GITEC 2018: Cybersecurity Can’t Be an Afterthought During IT Modernization

As agencies embark on IT modernization efforts and revamp legacy systems, they can’t forget about cybersecurity. As the White House IT modernization report makes clear, it must be a central element to modernization strategies.

Federal IT leaders have internalized this and know that there is always more to do to enhance cybersecurity as they upgrade their technology. Speaking on a panel at GITEC Summit 2018 in Annapolis, Md., on April 23, IT leaders said they are pushing ahead on cybersecurity on several fronts.

Rod Turk, acting CIO of the Commerce Department, said that agencies need to graduate to a “higher level of cybersecurity by baking in cybersecurity as you move forward” because “if you don’t and you try to bake it in later, it will cost more money and not be as effective.” Turk compared such efforts to a Winchester house, in which rooms are added later without any master plan.

“Don’t make cyber an afterthought,” Turk said. “You really have to know the architecture and you have to be in it.”

Several other officials on the panel noted efforts they are taking to improve cybersecurity. By the middle of May, each of the CFO Act agencies will feed their cybersecurity threat dashboards into a federal dashboard as part of the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, according to Kevin Cox, program manager for CDM at the DHS. And the Small Business Administration is taking part in a pilot program to remake the Trusted Internet Connections initiative, which serves as a secure gateway between federal networks and external network connections, including connections to the internet.

SIGN UP: Get more news from the FedTech newsletter in your inbox every two weeks!

CDM Program Gets Revamped with More Dashboards

CDM, launched in 2013, allows agencies to monitor their IT systems and then respond almost instantaneously to vulnerabilities. The program enables agencies to prioritize the risks based on severity in an effort to let cybersecurity personnel mitigate the most significant problems first. CDM offers commercial off-the-shelf tools — hardware, software and services — that agencies can access via a central fund. The DHS runs the CDM program with the General Services Administration.

Last August, as Federal News Radio reported, the DHS and the GSA released the first new task order, called DEFEND (Dynamic and Evolving Federal Enterprise Network Defense), under the Alliant governmentwide acquisition contract. DEFEND replaces blanket purchase agreements that expire this August. The DHS and the GSA are taking bids from systems integrators to compete for task orders. The DEFEND task orders will allow the DHS and the GSA to issue requests for service for discrete kinds of cybersecurity work, including the cloud, access management, mobile and more.

Each of the CFO Act agencies has a dashboard in place that monitors cybersecurity threats detected by sensors on their networks and in their IT environments, Cox noted. Some agencies still need to deploy sensors. DHS now wants to ensure that the data generated by those sensors is as clean as possible for the federal CDM dashboard, which was deployed earlier this year.

The federal dashboard now has 12 of the 24 CFO Act agencies reporting into it, and the White House IT modernization report requires all agencies to do so by May 12. Cox said DHS is “on track” to achieve that goal.

From left: Kevin Cox, Guy Cavallo, Rod Turk, Bill Newhouse and Karen Evans discuss cybersecurity at the GITEC Summit 2018. Photo: Phil Goldstein

Once that happens, the agency will want to make practical use of the data, and the federal dashboard will be operationalized in the National Cybersecurity and Communications Integration Center, which provides 24/7 cyber situational awareness, incident response and management for the government.

The NCCIC will use the dashboard information whenever there is a major cybersecurity incident such as the WannaCry malware attack of 2017, Cox said. The NCCIC will use the dashboard to “scan across the federal enterprise” and determine which agencies may need to patch to guard against vulnerabilities.

The DHS is also working with smaller, non-CFO Act agencies to deploy a shared service that will provide them with a CDM dashboard. The shared service received authorization at the end of March, Cox said. The DHS is working with the first four smaller agencies, which Cox declined to name, to get sensors deployed so that data can be fed into the multitenant dashboard. By the early summer, the DHS expects that to begin feeding into the federal dashboard.

TIC Program Will Get an Upgrade

Agencies have complained that the TIC program inhibits their cloud migration efforts, and the White House and DHS want to revamp it. Guy Cavallo, the deputy CIO of the Small Business Administration, noted during the panel that the SBA has been selected as one of the agencies to conduct pilot projects to see if there are ways to modernize the TIC.

By June 11, the SBA will be done with the pilot and will release a report with its recommendations, Cavallo said.

Jack Wilmer, senior policy adviser for cybersecurity and IT modernization in the White House’s Office of Science and Technology Policy, spoke separately at GITEC and said that the Census Bureau is conducting a pilot. The goal, he said, is to update the TIC reference architecture to find better ways of connecting to commercial clouds.

If the pilots prove successful, Wilmer said, the TIC reference architecture will be updated following an evaluation from the DHS, the GSA and the Office of Management and Budget. That will then allow other agencies to make use of the new approaches, he said.

For our all of our articles from the conference, check out FedTech’s coverage of the GITEC Summit 2018 here.