The May 2021 cybersecurity executive order has sparked a flurry of activities across agencies aimed at better securing data, devices and networks.
The Federal Mediation and Conciliation Service is among those agencies responding to the mandates and deadlines laid out in the EO. Doug Jones, the IT director at FMCS, said the executive order and the initiatives it spawned have helped raise the level of security across agencies.
One example is the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog. CISA established the catalog through a Binding Operational Directive last November. Agencies are required to patch or address any vulnerabilities CISA posts to the catalog within set time frames.
“It’s something we were already doing. It’s just now more organized across the federal landscape, which is a good thing,” Jones said on the CISO Handbook. “It’s getting everybody on the same playing field . . . It just kind of keeps you on your toes.”
The vulnerabilities catalog is a relatively new tool for CISA and the rest of the federal government to respond to a fast-evolving threat environment. Rick McElroy, a principal cybersecurity strategist at VMware Carbon Black, said “there’s a lot of noise” in cyberspace, especially since Russia’s invasion of Ukraine earlier this year.
“We’ve seen a massive increase in the number of zero days that have been used in the wild and have been developed, as part of nation states doing what nation states do, and buying and selling of these things,” McElroy said. “But it creates a real problem for organizations, because organizations obviously don’t have all of the funding that they need to really be bleeding edge on security. And so I think they’re struggling to keep up with some of the dynamics they can’t control.”
Agencies are now shifting to zero trust architectures in response to the ever-evolving nature of cyber threats and the likelihood that attackers will continue to outpace network defenders with new and novel techniques.
“The pie in the sky thought that this will never happen to you, you have to lose that because it’s not a matter of ‘if’ anymore, it’s just a matter of ‘when’ and ‘how,’” Jones said regarding cyber incidents. “You have to be ready to recover.”
The zero trust model shifts cyber defenses away from purely relying on conventional, perimeter-based security. Instead, it’s predicated on the premise that “no actor, system, network, or service operating outside or within the security perimeter is trusted,” the White House’s zero trust strategy explains.
“Instead, we must verify anything and everything attempting to establish access,” it states.
But as McElroy points out, agencies are at different steps in CISA’s zero trust maturity model and in implementing the various “pillars,” such as multifactor authentication or encrypting network traffic.
“I would bet for some of the smaller agencies, they’re going to have to take advantage of the work that some of the larger agencies are doing,” he said. “Maybe some of them will create further service offerings around it.”
The Biden administration’s cybersecurity agenda may be ambitious, but Jones said the intense focus on the issue has helped bring together the cybersecurity community across government.
“If we’ve got this entire community out there sharing all this information, everybody can get there a little bit faster,” Jones said, while adding, “You can’t deny [the potential for a cyber incident] anymore. It’s going to happen. It’s just a matter of when. If you get your ducks in a row, then you can minimize the damage that can be done.”