Cybersecurity Executive Order Archives | FedScoop
https://fedscoop.com/tag/cybersecurity-executive-order/

Cybersecurity executive order requirements are nearly complete, GAO says
https://fedscoop.com/cybersecurity-executive-order-requirements-gao-omb-cisa/
Mon, 22 Apr 2024
CISA and OMB have just a handful of outstanding tasks to finish as part of the president’s 2021 order.

Just a half-dozen leadership and oversight requirements from the 2021 executive order on improving the nation’s cybersecurity remain unfinished by the agencies charged with implementing them, according to a new Government Accountability Office report.

Between the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology and the Office of Management and Budget, 49 of the 55 requirements in President Joe Biden’s order aimed at safeguarding federal IT systems from cyberattacks have been fully completed. Another five have been partially finished and one was deemed to be “not applicable” because of “its timing with respect to other requirements,” per the GAO.

“Completing these requirements would provide the federal government with greater assurance that its systems and data are adequately protected,” the GAO stated.

Under the order’s section on “removing barriers to threat information,” OMB only partially incorporated into its annual budget process a required cost analysis.

“OMB could not demonstrate that its communications with pertinent federal agencies included a cost analysis for implementation of recommendations made by CISA related to the sharing of cyber threat information,” the GAO said. “Documenting the results of communications between federal agencies and OMB would increase the likelihood that agency budgets are sufficient to implement these recommendations.”

OMB also was unable to demonstrate to GAO that it had “worked with agencies to ensure they had adequate resources to implement” approaches for the deployment of endpoint detection and response, an initiative to proactively detect cyber incidents within federal infrastructure. 

“An OMB staff member stated that, due to the large number of and decentralized nature of the conversations involved, it would not have been feasible for OMB to document the results of all EDR-related communications with agencies,” the GAO said.

OMB still has work to do on logging as well. The agency shared guidance with other agencies on how best to improve log retention, log management practices and logging capabilities but did not demonstrate to the GAO that agencies had proper resources for implementation. 

CISA, meanwhile, has fallen a bit short on identifying and making available to agencies a list of “critical software” in use or in the acquisition process. OMB and NIST fully completed that requirement, but a CISA official told the GAO that the agency “was concerned about how agencies and private industry would interpret the list and planned to review existing criteria needed to validate categories of software.” A new version of the category list and a companion document with clearer explanations is forthcoming, the official added. 

CISA also has some work to do concerning the Cyber Safety Review Board. The multi-agency board, made up of representatives from the public and private sectors, has felt the heat from members of Congress and industry leaders over what they say is a lack of authority and independence. According to the GAO, CISA hasn’t fully taken steps to implement recommendations on how to improve the board’s operations. 

“CISA officials stated that it has made progress in implementing the board’s recommendations and is planning further steps to improve the board’s operational policies and procedures,” the GAO wrote. “However, CISA has not provided evidence that it is implementing these recommendations. Without CISA’s implementation of the board’s recommendations, the board may be at risk of not effectively conducting its future incident reviews.”

Federal agencies have, however, checked off the vast majority of boxes in the EO’s list. “For example, they have developed procedures for improving the sharing of cyber threat information, guidance on security measures for critical software, and a playbook for conducting incident response,” the GAO wrote. Additionally, the Office of the National Cyber Director, “in its role as overall coordinator of the order, collaborated with agencies regarding specific implementations and tracked implementation of the order.”

The GAO issued two recommendations to the Department of Homeland Security, CISA’s parent agency, and three to OMB on full implementation of the EO’s requirements. OMB did not respond with comments, while DHS agreed with GAO recommendations on defining critical software and improving the Cyber Safety Review Board’s operations.

Federal CISO says White House targeting AI procurement as part of conversation on looming executive order, guidance
https://fedscoop.com/federal-ciso-chris-derusha-ai-procurement-ai-executive-order-guidance/
Tue, 17 Oct 2023
Federal CISO Chris DeRusha says Biden administration officials are “actively discussing” AI procurement ahead of the president’s upcoming executive order and federal guidance on the technology.

As the White House inches closer to the release of an executive order on artificial intelligence and guidance for federal agencies on responsible use of the technology, the federal chief information security officer said AI procurement is something Biden administration officials are “actively discussing” as part of that conversation.

Speaking Tuesday at the Google Public Sector Forum, presented by Scoop News Group, Chris DeRusha, federal CISO and White House deputy national cyber director, noted that government authorization and assessment processes will be especially important when it comes to AI procurement.

