Agencies must meet new requirements to gain visibility into the assets — and cybersecurity risks — on their networks. Given the use of cloud-based services,...
Federal agencies are facing mounting requirements to account for the assets that sit on their networks and the risks to their data and applications.
The May 2021 cybersecurity executive order, 2022’s Federal Zero Trust Strategy and subsequent security directives all point agencies toward better understanding specific vulnerabilities before they’re exploited.
“It starts with visibility and control,” Joe Sangiuliano, regional vice president for public sector and Prisma Cloud at Palo Alto Networks, said on Federal News Network’s Cloud Exchange 2023. “Our federal organizations, they need comprehensive visibility and control, not just over infrastructure but applications and data.”
Last October, the Cybersecurity and Infrastructure Security Agency laid out requirements for agencies in a binding operational directive on “Improving Asset Visibility and Vulnerability Detection on Federal Networks.” The directive establishes baseline requirements for all federal civilian executive branch agencies “to identify assets and vulnerabilities on their networks and provide data to CISA on defined intervals.”
“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets,” CISA Director Jen Easterly said in a statement about the release of the directive. “Knowing what’s on your network is the first step for any organization to reduce risk.”
Agencies are also already subject to strict regulatory and compliance regimes like the Federal Risk and Authorization Management Program for assessing and authorizing cloud services.
“Meeting these requirements is difficult and can be complex,” Sangiuliano said.
And while the shift to the cloud comes with security benefits, as the Federal Zero Trust Strategy points out, there are also new risks with cloud-based applications, he said.
“You have to start taking a look at how you’re building applications, because we’re depending on so many different open source registries touching many different attack vectors that we didn’t have before when dealing with an on-prem solution or on-prem development,” Sangiuliano said. “So, what we’re working with customers on is protecting not just with visibility and compliance but really starting to look proactively into how to secure during the code phase, during the build phase of what we’re doing.”
Secure software development is another major emphasis for agencies in 2023. The Office of Management and Budget has established new requirements for agencies to ensure the third-party software they use was securely developed in line with a National Institute of Standards and Technology framework.
Later this year, agencies are expected to begin asking vendors to vouch for their secure development practices by signing a secure software development attestation form. And even for their internally developed software, agencies are expected to “appropriately leverage” the NIST Secure Software Development Framework, OMB directed.
As agencies continue to adopt software and applications, security will continue to be of paramount concern. But as Sangiuliano points out, there’s often a big gap between where agencies want to go with their IT modernization approaches and where they currently sit with legacy technology and technical debt.
“It’s on industry to help really provide the best consultative approach based on where customers are in that transformational journey, in that DevSecOps journey,” Sangiuliano said. “And it could be on-prem, and it could be within the cloud. And today we see such a huge dichotomy with where those customers are. We spend a lot of time just making sure we understand what workloads are in the cloud, what challenges are you having in visibility, in compliance, in alerts, in attack vectors, whatever it might be. Misconfigurations happen. What do they really have the need to continuously develop and continuously integrate? That’s where we spend time first — a lot of time — in discovery.”
Regional Vice President-Public Sector, Prisma Cloud, Palo Alto Networks
Reporter, Federal News Network
Justin Doubleday is a defense and cybersecurity reporter for Federal News Network. He previously covered the Pentagon for Inside Defense, where he reported on emerging technologies, cyber and supply chain security. Justin is a 2013 graduate of the University of New Hampshire, where he received his B.A. in English/Journalism.