agency, particularly focused on the defense and resilience of cyberspace. The second goal of risk reduction and resilience is similar but places a narrower focus on U.S. critical infrastructure.
The third goal in the plan aims to strengthen “whole-of-nation operational collaboration and information sharing” between the government and the private sector. The fourth goal aims to unify the agency internally by breaking down organizational silos, growing the value of the agency’s services, and increasing stakeholder satisfaction.
Senate and House Pass FY2023 NDAA
The Senate and House passed the Fiscal Year (FY) 2023 National Defense Authorization Act (NDAA), which features $858 billion for defense-related purposes, including numerous technology and cybersecurity provisions.
Among the cyber funding provisions is a $44.1 million investment to support the U.S. Cyber Command’s (CYBERCOM) Hunt Forward Operations, as well as an increase of $56.4 million for CYBERCOM Joint Cyber Warfighting Architecture development.
Provisions specific to strengthening the DoD’s cyber posture include:
- An increase of $10 million to support cyber consortium seed funding;
- An increase of $20 million for the National Security Agency Center of Academic Excellence cybersecurity workforce pilot program;
- An increase of $20 million for the Defense Advanced Research Projects Agency’s (DARPA) enhanced non-kinetic/cyber modeling and simulation activities;
- An increase of $168 million for Cyber Mission Force operational support, including intelligence support to cyberspace operations; and
- An increase of $50 million for artificial intelligence systems and applications development at CYBERCOM.
Sources told MeriTalk that President Biden is expected to sign the NDAA bill soon.
Federal Government Responds to Log4J Vulnerability
From the beginning of 2022, the pressure was on to respond to the widespread Log4j vulnerability disclosed in 2021 and to put measures in place to prevent further fallout from it.
Just a month after CISA’s first public warnings about the Log4j vulnerability, the cybersecurity agency worked with Federal agencies and the public to mitigate potential exposure and renew calls for a software bill of materials (SBOM) to aid in system visibility and inventory management.
Those calls were reiterated at a Feb. 8 Senate Homeland Security and Governmental Affairs hearing, where witnesses explained how SBOMs would aid in quicker remediation of future vulnerabilities.
OMB Sets 2023 Deadline to Boost Agencies’ CDM Reporting
On Dec. 2, Federal agencies were informed that they have until September 30, 2023, to report at least 80 percent of their IT systems through CISA’s Continuous Diagnostics and Mitigation (CDM) program, according to OMB FISMA guidance.
The memo – which builds on OMB’s 2021 FISMA memorandum – pushes for agency action on several items highlighted in President Biden’s cybersecurity executive order issued in May 2021, with a focus on modernizing FISMA data collection.
China Poses Biggest Long-Term Cyber Threat to U.S.
On Nov. 17, officials from the FBI and DHS warned members of Congress that China poses the “greatest long-term threat,” especially when it comes to cyber threats.
During a Senate Homeland Security and Governmental Affairs Committee hearing, officials explained that China is “growing more aggressive, more brazen, [and] more capable.” On the cyber front, China’s vast hacking program is the world’s largest by a mile, and it has stolen more of Americans’ personal and business data than every other nation combined, officials explained.
GAO: HHS Still Facing Open High-Priority Cyber Fix Recommendations
On June 2, the Government Accountability Office (GAO) informed the Department of Health and Human Services (HHS) that it still needs to address a pair of open cybersecurity priority recommendations related to cybersecurity coordination and implementation of a cybersecurity framework.
GAO reported those open recommendations as part of a larger set of 56 open priority recommendations. Of those, 51 remain open from a May 2021 GAO report, plus five new priority recommendations that GAO added in its latest report. In the new report, GAO said HHS did complete action on a pair of recommendations that address and improve the agency’s cyber risk management.