Date: On demand
Duration: 1 hour
Federal agencies are modernizing their IT environments, upgrading their cyber defenses and beginning to shift toward zero trust security architectures. The oversight offices who audit agency programs are also attempting to keep pace with changing technology and approaches.
Gerald Caron, chief information officer at the Department of Health and Human Services Office of the Inspector General, says the oversight community has started to have discussions about how it reports on agency compliance with cybersecurity policies.
“As technology changes, does the way we provide oversight potentially change as well? Just keeping up with new technologies, new things,” Caron said.
Recently, a new cybersecurity community has organized itself under the Council of Inspectors General on Integrity and Efficiency, according to Caron. He said the group started this year and is just starting to host trainings and other focused meetings.
“We’re starting to have those types of discussions like prioritization of audits, prioritization of findings, and things like that,” Caron said. “I believe that that’s something that we’ll probably be picking up on and talking a bit about, how can oversight help with that.”
The group’s first training was focused on zero trust, and how the government-wide shift to the security architecture could affect how agencies are measured against established standards that form the basis of federal policy and oversight, like the National Institute of Standards and Technology’s 800-53 publication.
Caron says there’s no “one-size-fits-all” approach to zero trust.
“It doesn’t translate necessarily one-for-one to the 800-53 controls,” he said. “What is that going to mean for how you assess a zero trust environment?”
Caron also says “compliance” is not synonymous with “effectiveness,” and that’s why agencies are trying newer approaches to cybersecurity that emphasize the importance of visibility and awareness of network assets and activity, such as Software Bills of Materials and continuous monitoring.
“Compliance is not enough,” Caron said. “I think we have to be sure that we check and make sure that we’re effective at what we’re putting in place. And having that inventory is part of that and understanding.”
As agencies consider how they architect their own security environments, they are also probing deeper into the security of their IT supply chains, especially after the SolarWinds attack.
For instance, the Defense Department is establishing a Cybersecurity Maturity Model Certification program to audit the security of its defense contractors, while the White House Office of Management and Budget is considering how to establish security standards for federal software procurement.
Kelly White, co-founder and chief executive officer of RiskRecon, says cybersecurity assessments can often identify hundreds of potential issues across an organization’s network. “But issues are not risk,” he added.
“I don’t think organizations set out to have poor cybersecurity hygiene,” White said. “It’s not something that they do intentionally. But it is a state where too many companies find themselves because they’re not intentional and explicit about managing that dimension of risk.”
White says prioritization is key for both agencies looking across vast supply chains, as well as the organizations in those supply chains who need to address issues within their respective environments.
“You can get down to from a portfolio of 100,000 quite quickly down to 1,000 suppliers, and engage with them meaningfully,” he said. “And that is the application of risk, the understanding of the relationship level, down to applying analytics that are readily available, and you can apply to understand who’s doing well based on cyber ratings, and who’s doing poorly. And then that focuses the most valuable resource that you have, which is your risk management professionals. And then they engage and can make decisions for the organization. They can engage with the supplier to call out the issues, engage with them to raise their performance.”