How to achieve President Biden’s goal of bolstering federal cybersecurity
by Andy Cooke
Chief Information Security Officer
President Biden’s recent fiscal 2022 budget request “contains $9.8 billion in cybersecurity funding to secure Federal civilian networks, protect the Nation’s infrastructure, and support efforts to share information, standards, and best practices with critical infrastructure partners and American businesses. This funding includes $110 million for the Cybersecurity and Infrastructure Security Agency (CISA) and $750 million to agencies affected by recent, significant cyber incidents to address exigent gaps in security capability.”
The challenges of bolstering federal cyber security through that spending, however, are exacerbated by the fact that federal government departments, agencies and subagencies all run their own IT systems. Even within an agency/subagency, internal business units often run their own IT systems as well.
And confusing the picture further, many federal IT systems are hosted by contractors or in third-party colocation data centers, maintained by application development contractors, and/or increasingly hosted by Cloud Service Providers (CSPs). This also means that agency IT and security staff often don’t have access to those systems, let alone Department of Homeland Security (DHS) or Cybersecurity and Infrastructure Security Agency (CISA) staff.
On the positive side, it is worth noting that the civilian federal IT systems operated by these agencies and contractors are already subject to system architectural standards and security controls via the Federal Information Security Management Act (FISMA) and National Institute of Standards and Technology (NIST) guidance, and via the Federal Risk and Authorization Management Program (FedRAMP) for CSPs (note that additional standards and requirements are coming via the Presidential Executive Order on Improving the Nation’s Cybersecurity). In addition, there are some advantages to having such a fragmented, decentralized, and disconnected group of federal IT systems: the high degree of network segmentation between them means malicious software and intruders cannot easily move between government systems and networks.
Another thing to consider is that the federal government is now a major consumer of third-party cloud Software-as-a-Service (SaaS) solutions, especially for functions like email via Microsoft 365 services, into whose infrastructure DHS and CISA don’t appear to have direct insight. Fortunately, SaaS tenants do at least have access to file- or service-level security logs; for example, NHA uses MS365 APIs to pull event logs into Splunk for SaaS event log monitoring, reporting and alerting.
It is worth noting that there is some existing integration of civilian federal IT system security with DHS and CISA. Take the Centers for Medicare & Medicaid Services (CMS), for which NHA provides security oversight on the Medicare Secondary Integration Contractor (MSPIC), as an example: CMS participates in the continuous diagnostics and mitigation (CDM) program run by DHS, which is an informational feed of event and asset data from agency on-premises and cloud-hosted systems to DHS.
So, the approach to federal IT security is currently a “bottom-up” approach where each system is built, secured, authorized and maintained by the agency/business unit in question, with informational data feeds up to DHS. The key, then, is using the funding effectively in a “top-down” approach to proactively secure systems.
Some examples of single, federal government-wide centralized services that the funding could provide are:
Security Operations Center (SOC)
Penetration testing services
Bi-directional threat intelligence feeds
Active threat hunting teams
Security Automation Frameworks
Cross-agency pools of cyber security personnel
IT Modernization services and resources
On a final note, perhaps the biggest challenge of all is that, in the world of cyber security, it is easy to spend money on products and services without being able to measure their effect on an organization’s risk posture. So, while the additional top-down funding from Congress is welcome, one suspects an education on how this money should be spent is required for politicians and agencies alike. Whether public or private, modern organizations must look for vendors, contractors, consultants etc. that can deliver measurable outcomes rather than “bill-of-goods” type solutions.