The Biden administration is giving agencies marching orders to make its cyber policy goals a reality — with a focus in part on cyber supply chain risk management.
The White House is calling on the federal government to make C-SCRM a top cyber priority, but agencies may not have a clear path to make these goals a reality, said Deontray Jones, director of pre-sales engineering for the civilian and FSI region at Palo Alto Networks.
That said, he added that securing the software supply chain is essential for agencies to mitigate risk in today’s digital landscape.
“Failing to secure the software supply chain can open us up to a host of vulnerabilities that bad actors can exploit. That can lead to all sorts of issues around application performance and access, data loss — and most importantly, severe damage to an organization’s operations and also their reputation,” Jones said, during Federal News Network’s Cyber Leaders Exchange 2023. “As we all are aware, one issue in code development can lead to hundreds and thousands of issues in runtime at that point.”
To achieve a balance between agility and security in their development and operations processes, Jones suggested that agencies “shift left” and move testing and performance evaluation earlier in the development process — before any code is written.
“When we shift left, we’re able to do things like automate security checks, security assessments, and bring better monitoring and visibility to a cloud environment to allow us to catch vulnerabilities very easily and earlier in the code development cycle,” he said. “By shifting left, we’re actually adding security as part of the DevOps process, and not bolted on at the end of the development cycle.”
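One concrete form the "shift left" idea can take is a supply-chain gate that runs in the pipeline before code is merged, rather than as an audit after deployment. The script below is an added illustration, not code from the article or from Palo Alto Networks: it reads a pinned dependency manifest, rejects any dependency that is not pinned to an exact version (an unpinned dependency can resolve differently on every build), and flags versions that fall inside a known-affected range from an advisory feed. The manifest, the package names and the advisory ranges are all constructed for the example and do not correspond to real packages or real advisories.

```python
"""Added example (not from the article or Palo Alto Networks): a small
'shift-left' supply-chain gate that a CI pipeline could run before merge.
It checks a pinned dependency manifest against a list of known-vulnerable
versions and refuses unpinned dependencies. The manifest and the advisory
list below are constructed for illustration; the package names and
versions are hypothetical, not real advisories."""

from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample manifest in requirements.txt style (hypothetical packages).
SAMPLE_MANIFEST = """\
# constructed lockfile for the example
webframework==2.3.1
jsonparser>=1.0
imageutil==0.9.4
cryptohelper==4.2.0
"""

# Constructed advisory feed: package -> list of (first_vulnerable, first_fixed).
# A version v is affected when first_vulnerable <= v < first_fixed.
SAMPLE_ADVISORIES: dict[str, list[tuple[str, str]]] = {
    "imageutil": [("0.9.0", "0.9.5")],      # hypothetical advisory, 0.9.4 is affected
    "cryptohelper": [("4.0.0", "4.1.0")],   # fixed before 4.2.0, so not flagged
}

_PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$")
_NAME_RE = re.compile(r"^([A-Za-z0-9_.-]+)")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


@dataclass
class GateResult:
    unpinned: list[str] = field(default_factory=list)
    # (package, pinned version, first fixed version)
    vulnerable: list[tuple[str, str, str]] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.unpinned and not self.vulnerable


def check_manifest(manifest: str, advisories: dict) -> GateResult:
    """Evaluate every dependency line and collect the gate's findings."""
    result = GateResult()
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        pin = _PIN_RE.match(line)
        if pin is None:
            # Anything not pinned to one exact version can drift between builds,
            # so the gate refuses it rather than guessing what will be installed.
            name = _NAME_RE.match(line)
            result.unpinned.append(name.group(1) if name else line)
            continue
        pkg, version = pin.group(1).lower(), pin.group(2)
        v = parse_version(version)
        for first_vuln, first_fixed in advisories.get(pkg, []):
            if parse_version(first_vuln) <= v < parse_version(first_fixed):
                result.vulnerable.append((pkg, version, first_fixed))
    return result


def main() -> int:
    """Run the gate on the constructed manifest; non-zero exit fails the build."""
    res = check_manifest(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)
    for pkg in res.unpinned:
        print(f"FAIL unpinned dependency: {pkg}")
    for pkg, ver, fixed in res.vulnerable:
        print(f"FAIL {pkg}=={ver} is in a known-affected range; fixed in {fixed}")
    print("gate passed" if res.passed else "gate failed")
    return 0 if res.passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Wired into a pipeline, the non-zero exit code is what makes the check a gate instead of a report: the build stops at the point the quote above describes, while the dependency is still cheap to change, rather than after the code is running. In a real deployment the constructed advisory dictionary would be replaced by a feed from the organization's chosen vulnerability database and the manifest by the project's actual lockfile.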
Setting the stage for C-SCRM in government
The Biden administration highlighted C-SCRM as a foundational element of federal cybersecurity when it released its Implementation Plan for the National Cybersecurity Strategy in July.
The plan outlines 65 high-impact initiatives agencies must meet to stay ahead of emerging threats and sets a timeline to complete those goals.
The plan puts 18 agencies in charge of leading at least one initiative, although many of its goals will require interagency coordination.
Acting National Cyber Director Kemba Walden said in July that the implementation plan is a living document that will be updated annually to reflect the government’s evolving response to emerging threats.
Beyond the Biden administration’s cyber policies, Palo Alto’s Jones said agencies need to ensure they’re implementing cyber hygiene best practices across their enterprises in a consistent manner.
“Securing compliancy is what we live for and what we live by. And in order to secure and have compliance, that’s going to require consistent policy, consistent monitoring and consistent visibility across multiple clouds,” Jones said. “As we all know, we live in a multicloud world. In order to do that, we need a common tool set that allows us to have that consistency — whether we’re in a public cloud or a private cloud — at all times.”
Consolidating and integrating across IT for better SCRM
To ensure agencies are implementing best practices in cybersecurity, Jones said consolidated tool sets will make it easier for security analysts and security professionals to secure federal networks.
“There are multiple great security manufacturers out there, but we have to consolidate our tools, so that we can make it easier and really mitigate the attack landscape at that point,” he said. “It goes back to the shifting left conversation: How do I protect my code cloud at the beginning? How do I protect my cloud infrastructure? … That’s going to come back to making sure that we have a common tool set that allows us to have that consistent security policy across our cloud environment.”
Agencies are developing code across the cloud landscape — and across top cloud providers, including Amazon Web Services, Google Cloud and Microsoft Azure — but Jones said agencies are securing their DevOps process differently in all three cloud environments.
“The better protection to provide that consistent security model against three different clouds is to have a common tool set that will be able to span a multicloud environment,” he said.
Although agencies continue to face new cyber challenges in a growing threat landscape, Jones said consistent implementation of best practices remains the foundation for an ongoing effective cybersecurity strategy.
“If you take away anything from this conversation, [it’s] consistent policies, consistent monitoring, checks and consistent visibility across any cloud landscape, whether public or private,” he said, adding, “Continue to think about security as a part of the DevOps process and not as a bolted-on solution.”