“How do we ensure that we have an agile way of assessing the appropriate tools for government use and government-regulated data types? We can’t not do that,” DeRusha said. 

“We understand everybody’s really wanting to jump into the latest tools. But look, you know, some of these companies aren’t fully vetted yet, they are new entrants, and we have to ensure that you’re responsible for protecting federal data,” he added.

DeRusha said the government has “to go full bore in learning how to use this technology because our adversaries will do that.” To that end, the Biden administration last week released a database on AI.gov detailing hundreds of AI use cases within the federal government. 

Having that database should enable agencies to better drill down on specific AI applications, perform tests, launch pilot programs and ultimately see where the government can get “maximum benefit.” DeRusha cited better safety outcomes in transportation agencies as one possibility. 

And while “unintentional misuse” of AI worries DeRusha, ultimately the “benefits are so positive” for federal agencies when it comes to the technology.

Also top of mind for DeRusha is the implementation of the Biden administration’s National Cybersecurity Strategy, which was released in March, and the White House’s National Cyber Workforce and Education Strategy, published in July. 

DeRusha touted the benefits of having public-facing plans that note agency-specific responsibilities, quarterly targets and other details, essentially serving as a check on government officials to hold “ourselves accountable to ensure that we’re really making progress on all these things.” 

And after “decades of investments in addressing legacy modernization challenges,” DeRusha said now is the time for the government to prepare for “massive” long-term challenges, including, for example, those related to AI and the White House’s Counter-Ransomware Initiative, which now involves “almost 50 countries.”

“We’ve taken on pretty much every big challenge that we’ve been talking about for a couple of decades,” DeRusha said. “And we’re taking a swing and making” progress.

New rule would set governmentwide cyber standards for contracts involving federal information systems
https://fedscoop.com/proposed-cybersecurity-rule-would-amend-federal-acquisition-regulation/
Tue, 03 Oct 2023
“By standardizing a set of minimum cybersecurity standards to be applied consistently to FISs, the proposed rule would ensure that such systems are better positioned in advance to protect from cyber threats,” the new rule states.

The Biden administration is proposing a new standardized set of cybersecurity procurement requirements across the federal government for contractors that work with unclassified federal information systems.

The proposed rule would amend the Federal Acquisition Regulation (FAR) to set minimum cybersecurity requirements for contracts that involve federal information systems, instead of leaving it up to each agency to set those requirements, according to a Tuesday notice in the Federal Register.

The contract requirements will differ for cloud-based and on-premises systems, as outlined in the notice. Once the new requirements take effect, agencies would need to update their own requirements to remove any rules that are duplicative, but they could still impose additional rules that go beyond the baseline provided in the new FAR language.

Currently, the cybersecurity requirements for such contracts are based on agency-specific policies, which introduces risks including inconsistent security requirements across contracts, additional costs and restricted competition. 

“By standardizing a set of minimum cybersecurity standards to be applied consistently to [federal information systems], the proposed rule would ensure that such systems are better positioned in advance to protect from cyber threats,” the notice states. 

This change is a direct measure called for in the Biden administration’s landmark 2021 cybersecurity executive order. That required the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to review agency-specific cybersecurity requirements from across the government and then to “recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements” that would be proposed publicly for comment.

The notice Tuesday calls for the government to improve its efforts to identify, deter and respond to cyber threats while also ensuring that products are built and operated securely for a safer cyberspace. 

“In the end, the trust the United States places in its digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences it will incur if that trust is misplaced,” the notice states. 

It also highlights the recent explosive growth of malicious cybersecurity activity, adding that the threats that the nation faces are costly and predicting that with threats continuing to grow, it could cost $1 trillion over the next decade.

In 2018 the Council of Economic Advisers found that malicious cyber activity cost the national economy somewhere between $57 billion and $109 billion. The administration in the notice also acknowledged that the cost of a single cyber incident to an individual company “can be crippling.”

“It also is essential that the Government—and its contractors—take a coordinated approach to complying with applicable security and privacy requirements, which are closely related, though they come from independent and separate disciplines,” the notice states.

Comments on the proposed rule will be accepted through Dec. 4.

The administration on Tuesday also issued a separate proposed rule to revise the FAR to increase information-sharing on cyber threats and incidents with technology providers.

