To nobody’s surprise, 2022 was another action-packed year for federal chief information security officers and cybersecurity teams across government.
It started with the clean-up from the Log4j software vulnerability, and has continued with a flurry of new guidance and initiatives.
The zero-day vulnerability in Log4j, the open source Java logging library, dubbed “Log4Shell” (CVE-2021-44228), actually surfaced in late November 2021 and kept security teams busy through the holidays. The vulnerability is critical for three reasons: the library is embedded in an enormous number of networked systems; it is trivial to exploit, since any attacker-controlled string that gets logged can trigger the lookup; and a successful attacker gets remote code execution on the affected host.
The Cybersecurity and Infrastructure Security Agency led efforts to remediate the vulnerability across agency networks.
“We have seen extraordinary attention on this vulnerability across federal agencies,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein said in early January. “I think, frankly, the most dedicated focus that we have ever seen for an effort like this.”
At the same time, CISA officials said remediation efforts were far from over.
The Cyber Safety Review Board, in its first ever report, also warned that unpatched instances of Log4j will continue to crop up for years to come, potentially up to a decade.
Those warnings were borne out in November, when CISA released an alert revealing that between mid-June and mid-July, it found evidence of Iranian government-sponsored hackers using Log4Shell to compromise the network of an unnamed civilian agency. The Washington Post later reported the agency in question was the Merit Systems Protection Board.
But the Log4j incident underscored a push already in motion to strengthen the security of software used across agencies. The movement was initiated by the May 2021 cybersecurity executive order, and resulted in new secure software development practices issued by the National Institute of Standards and Technology in the spring.
The OMB memo that puts those practices into effect, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” (M-22-18), applies to agencies’ use of third-party software, in turn affecting the vast array of contractors and software producers in the federal procurement ecosystem.
Under forthcoming acquisition rules, agencies will require software vendors to self-attest that they follow NIST’s secure development practices. The OMB guidance also leaves the door open for agencies to require third-party security assessments in addition to a vendor’s self-attestation.
It also encouraged agencies to use Software Bills of Materials, or SBOMs, but it did not require the use of the so-called “software ingredients lists.” The Cyber Safety Review Board in its Log4j report touted the potential of SBOMs to increase software transparency, while acknowledging that further developments in SBOM tooling and adoption are still needed.
The tech industry, meanwhile, successfully lobbied lawmakers to drop new SBOM requirements in the final version of the fiscal 2023 defense authorization bill. Industry associations argued SBOMs have limited utility today because of a lack of standardization.
The White House also set agencies on an ambitious cybersecurity path into the future when it released the federal zero trust strategy in January. The strategy covers a range of pillars, but features a “significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication.”
It ultimately sets a goal for agencies to achieve zero trust principles by the end of fiscal year 2024. Each agency was required to submit an implementation plan to the White House, as well.
In a recent interview, Chris DeRusha, the federal chief information security officer, said the zero trust strategy has led to what he called “strategy-based budgeting” in the federal cybersecurity realm.
“We were able to integrate that into the budget process by having implementation plans from each agency, and then also running our data calls in through the budget process for fiscal year 24, where we did our cyber budget data calls aligned to the zero trust capability area, so that we can map the tooling to the capabilities to the pillars and the strategy,” DeRusha said. “And so we really, you can swing up and down with our data that we’ve got now, and understand a real zero trust funding number.”
The Defense Department also released its own zero trust strategy in late November. It lays out a roadmap for how DoD components should direct their cybersecurity investments and efforts in the coming years to reach a “target” level of zero trust maturity over the next five years.
DoD’s approach includes 45 separate “capabilities” organized around seven “pillars”: users, devices, networks and environments, applications and workloads, data, visibility and analytics, and automation and orchestration.
The Pentagon is also working with commercial cloud providers on how to integrate the zero trust standards into their offerings, a notable development as both defense and civilian agencies increasingly adopt cloud services as the foundation of their IT programs.