Executive orders are just paper, unless agencies actually carry them out

The 2021 Biden Administration executive order on cybersecurity, laid out no less than 55 requirements. And those were just for leadership and oversight. It fingered three agencies, including the Office of Management and Budget itself , for implementing the 55. OMB hasn’t done too badly. For a progress report, the Federal Drive with Tom Temin spoke with the Government Accountability Office’s Director of Information Technology and Cybersecurity, Marisol Cruz Cain.

Interview Transcript: 

Tom Temin And just to be clear, there were more than 55 requirements in this thing. This was just the 55 for three specific agencies.

Marisol Cruz Cain Correct. There were 115 overall requirements. But since we’re about three years out from the issuance of the executive order, we chose to check out the 55 that we thought were most foundational agencies that had to do the leadership issue guidance and oversee some of the other federal agencies’ requirements.

        Join us June 25 and 26 at 1 p.m. EST for Federal News Network's Cloud Exchange, presented by Maximus, where we'll explore civilian agency progress in using the cloud to improve digital services and federal missions. | Register today!

Tom Temin So besides OMB, then it was also the Cybersecurity and Infrastructure Security Agency and also the National Institute of Standards and Technology, NIST, CISA and OMB. Correct. And what did you find?

Marisol Cruz Cain We found that overall, they were doing well. Out of the 55 that we identified, they had fully completed 49 of them, which left six that remain to be implemented. One of them, we found is not applicable because it was basically to check out agency’s request to deviate from CISAs cybersecurity incident and vulnerability response playbook. But nobody had requested such a deviance. So, we decided that that would be not applicable. But there was five out there that we found that were not fully implemented. And those are pretty critical we think. The first one is the director of CISA working with OMB, and NIST has not fully issued its definition of critical software for the federal government, and also hasn’t issued the list that’s going to accompany that definition, letting federal government know what types of software fall into that category. And I think that’s pretty critical because, as you know, lots of the recent incidents that have happened, SolarWinds, Log4J have all come from the software supply chain. There’s a glitch in the software. You can get into different networks. So, I think that that needs to come in a timely manner. Another thing that has not been done yet is CISA Cyber Safety Review Board, which was implemented to review major cybersecurity incidents in the government. They were required to make recommendations to better the board’s actual operations after their first review. And they did. They issued those recommendations, but there has been no evidence of them actually implementing them. So, they would like their authority and their board codified into law. That’s one thing. They also had some very specific points on making their reviews a little bit more effective. But when we asked them for evidence that they were actually implementing those recommendations, they couldn’t provide us any. So, we also think that’s really important. The board that’s responsible for reviewing major incidents really hasn’t done what it could do to make it more effective and get that information out to the public. And the last three had to do with OMB working with specific federal agencies to look at their resources and cost analysis for specific things in the order, like event logging and point detection and response capabilities and threat sharing information. So, we’re just suggesting that OMB document those conversations so that they can be more informed as the budgetary years go on and what they’ve suggested and what they’re working with, with these agencies in those areas.

Tom Temin So sounds like NIST pretty much completed its list.

Marisol Cruz Cain They did NIST had a couple of guidances to put out. They put out guidance on securing software. And they also worked with OMB and CISA on some of the specific technical requirements for endpoint detection and also event logging and ZTA.

Tom Temin We’re speaking with Marisol Cruz Cain, director of information technology and cyber security at the GAO. And getting back to that first item, you mentioned the definition of critical software. I just wonder, you know, almost rhetorically, whether that’s even possible to do because when you mentioned, say, Log4J, nobody ever considered that a critical cyber security risk until one day it was. So, is it really possible to know in advance what somebody is going to decide to exploit, given the millions of software, individual components running in a given agency?

Marisol Cruz Cain I think it’s not 100% possible. I think there’s always vulnerabilities and ways that bad actors get into your systems through software or your different platforms, or different connections with different entities. But I do think it’s important for CISA to complete that definition, because a lot of agencies have varying maturity in their cybersecurity programs. So for some of them that are less mature, they may not be aware of software’s that have vulnerabilities or that need to be patched regularly, and that would give them a better insight as to how to pick their software, how to pick the vendors that they’re using to procure software from. Some of the larger agencies do know these things and are very akin to choosing correct software and making sure that they’re patched and making sure that, you know, when there’s vulnerabilities that they’re replacing the software updating to its newer version. But I think, you know, 100% isn’t guaranteed. But having that out there can help a lot of people with less mature cyber programs.

Tom Temin And if nothing else, I suppose it gives people a point of departure or a point of thinking about things. And they can maybe read their SBOMs with a little bit more insight if they have a list.

Marisol Cruz Cain Exactly.

        Read more: Cybersecurity

Tom Temin All right. And with respect to, CISA and, you know, getting this review board, it sounds like a national transportation safety board. They want to build only for cybersecurity. And that sounds like a long running, ambitious type of thing. And was there evidence or did you look at whether agencies have the resources to do some of these things on a sustained basis?

Marisol Cruz Cain We did not. But I mean, the systemic challenge in the federal government is budgetary issues. Every report that you’ll see GAO do on cyber, people will talk about a lack of skilled workforce, but also budgetary issues to our knowledge, CISA isn’t having any budgetary issues with the Cyber Safety Review Board, but it is very still immature. They just set it up, and it would very much help them if they would continuously look for ways to improve the review board with every review that it does, so that you know, when it gets to its optimal maturity. They know that they’ve done everything possible to make sure that their operations are effective and efficient as they could be.

Tom Temin And this is a report where you did have recommendations and tell us what the highlights of those were.

Marisol Cruz Cain Well, that was one of them. We suggested that CISA actually implement its own recommendations to help its cyber board. We directed CISA in conjunction with NIST and OMB, to issue that list of critical software and its definition. And then the last three recommendations had to do with OMB just giving us some kind of assurance that they’re actually conducting these resource conversations with the federal agencies in the areas of threat information sharing, EDR and its log retention.

Tom Temin Sure. And getting back to the original executive order, it was thousands of words, as I recall, and really comprehensive. Lots of deadlines and so forth. Will one of the endeavors of study, do you think, to be asking? Well, after all of this is said and done, is the cybersecurity in the government actually better than it was in 2021?

Marisol Cruz Cain I would say yes. We actually did a study with six federal CISOs during our report, and we asked them, you know, has the EO covered all of the challenges that you experience in doing your cyber operations day to day? And they believe that it did. Some of the areas that we found, the EO didn’t cover, we found that other strategies did cover. So actually, having a strategy, the National cyber-Strategy that came out in March 23rd, covered that. The EO didn’t really talk a lot about cyber workforce management, but the recently issued cyber workforce management strategy in July 2023, we feel like that will cover that area comprehensively. The National Cyber Strategy dealt with a lot of critical infrastructure issues that the EO did not. And then lastly, privacy, NIST and OMB have been doing a really good job having some privacy guidance out there. So, the four challenges that we talked with the CISOs about that they felt like the EO did not do enough, we identified those areas as being covered by other things. So, I think collectively, all of these documents have left the government cyber posture in a better place.

Tom Temin And I imagine they mostly agreed with the recommendations.

        Sign up for our daily newsletter so you never miss a beat on all things federal

Marisol Cruz Cain Yes. Everybody agreed with all of our RECs. Well, OMB had no comment, but I take a no comment as they didn’t have anything negative to say. But CISA did agree with two of our recommendations we gave them.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.