Federal CISO hails improving federal agency log management
https://fedscoop.com/federal-ciso-hails-improving-federal-agency-log-management/
Thu, 23 Feb 2023
Chris DeRusha says improved incident logging is helping to strengthen cybersecurity cooperation between departments and urges further progress.

Progress made by federal agencies with log management is helping to strengthen cybersecurity collaboration between government departments, according to the federal chief information security officer.

Speaking Thursday at the Zero Trust Summit, hosted by CyberScoop, Chris DeRusha noted that the White House had seen significant advances in agencies’ approach to sharing systems data and urged further progress.

He said: “We need this folks, we need it. Because if we can’t know what’s happening in these networks, we can’t know how the bad guys move around. We can’t know when they’re gone.”

DeRusha added: “I’m excited … I know it’s a hard one. But you know what else it’s doing? It’s helping us with centralization. It’s moving the ball forward because it’s forcing around specific things, specific projects to get all the federated components to be working together towards the common goal of getting them data in one place, so we ourselves together.”

Logging, log retention and log management requirements for federal government agencies were included in section eight of the May 2021 Cybersecurity Executive Order issued by the Biden administration in the wake of the SolarWinds attack.

The guidance, contained within the EO, focused on ensuring centralized access and visibility for the highest-level enterprise security operations center of each federal agency, and was followed by a memorandum instructing agencies to increase the sharing of relevant information.

The White House in that memo included a maturity model for event log management intended to guide agencies’ implementation of its requirements across four event logging (EL) tiers: not effective, basic, intermediate, and advanced.

Speaking at the event, DeRusha said he understood the costs associated with log management, and that over time the White House will continue to fine tune logging requirements for agencies. 

Pinpointing critical software key to supply chain security, says Federal Acquisition Service leader
https://fedscoop.com/critical-software-key-to-supply-chain-security/
Tue, 25 Oct 2022
Sonny Hashmi calls for work to identify critical software components across federal networks to help mitigate supply chain risks.

The federal IT community must prioritize the identification of critical software components within product suites as it works to address supply chain risk, according to the Federal Acquisition Service commissioner.

Speaking Tuesday at ACT-IAC’s Imagine Nation ELC, Sonny Hashmi called for work to pinpoint code with national security implications to begin, even as certain critical software definitions continue to evolve.

He said: “[I]t’s important for us to start to think about what parts of our product suites — many of the products that your companies build and make available — are considered critical software. 

“That definition is not always clear, although NIST has done an incredible amount of work to start defining what critical software looks like, but we have to be very thoughtful about what that critical software is. It’s the equivalent of the critical infrastructure that we rely on in our society.”

The procurement leader added: “This software is embedded at the network level; it has elevated access. We rely on that software to keep us secure and keep us operating. We need to make sure that we start with that sub-set of software first. Make sure that we put all the right eyes on that and then scale it to other categories of software.”

Hashmi’s comments come as GSA, NIST and CISA lead work across federal government to provide clearer cyber supply chain guidance to vendors.

Following new cybersecurity guidelines issued last month by the Biden administration, CISA is working with the Office of Management and Budget to create a “common form” that U.S. departments will use to show that software vendors have attested the technology they are selling to the government meets NIST security guidelines.

Under that new guidance from OMB, federal departments must ensure that all third-party IT software deployed adheres to NIST supply chain security requirements and get proof of conformance from vendors.

Following the cybersecurity executive order, issued by the White House in May 2021, NIST published an initial, wide-ranging definition of critical software.

White House has moved to zero trust implementation phase: Chris DeRusha
https://fedscoop.com/white-house-has-moved-to-zero-trust-eo-implementation-phase-chris-derusha/
Thu, 20 Oct 2022
The federal CISO says OMB is working closely with government departments to capture the costs of implementing zero trust in their budgets.

The Office of Management and Budget has moved to an implementation phase for zero trust and is working with agencies to help break out costs associated with the cybersecurity approach in their budgets, according to the federal CISO.

Speaking Thursday, Chris DeRusha said the executive branch agency is focused on introducing measures that will codify long-term cultural change, such as listing costs associated with the cybersecurity approach as a specific budget line item.

“That gives the resource management side something easy to deal with,” the cybersecurity leader said, speaking at the CyberTalks conference presented by CyberScoop.

DeRusha added that obtaining further clarity on agencies’ zero-trust spend is key to ensuring long-term adoption of zero trust.

Memorandum M-22-09 was issued in January this year to provide a roadmap for the implementation of zero trust by the end of fiscal 2024. The document included concrete requirements relating to phishing-resistant multi-factor authentication, encryption of DNS requests and the segmentation of network perimeters.

