Agencies Pivot Cybersecurity Strategies to Meet New EO Requirements

Technology leaders at the Government Accountability Office (GAO), Department of Veterans Affairs (VA) and National Aeronautics and Space Administration (NASA) are bolstering cybersecurity strategies to meet cross-cutting federal cybersecurity goals.

Following President Biden’s Executive Order on Improving the Nation’s Cybersecurity, federal agencies reevaluated what it means to be “secure,” and implement new models like zero trust to take a more proactive approach on cybersecurity.

“We’re trying to move to a software-defined network access infrastructure. This is going to provide us with the micro-segmentation that we need, and it lays out a critical foundation as we move toward zero trust,” Mike Witt associate chief information officer for Cybersecurity & Privacy Division at NASA said during FedInsider’s Government Cybersecurity webinar.

Improving supply chain security is a top priority for NASA. The agency first started developing supply chain risk assessment capabilities in 2013, and created an Assessed and Cleared List to identify suppliers, components, products and services that have proactively undergone supply chain assessments and meet NASA’s implemented thresholds.

NASA also developed continuous monitoring for approvals to have real-time data on these assessments, should statuses change. Witt recommended other agencies develop a community of practice to share best practices and experiences, as well as common supply chain terminology to better understand supply chain standards, processes and procedures.

“This is important as you work across the inside of your organization,” Witt said. “You need to understand what that terminology is and how your processes work.”

Jennifer Franks, director of IT & Cybersecurity at GAO, said her agency integrated the EO’s terminology so it could effectively implement and understand the new requirements. Franks works to ensure other federal agencies have a “third party context” to Congress to highlight cybersecurity implementation progress as well as challenges.

“We work with Congress to understand how agencies are progressively improving, or not, and where some of those outliers are,” Franks said. “Bringing all of those stakeholders to that environment to understand what is needed to really be invested into this new zero trust architecture and the supply chain movements of your organization.”

Franks recommended agencies leverage the tools they have, like IT services, then streamline reporting requirements to align with the goals in the cybersecurity EO. Agencies also need to appropriately document cybersecurity costs, and develop a “risk-based budget projection” to help with planning and response efforts.

At VA, Gary Stevens, executive director for Information Security Policy and Strategy, said COVID-19 required his agency to leverage existing capabilities and expand upon them to meet the increased demand for secure virtual services to veterans.

“It helps put things in context, and then align it accordingly with some of the EO objectives,” Stevens said. “That’s been one of the major pushes that we’ve done to make sure that we’re making the most sense of what we already have, filling in the gaps where we need to, and then addressing it accordingly and moving forward.”

Looking ahead, Stevens sees the EO as a “gamechanger,” and said the VA will integrate the goals of the EO into its decision-making process.

“[The EO] really does propel the overall cybersecurity state across all the federal space. The ones that I think are really the most crucial in that realm are zero trust architectures and then what we’ll be able to do across cloud,” he said.