Six months after President Joe Biden issued an executive order designed to improve U.S. cybersecurity, the administration is working with federal agencies to ensure that they’re able to fulfill the guidelines outlined in the document.
“We built these policies as a roadmap, a maturation formula to show that agencies can grow into this,” said Steven McAndrews, director of federal cybersecurity in the Office of Management and Budget, speaking at Imagine Nation ELC 2021. “We’re looking forward to coming up with logistical timelines and metrics to assess success properly.”
Treating the EO as a directive rather than a strict requirement also provides agencies with “time for funding to align with their needs,” he added.
The fact that OMB is not requiring specific achievements in specific ways by specific deadlines makes the massive job somewhat simpler for agencies, said Steven Hernandez, CISO for the Department of Education and director of the agency’s information assurance services.
“It lets us focus on the big concepts that we need to secure the agency,” Hernandez said. “The EO is somewhat terrifying, because it’s a lot of work, but it’s refreshing to see how [executive agencies] are coming together to support us.”
Shared Services Assist the Implementation of Zero Trust
The executive order, issued on May 12, requires agencies to adopt security best practices, including implementing zero trust architecture; securing cloud services; using data to analyze cybersecurity risks; and adding the correct technology and number of workers to achieve these goals.
Hernandez noted that many agencies, including his own, already have security capabilities in place. “Maybe they’re not agencywide or fully mature, but at least you’re not starting in a position where it’s all new,” he said.
He was enthusiastic about the possibility of using shared services to accomplish DOE’s goals, which include more secure login methods for remote workers. One shared service in particular — the General Services Administration’s Login.gov — can get agencies a step closer to a zero-trust environment.
“Zero trust may eliminate the need for VPNs,” Hernandez said, and that would cut down on the number of times people have to log in to the network to access their work. “We’re going to start eliminating these duplicative logins. People reuse passwords and usernames. Zero trust gives us a way to get rid of that.”
TMF Money Creates a ‘Jolt’ for Cash-Strapped Agencies
Funding these changes will always be an issue, especially given what GSA administrator Robin Carnahan, in a separate ELC session, called “the disconnect between how government procures technology products and the speed of need.”
The dramatic increase in money available through the Technology Modernization Fund — $1 billion today, compared with $150 million when the TMF began four years ago — provides agencies with a new way to obtain the cash needed to comply with the executive order.
“The TMF has made a dramatic difference in how we’ve been able to fund security in the federal space,” McAndrews said. “A year from now, we’ll be light-years ahead with that jolt of funding from the TMF.”
DOE handles a large amount of sensitive personal data, including information necessary to award financial aid to college students. The agency was awarded $20 million under the new TMF in September to create a zero-trust architecture.
Hernandez said that achieving mature zero trust with regular internal funding would take about five to seven years. With TMF money, he said, “we can do it in two.”