Federal agencies are cracking down on adversarial interference and unwanted access to their network operations with promises to increase the speed to market of new information technology (IT) capabilities and transitioning to more decentralized cyber security decisions.
At an FCW Cybersecurity Summit on Wednesday, panels of government and industry cyber experts reiterated the importance of securing the IT supply chain and prioritizing risk management by supporting the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program.
“I spend a lot of time talking to folks, internally and externally, about the speed of solutions and the speed of cyber security. People want to have formed contextual risk decisions about whatever outcome they’re trying to achieve. And security as a discipline, especially in the federal space and my agency, speed is everything for us,” said Matt Conner, chief information security officer (CISO) at the National Geospatial-Intelligence Agency (NGA), at a panel on security innovations. “Our programs, our operators, our customers, they want solutions and capabilities fielded and operational as quickly as possible, of course. We simply cannot follow the old ways of reaching that contextual risk decision.”

Conner, whose agency is responsible for providing geospatial imaging for combat support, said his main priority remains reducing time to market for the vital capabilities needed to protect his critical systems.
The NGA recently set up an office in Silicon Valley as part of its agenda to establish nontraditional public-private partnerships, with the aim of speeding up the process of applying new cyber capabilities to the intelligence community’s operational networks.
From an industry perspective, developing and integrating critical IT solutions has to coincide with a more focused, risk-based approach to securing the cyber supply chain, according to Lauren Burnell, CISO for IT services provider PCM-G.
“Historically, there’s been a fundamental disconnect between industry and government. So government, obviously, is focused on mission success. Industry has looked at IT acquisitions from an industry perspective, where we’re looking at efficiencies, cost savings. The traditional cyber supply chain risk management is really more focused on these kinds of industry concerns. We just started to see the emergence of the NIST coming to the table as a leader in government in cyber supply chain risk management,” said Burnell. NIST is the National Institute of Standards and Technology.
Adversaries view the global IT supply chain as an easy access point for infiltrating network systems with counterfeit solutions, so federal agencies need complete confidence in the integrity of their cyber assets before introducing them into their environment, according to Burnell.
Panelists from the federal perspective argued for a continued shift in the IT solution approach toward a more enterprise-wide, decentralized structure, aimed at achieving holistic cyber security for entire agencies, not just specific networks.
“We’re organized around being able to make decisions be central, not in a decentralized fashion, and many of our processes are oriented around making decisions about particular systems. So then the challenge becomes being able to find a way to achieve a high level of integration across the entire department,” Defense Department Deputy CIO of Cyber Security Mitchell Komaroff said.
One driver of this culture change is DHS’s CDM program, which forces agencies to be aware of their network security by prioritizing risk assessments and re-examining budgetary priorities in order to seek out new solutions.
The CDM program standardizes federal security monitoring for participating agencies through three phases of cyber evaluation: it starts with cyber asset management, then focuses on infrastructure integrity, and finally devises plans for risk management and network boundary protection.
“We have that built-in mechanism that allows us to be able to work with the agencies and not say ‘We found this budget problem, you the agency find some money and go solve the rest of it.’ Instead we said, ‘We’ll work with you on doing this because we want you to have the best understanding of your surface,’” CDM Lead System Engineer James Quinn said. “I think the second thing that’s changed as we were evolving is we sort of went from carrying on the compliance approach to saying we need to step back and really do a cyber security framework approach.”
The two-step process involves first taking this support from CDM to initiate a culture change, and then reworking the internal agency decision-making process to deliver enterprise IT solutions.
“In general, I think that there are pervasive improvements in technology, for instance, the quality of operating systems within computers, the leveraging of hardware we trust. One of the ways we’ve been seeking to do a little bit of problem decentralization behind the legacy-installed base is through making certain enterprise decisions, so beginning with former DoD CIO [Terry] Halvorsen and now with CIO Dr. John Zangardi, we’ve been pressing forward with secure baseline roll outs of new systems throughout the entire department. That’s being driven from the enterprise level,” said Komaroff.