At the time, the order was intended to provide an initial starting point for the cybersecurity approach, and to provoke the adoption of more comprehensive strategies at federal departments.

The order identified top cybersecurity priorities, including the consolidation of agency identity systems and treating all internal networks as untrusted. The latest plan moves agencies further towards fulfilling the requirement included in the Cybersecurity Executive Order issued last May by President Biden.

“We didn’t seek to write the pure end-state document for zero trust,” DeRusha noted.

Cyberattack led USDA to seek $4.4M from TMF for threat monitoring
https://fedscoop.com/solarwinds-cyberattack-led-usda-to-seek-4-4m-from-technology-modernization-fund-for-threat-monitoring/
Thu, 06 Oct 2022
The agency is also working on a SOC-as-a-Service offering and potentially blue teaming.

The U.S. Department of Agriculture discovered a gap in its cybersecurity operations during the SolarWinds breach, which led it to apply for the $4.4 million it received in May from the federal Technology Modernization Fund, according to its chief information security officer.

Speaking during an ACT-IAC webinar Thursday, USDA CISO Ja’Nelle DeVore said the department wasn’t directly affected by the SolarWinds vulnerability but did experience an ancillary attack prompting it to seek funding for threat monitoring, detection and response capabilities.

The SolarWinds breach compromised nine federal agencies and went undetected for roughly nine months before it was discovered in December 2020. In its aftermath, USDA realized it needed new software tools to bolster its cyber posture and implement a zero-trust security architecture.

“We identified a gap there, and one of the reasons I understand that we were approved for that funding was because we were specific in: OK, it’s great to reach out and say we need money for a tool, but hey we have a gap in our processes that we don’t have the funding to address,” DeVore said. “So we went ahead and applied for it.”

The project is ongoing, as is USDA’s effort to have its security operations center (SOC) certified and made available to other agencies as a shared service. That SOC-as-a-Service offering remains a few years away, DeVore said.

USDA already had the Department of Homeland Security independently evaluate its SOC and make recommendations to mature it.

“They did give us a really good independent assessment and also a really good roadmap to completing some of the findings and remediating some of those findings,” DeVore said.

USDA is also considering developing a blue team, or a protective cybersecurity team, but it’s “challenging” to have to regularly reprioritize cyber requirements whenever the Cybersecurity and Infrastructure Security Agency issues a new directive or an audit comes out, DeVore said. 

USDA stood up an integrated project team (IPT) composed of different mission areas, enterprise architects and cyber staff to manage implementation of the more than 140 requirements in the 2021 Cyber Executive Order and subsequent guidance. The IPT is an agile approach for addressing the five pillars of the Federal Zero-Trust Strategy simultaneously, which USDA intends to complete by 2024, DeVore said.

When the requirement that agencies develop contract language addressing cyber supply chain threats came down, USDA was able to loop its acquisition team into the IPT. The agency developed use cases for different requirements in the executive order.

Aside from its Technology Modernization Fund project, USDA has been able to accomplish this work within its current budget.

“At this point, we haven’t really reached out for a lot of money,” DeVore said. “But I do imagine, as we move down the path for implementing the executive order and zero trust, we will need additional funding.”

NOAA evaluating multi-factor authentication for apps and devices
https://fedscoop.com/noaa-evaluating-multi-factor-authentication-solutions/
Wed, 17 Aug 2022
Chief information officer Zach Goldstein tells FedScoop the agency plans to launch a Cloud Program Management Office in fiscal 2023.

Editor’s note: This story has been updated to include additional information about the Open-Architecture Data Repository and NOAA’s supercomputing improvements.

The National Oceanic and Atmospheric Administration is exploring multi-factor authentication beyond its network as it looks to strengthen cybersecurity in accordance with the federal zero trust strategy, according to its chief information officer.

Zach Goldstein told FedScoop his agency already requires Common Access Cards (CACs) and personal identification numbers to authenticate to its network but continues to perform comparative analyses of multi-factor authentication (MFA) solutions for applications and devices.

“We’re looking at things other than CAC cards, things that are intelligent tokens — that know who I am, that can exchange certificates with a certificate server, that can be easily revoked, that can have multiple kinds of privileges,” Goldstein said.

Goldstein added that cybersecurity is his “first priority,” in keeping with the White House’s Cybersecurity Executive Order issued in May 2021, and that he hopes to select a token for app and device authentication by the second quarter of fiscal 2023.

