Cybersecurity leaders say agencies have made great strides in adopting a better defensive posture since last year’s cyber executive order in areas like endpoint detection and response, encryption and multifactor authentication.
But during a House Homeland Security Cybersecurity, Infrastructure Protection and Innovation subcommittee hearing today, lawmakers pressed Biden administration officials on whether agencies have done enough to implement new policies and better secure critical civilian networks from cyber attacks.
Federal Chief Information Security Officer Chris DeRusha said “we feel we’ve made tremendous progress over the first year” since President Joe Biden signed the May 2021 cybersecurity executive order. He cited advances in adopting multifactor authentication and encryption at-rest and in-transit.
“We picked a few of these measures that have most impact and put the highest amount of priority around them,” DeRusha said.
But Rep. Ritchie Torres (D-N.Y.) noted agencies have made limited progress in adopting multifactor authentication, despite the executive order’s mandate to do so by November. He cited a January letter from CISA Director Jen Easterly stating only 13 agencies, including just one Chief Financial Officers Act agency, had fully adopted it across their enterprises.
He noted the same letter committed that all agencies “who could do so” would adopt multifactor authentication by mid-March. Torres pressed CISA Executive Assistant Secretary Director Eric Goldstein on the progress under that goal.
“Every agency with the capacity to deploy MFA and encryption has done so in almost all cases,” Goldstein said. He said he did not have a specific number to provide at the hearing.
Homeland Security Cybersecurity Subcommittee Chairwoman Yvette Clarke (D-N.Y.) cited Russia’s ongoing invasion of Ukraine, noting “interest from foreign adversaries in accessing our federal agency networks is likely to be as high as ever.”
DeRusha said the Office of Management and Budget has been convening federal chief information officers and chief information security officers since November to be prepared for attacks stemming from the conflict.
“It’s something we take seriously,” he said. “We remain in an elevated state.”
Many lawmakers were interested in whether CISA has been able to position itself as a more central player in the cyber defenses of civilian agencies. An October memo from OMB directed agencies to provide CISA access to their endpoint detection and response deployed tools, or work with CISA to identify future options for adopting EDR.
Rep. Jim Langevin (D-R.I.) said 15 agencies had adopted CISA’s endpoint detection and response capabilities, pressing Goldstein on why more hadn’t yet adopted them. The CISA official said the agency is “in the process” of deploying EDR tools across 26 agencies and expects to be “underway” at 53 agencies by the end of fiscal year 2022.
“Not even a year and a half after execution of the executive order, we will have EDR deployments in place or underway at over half of the federal government, with more rolling out in the months to come,” Goldstein said. “We have seen great uptake across federal civilian agencies, but the work needs to continue.”
Goldstein also said CISA was in the process of modernizing its EINSTEIN system for detecting and blocking cyber intrusions across federal networks. The legacy system has been maligned by some lawmakers for failing to detect anomalous activity, such as in the SolarWinds attack that affected multiple agencies.
“We are actively moving to agencies more modern shared services and that progression is going to occur throughout future fiscal years,” Goldstein said.
CISA CDM program and zero trust
The executive order also required agencies to update their agreements with CISA to share object-level data with the cyber agency’s Continuous Diagnostics and Mitigation dashboards as part of an effort to centralize visibility into activity on agency networks.
Goldstein reported that every agency had updated their agreements with CISA to meet the goal.
“We are now able to access that necessary data, which is so critical to us to understand the prevalence of vulnerabilities and other risk conditions across federal agencies and drive much more targeted and faster mitigation of risk that may emerge,” he said.
CISA expects “the breadth of federal agencies” will be connected to CDM dashboards by the end of FY 22. CISA is integrating new capabilities for managing mobile devices into CDM dashboards.
Last November, CISA directed agencies to follow a new patch management process under Binding Operational Directive 22-01. It created a catalog of vulnerabilities that is continuously updated with critical cybersecurity flaws. New flaws added to the list are required to be patched within two weeks, while agencies had six months to patch vulnerabilities that were more than a year old.
“Across the civilian executive branch, we are tracking mitigation of hundreds of thousands of vulnerable instances,” Goldstein said. “These are individual pieces of software or products with vulnerabilities that we know are being exploited in the wild… There’s actually a small number of vulnerabilities that account for the preponderance of unmitigated vulnerabilities, what we call residual risk, across the federal civilian executive branch, therefore allowing agencies to prioritize their resources to most effect.”
Agencies are also moving to develop a longer term “zero trust security architecture” across their networks as they adopt more near-term goals under the executive order.