
CISA’s new plan to better align cybersecurity operations


The Cybersecurity and Infrastructure Security Agency is introducing a new strategic approach for 2024 called the Federal Enterprise Operations Cyber Alignment Plan. Its focus is bringing agencies together to compare notes on recent cyber incidents and approaches, and align behind a common path forward, especially for analysts in their security operations centers.

“It’s important for CISA as we look into fiscal 2024 and really have that strategic outlook of what the future holds. What does the cybersecurity threat landscape look like? It was important for CISA to convene all federal agencies, take an opportunity to walk through what we experienced in 2023. Walk through the major incidents, the cybersecurity issues that we’ve been dealing with as a community and work toward an action plan, an operational alignment plan for us to think about what comes next. What’s in 2024?” Michael Duffy, associate director of CISA’s Cybersecurity Division, said on Federal Monthly Insights Securing the Nation: A deep dive into federal security operations.

“The suite of binding operational directives, everything from the known exploited vulnerabilities to the network management interfaces, down to the asset visibility and vulnerability enumeration, that has been a meaningful shift in the way that we look at cybersecurity defense operations across the enterprise. It’s important for us, as we start the new year, to bring that community together, to talk about what we’re seeing, the challenges we have, and ultimately, come away with some commitments from them.”

CISA is committed to working collaboratively with state and local governments, election officials and federal partners to manage risks to the nation’s infrastructure. The continued evolution of the Continuous Diagnostics and Mitigation (CDM) dashboard to help agencies improve how they manage their cyber environments is also a priority, as well as the Secure Cloud Business Application (SCuBA), which ensures agencies are using a baseline of secure workplace and collaboration applications in the cloud.

“The concept of alignment is an important shift in the way that we’re approaching this,” Duffy said. “We designed an operational cyber enterprise plan, which identified all of the areas that we think the federal government, as an enterprise, should be focusing on improvement actions. We had fantastic feedback from [chief information security officers] and agency teams.”

In a survey of chief information security officers (CISOs) across government, one challenge that emerged for CISA was identifying what else is needed for success in the agencies.

“What we heard from agencies was these are bigger than the cybersecurity team,” Duffy said. “When we’re talking about advancing hardening Active Directory or advancing CDM into the next era of cybersecurity operations, this is more than just a small team of cyber practitioners can handle on their own. This is frankly more than the headquarters CISOs’ shop can handle on their own. This is truly something that will require a whole-of-government, whole-of-federated-agency approach to ensure that we’re successful.”

The known exploited vulnerabilities (KEV) catalog also stood out in the survey as a top priority. CISA recommended agencies monitor the KEV catalog and prioritize their vulnerabilities to reduce the chances of being exploited.

“That was eye opening to us. It meant that the binding operational directive was seeing success,” Duffy said. “We’ve seen decreases in the number of KEVs across agency enterprises, and I think that’s a really good place to be, as we’re talking about reducing the attack surface and moving into more strategic efforts like zero trust.”

CISA’s zero trust model is used as a reference for agencies to create their zero-trust architecture. It seeks to inform agencies on ways to develop implementation plans where CISA can support and generate solutions.

“The federal zero trust managers community of practice is an important step forward for CISA. It was our way to convene all of those agency officials designated as their agency’s zero trust lead. It was important for CISA to say, as we operationalize the next step, the series of zero trust application maturity model, that we are able to convene that community, have a meaningful dialog and connect them with each other. This is a community where CISA isn’t always the one that has the right level of answer for an agency. They want to speak with their peers. They want to have an open discussion about their challenges. And we’re providing that,” Duffy told Federal Drive with Tom Temin. “We’ve coupled that with a training program where we are able to provide a standard baseline of understanding for these zero trust managers so they can go into these conversations using the same terminology, using the same approaches, and applying the same tricks of the trade, the way that the zero trust managers are considering this challenge at the enterprise level. We’re convening, we’re training, and we’re ultimately ensuring that the federal government has the workforce they need for zero trust and a sustained effort in zero trust for the long haul.”

CISA is also making progress in mobile app vetting (MAV), a service it’s provided to 15 agencies so far. The MAV identifies app vulnerabilities and potential risks, while also allowing agencies to make risk-based decisions.

“It’s a great resource that CISA is providing to allow a federal agency to say, ‘I’ve taken every step necessary to secure and configure an application that will ultimately be used by either federal government employees or the public,’” Duffy said. “Our ability to show value in the data that we collect centrally is paramount. I think that there is an understanding that CISA is primarily a partnership organization. We are working with these agencies to secure their environment as much as they are.”

 

Copyright © 2024 Federal News Network. All rights reserved.