NOAA is also increasing supply chain risk assessments of Software as a Service offerings, looking not only at the vendor itself but also at what the vendor buys and uses to deliver its services, under Goldstein, who has been with the agency for 17-and-a-half years and CIO since 2015.

Goldstein wants to expand NOAA’s use of the cloud in a way that further improves the agency’s cyber posture while shedding light on how migration is progressing.

“We have an initiative to create a Cloud Program Management Office (PMO), one of whose jobs will be to provide me and NOAA leadership with that answer,” he said.

Assuming the funding for the office within the president’s fiscal 2023 budget stands, Goldstein hopes to launch it by the end of that fiscal year.

According to Goldstein, NOAA was the second federal agency to move its email and calendar to a public cloud, Google Apps for Government, in 2011, and since then the agency has migrated websites, help desk ticketing and global device management.

“It became very clear that we needed to have more discipline going to the cloud and more efficiencies because people were duplicating each other by having to learn how to do a security evaluation of going to the cloud, learn how to authenticate to the cloud, figure out how to communicate and get my data to the cloud,” Goldstein said. “And they were also using different contract vehicles.”

The CIO agreed to authorize NOAA offices’ migrations with the expectation that once his team implemented centralized cloud services streamlining and lowering the cost of the process, they’d use those instead.


NOAA now offers a standard way of getting to the cloud; authenticating using its identity, credential and access management (ICAM) service; and contracting with the three large service providers — Google, Amazon and Microsoft — and others. The Office of the CIO’s Cyber Division evaluates cloud offerings once for universal use across NOAA, accelerating offices’ migrations, but the Cloud PMO will make it so they don’t have to consult separate experts for each step in the process.

A Cloud PMO will also help offices take advantage of NOAA Open Data Dissemination (NODD), which allows for “extremely inexpensive” egress to the public, Goldstein said.

The White House proposed a large funding increase for the Office of Space Commerce in its fiscal 2023 budget, which if accepted by Congress would elevate it to a staff office receiving IT support from the OCIO. 

Goldstein expects to indirectly advise on, provide perimeter security for and oversee the cloud-native Open-Architecture Data Repository, which processes tracking data on space objects to predict and assess risk of collision. This information will improve space situational awareness for commercial and civil space operators. A requirements analysis is ongoing, so the operational cost hasn’t been calculated yet.

“Because the cloud is available and they know how to do it, we know how to do it — we’re going to help the Office of Space Commerce with this — they’ll be able to get that capability in the hands of the world faster,” Goldstein said.

The cloud is also freeing up NOAA’s IT professionals — previously stuck patching, scanning and performing domain controller work — to improve weather forecasting model accuracy and speed.

Supercomputing improvements that continue to be made by NOAA have increased capacity for forecasting three times over and should lead to 30% growth in research computing by the end of 2022, but research and development could benefit from even more, Goldstein said. The agency’s objective is to get enough capacity to perform all NOAA research, and enable focusing these applications down to what should be operationalized.

“We’re not there yet,” Goldstein said. “But we’re getting closer.”

Federal CIO Council working group addressing zero trust funding challenges: CISA cyber official
https://fedscoop.com/agencies-zero-trust-funding-challenges/
Wed, 10 Aug 2022
The Interagency Zero Trust Leadership Steering Group will tackle the funding challenges that federal IT leaders face.

The Interagency Zero Trust Leadership Steering Group is working to understand funding challenges that federal agency IT departments face as they implement zero-trust security architectures, according to Sean Connelly.

Speaking at the ATARC Zero Trust Summit on Tuesday, the Cybersecurity and Infrastructure Security Agency’s senior cyber architect said the group — chartered under the Federal Chief Information Officer (CIO) Council — meets about once a month to discuss how agencies are moving forward in spite of tight budgets.

The CIO Council has multiple working groups in addition to its four principal committees. Working groups must be approved by the council’s executive committee and have a clearly defined scope, goals and deadlines for the completion of deliverables.

Ever since the White House issued the Cyber Executive Order in 2021, requiring agencies to submit zero-trust security architecture implementation plans, CIOs and chief information security officers have expressed concerns the money isn’t there.

“We are starting to see agencies receive funding toward zero trust initiatives,” Connelly said.

A voting member on the Technology Modernization Fund Board, he pointed out that the U.S. Agency for International Development was awarded $5.6 million Aug. 3 to accelerate its transition to a new identity, credential and access management (ICAM) solution.

