In the two years since the Biden-Harris administration released its landmark cybersecurity executive order (EO), Federal agencies including the National Institute of Standards and Technology (NIST) have been notching rapid progress on the order’s imperatives, a NIST tech official said today at Palo Alto Networks’ Public Sector Ignite 2023 conference in Tysons, Va.
Victoria Yan Pillitteri, a supervisory computer scientist at NIST, talked about how executing on the ambitious EO has taken a whole-of-government effort.
The EO on Improving the Nation’s Cybersecurity – issued on May 12, 2021 – charges NIST with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain. Specifically, section four of the order directs NIST to solicit input from the private sector, academia, government agencies, and others and to identify existing or develop new standards, tools, best practices, and other guidelines to enhance software supply chain security.
On May 15, NIST began seeking input from organizations that want to participate in a project that will ultimately provide guidance on ways to securely develop software. The Software Supply Chain and DevOps Security Practices project’s objective is to produce practical and actionable guidelines that meaningfully integrate security practices into development methodologies, a Federal Register notice says.
NIST said the project will also strive to demonstrate the use of current and emerging secure development frameworks, practices, and tools to address cybersecurity challenges.
“It’s about enabling security,” Pillitteri said at today’s conference. “Security should be easy for the user, it should be transparent.”
“We have such robust guidance that goes into such depth, but ultimately, we need to enable the mission and business about our Federal agencies,” she said. “I think that’s something that we are trying to do across the board through the various updates to our standards and guidelines, through our various research efforts.”
Pillitteri added, “There’s a lot of work going on at the foundational research level to enable these good practices and an opportunity for us to learn from our colleagues who are in the operational world of what’s working well, what are the opportunities for improvement, and how can we really make this better and easier for all stakeholders.”
The cybersecurity EO hasn’t been exactly an easy shift for the workforce, and two years later, Palo Alto Senior Vice President of the U.S. Public Sector Eric Trexler said one of the biggest cultural challenges he still sees agencies facing is with the adoption of automation.
“We’re all focused on the mission – understanding outcomes,” Trexler said. “Security needs to be seamless; it needs to be easy; the more transparent we make it, the better, but it has to be there. And one of the things we see on the public sector side is we just don’t have enough resources.”
He continued, adding, “Driving for automation is probably the most important conversation we can have together. We do see challenges in the fact that people are concerned their contracts are going to get voided. They don’t understand how to trust in automation – there aren’t enough people, we have to automate.”
“Let the machines make as much of the decisions as they can, only elevate the higher-level activities to humans. We still struggle with that dialogue,” Trexler said. “AI is going to help us. We need the public sector to get behind that.”