GSA security chief sees concerted focus on ‘applications and workloads’ in coming year

GSA plans to centralize its application security program amid a broader push to ensure the government only relies on secure software.

The General Services Administration is making a major push into enterprise application security this year, its top security official says, amid a broader government push to ensure agencies only use secure software.

GSA has made headway in implementing a zero trust architecture through the adoption of a secure access service edge (SASE) solution, modernized user and device directories, and new enterprise single sign-on solutions.

Bo Berlas, GSA’s chief information security officer, said fiscal 2024 will feature a big focus on securing “applications and workloads.”

While GSA has largely been implementing software security and supply chain security practices in its own “verticals,” Berlas said the agency is centralizing those capabilities.

“To truly be able to achieve synergy and value and be able to integrate that into a security strategy, it has to effectively be developed and delivered as an enterprise shared service,” Berlas said during an Oct. 10 event hosted by NextGov. “We’re essentially going through and doing a lot of investment within this space in the coming year by centralizing around a dedicated, app-sec solution, backed by tooling and people that effectively provide integrated support services into our agency application teams.”

The federal zero trust strategy directs agencies to operate “dedicated application security testing programs,” instead of just relying on documented security controls.

“To gain confidence in the security of their systems, agencies must analyze their software and its deployed functionality with a comprehensive and rigorous approach, whether their software is built internally or by a contracted vendor,” the strategy states.

Meanwhile, agencies are also increasingly focused on the security of third-party software developed and delivered by contractors. The Cybersecurity and Infrastructure Security Agency earlier this year released a draft attestation form that contractors would sign to confirm their compliance with software security standards.

Once the form is finalized, the Office of Management and Budget has directed agencies to begin collecting the form from their software vendors.

During a separate Oct. 10 event, CISA Executive Assistant Director for Cybersecurity Eric Goldstein cast the software attestation form as part of a broader effort to ensure technology companies are designing and delivering their products with the proper security measures.

Goldstein called the attestation form “a step down a road, and incremental one at that, but still an important measure to ensure that we are adopting the right approaches.” He also pointed to new contractor cybersecurity rules proposed by the Federal Acquisition Regulatory Council last week as an important step forward.

“It’s also an important step to make sure that we are driving the right security across the ecosystem, maybe starting with federal contractors first, but then broadening from there,” Goldstein said.

Berlas pointed to how many recent cybersecurity initiatives stem from notable cyber incidents, such as the SolarWinds breach that ensnared multiple federal agencies.

“One of the fundamental lessons learned there is that we can’t take for granted the software that we’re effectively consuming, presuming that software itself is secure,” Berlas said. “Those very same vendors themselves have downline software dependencies. So it’s ensuring that visibility downline into the actual vendor, ensuring that they’re implementing good software security and application security best practices, and having a broader understanding of what some of their software supply chain risks actually look like.”

Copyright © 2024 Federal News Network. All rights reserved.