USAID now estimates more than 50% of users will be onboarded to the passwordless technology by fiscal 2024.

“TMF funding will allow USAID to accelerate its zero trust initiative across an anytime, anywhere organization of over 13,000 end users worldwide, improve customer experience, and reduce mission risks as it helps execute the administration’s foreign assistance and development priorities,” said Paloma Adams-Allen, deputy administrator for management and resources, in the announcement.

Other avenues agencies have for cost-effective implementation of zero-trust security include CISA’s Federal High-Value Asset program, which helps them protect their most sensitive data, as well as Trusted Internet Connection (TIC) 3.0 overlays.

Connelly manages the TIC program, which provides agencies with modern security architectures for protecting their IT environments through use cases complementing the five pillars of the Zero Trust Maturity Model. TIC overlays let cyber vendors map their services to the program’s capabilities.

Vendor assistance is also key to modernizing the Federal Risk and Authorization Management Program (FedRAMP), which the TIC team coordinates with and which has seen an increasing number of cloud services authorized to handle the most sensitive unclassified data.

“We’ve seen a number of FedRAMP High baselines have started to be accelerated as agencies are moving some of the most sensitive data to the cloud,” Connelly said. “It’s critical that the vendors are able to provide these types of services to help the agencies as they move to TIC 3.0 and [Secure Access Service Edge]-type solutions.” 

CISA, together with the Office of Management and Budget and the U.S. Digital Service, continues to review agencies’ zero-trust security architecture implementation plans to understand their needs and gaps, as well as challenges shared across agencies.

That information is relayed to the CyberStat working groups that CISA hosts once or twice monthly for about 600 federal officials and contractors to discuss implementing the pillars of zero trust: identity, devices, networks, applications and workloads, and data.

“I think we’re helping agencies move forward as well as we can,” Connelly said.

GSA to set baseline requirements for cloud providers through Ascend https://fedscoop.com/gsa-baseline-cloud-requirements-ascend/ Thu, 04 Aug 2022 15:53:56 +0000 https://fedscoop.com/?p=57305 Requirements will emphasize Cloud Smart objectives and cybersecurity supply chain risk management while providing agencies an open source experience.

The post GSA to set baseline requirements for cloud providers through Ascend appeared first on FedScoop.

The General Services Administration wants to establish minimum baseline requirements for cloud providers and labor services with the Ascend blanket purchase agreement, according to a draft performance work statement.

Requirements will emphasize Cloud Smart objectives and cybersecurity supply chain risk management (C-SCRM) in keeping with the National Institute of Standards and Technology guidance and Cyber Executive Order.

GSA intends the Ascend blanket purchase agreement (BPA) to streamline agencies’ acquisition of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), Anything as a Service (XaaS), and related IT services that are unavailable under the Multiple Award Schedule or governmentwide acquisition contracts by leveraging their common cloud requirements.

“Integration of these requirements, along with zero-trust architecture principles, will reduce the risk of evolving threats; mitigate impacts of negative cybersecurity incidents; and ensure the confidentiality, integrity and availability for customers’ cloud solutions,” reads the draft performance work statement.

Baselines will include use of DevSecOps, continuous integration/continuous deployment, minimizing downtime, meeting emerging needs, and conservation of resources.

Under Ascend, cloud providers will be responsible for obtaining and maintaining Federal Risk and Authorization Management Program authorizations for their solutions at the appropriate levels. GSA will determine if independent cyber assessments and evaluations warrant the suspension or termination of Ascend awardees and share those recommendations with Department of Defense Cloud Authorization Services or FedRAMP, which can suspend or terminate authorizations.

The Ascend BPA will consist of three primary pools and a growing number of subpools on-ramped to account for new capabilities and technologies.

Pool 1 covers IaaS and PaaS solutions, with unclassified and classified subpools; Pool 2 covers SaaS solutions; and Pool 3 covers cloud IT professional services.

The Ascend BPA is part of GSA’s Cloud Marketplace vision, under which agencies implement their own cloud acquisition strategies.

GSA hasn’t determined award dates but plans to release more information via eBuy and SAM.gov once interested vendors respond to its request for information by 5 p.m. EST on Aug. 8, 2022.

The agency wants the Ascend BPA to offer an open source experience.

“This will enable full data accessibility, ownership and portability for the government, and facilitates a government model for the reuse of common applications that would function across multiple agencies,” reads the performance work statement.
