CISA, DISA are Focusing on Transparency to Secure Supply Chain
SBOMs and transparency are key to resilient cybersecurity models.
Large-scale incidents such as the Log4j vulnerability and the SolarWinds supply chain compromise have prompted federal cybersecurity leaders to “know what’s under the hood” of their applications, leveraging software bills of materials (SBOMs) to drive resiliency and security management.
“Log4j has really taught us that it’s not just enough to say, ‘well, my asset management knows this…’ We need to know what’s under the hood,” CISA Senior Advisor and Strategist Allan Friedman said at the Billington Cybersecurity Summit in Washington, D.C., Thursday. “SBOMs are saying ‘this software depends on this software, depends on this software.’ It’s a nice little tree. It’s a list of ingredients.”
SBOMs enable organizations to respond quickly, efficiently and cost effectively, driving cyber resiliency. DISA’s Hosting and Compute Center (HaCC) technical director Korie Seville said his agency is looking at cybersecurity in two parts: vulnerability patching and remediation, and responding once an adversary is already inside the environment.
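The “list of ingredients” use case above, as an added example that is not part of the original article or of any CISA or DISA tooling: a small walker over a CycloneDX-style SBOM that answers the question Friedman describes, namely which shipped component carries a vulnerable library and which direct dependency dragged it in. The SBOM, the application and the package names are constructed for this example; the log4j-core version range (2.x below 2.15.0) is the one the Apache advisory gives for CVE-2021-44228.

```python
"""Walk a CycloneDX-style SBOM to find which top-level package pulls in a vulnerable component."""
import json
import re
from typing import Callable, Dict, List

# Constructed sample SBOM in the CycloneDX 1.4 JSON layout. The application,
# its dependency graph and the com.example packages are invented for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "ticketing-service", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:maven/com.example/report-lib@1.4.0",
         "group": "com.example", "name": "report-lib", "version": "1.4.0"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
         "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/com.example/http-client@5.0.1",
         "group": "com.example", "name": "http-client", "version": "5.0.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/com.example/report-lib@1.4.0",
                                     "pkg:maven/com.example/http-client@5.0.1"]},
        {"ref": "pkg:maven/com.example/report-lib@1.4.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]},
        {"ref": "pkg:maven/com.example/http-client@5.0.1", "dependsOn": []},
    ],
})


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints (pre-release tags are dropped)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def log4shell_affected(component: Dict) -> bool:
    """True for log4j-core 2.x below 2.15.0, the CVE-2021-44228 range from the Apache advisory."""
    if component.get("group") != "org.apache.logging.log4j" or component.get("name") != "log4j-core":
        return False
    return (2, 0) <= parse_version(component.get("version", "0")) < (2, 15, 0)


def find_dependency_paths(sbom: Dict, matches: Callable[[Dict], bool]) -> List[List[str]]:
    """Return every root-to-component path (list of bom-refs) whose last component satisfies `matches`."""
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    hits: List[List[str]] = []

    def walk(ref: str, path: List[str]) -> None:
        if ref in path:  # cycle guard: real dependency graphs are not always trees
            return
        path = path + [ref]
        comp = components.get(ref)
        if comp is not None and matches(comp):
            hits.append(path)
        for child in edges.get(ref, []):
            walk(child, path)

    walk(root, [])
    return hits


def affected_paths(sbom_json: str) -> List[List[str]]:
    """Paths from the application to every log4j-core component in the affected range."""
    return find_dependency_paths(json.loads(sbom_json), log4shell_affected)


def report(sbom_json: str) -> List[str]:
    """One line per hit, naming the direct dependency that brings the affected component in."""
    lines = []
    for path in affected_paths(sbom_json):
        via = path[1] if len(path) > 2 else "(direct dependency)"
        lines.append(f"{path[-1]} reached via {via}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SBOM):
        print(line)
```

The path, not just the hit, is what makes the SBOM actionable: here the fix is to upgrade or replace report-lib, not to hunt for a direct log4j-core declaration that does not exist. A version match is a reason to act, not proof of exploitability; whether the vulnerable code is reachable in a given deployment still has to be checked separately.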
“It’s transforming the way you look at security and transforming the way you look at vulnerability management,” Seville said. “There’s vulnerability patching, and how do we deal with that? Do we move more toward environment-as-code … [so] we can make these changes on the fly to secure our environment? That’s only one piece. The other piece is if someone’s in your environment, how do you respond? A lot of that is moving toward better security practices along with a zero trust model.”
DISA is focusing on DevSecOps to better secure its software and perform static analysis. Seville noted that historically DISA has been caught in a “reactive mode” or responsive vulnerability assessment after a breach or attack happens. The agency is pivoting to partnering with industry throughout the acquisition and procurement process to better understand the components and security within applications.
“Having that open line of communication between us helps us to mitigate problems faster, instead of waiting for a vulnerability notification to come out or waiting for a vulnerability scanner to pick it up,” Seville said.
President Biden’s executive order on Improving the Nation’s Cybersecurity (EO 14028) directs agencies toward a stronger security baseline, referencing static analysis tools, multi-factor authentication and SBOM adoption. Friedman explained that these measures will promote transparency and better define responsibility.
“Everything that we know that we need to do to detect and prevent those attacks starts with that level of transparency,” Friedman said.
Seville said that cybersecurity is on a sliding scale of responsibility between the agency and the vendor. Depending on the type of product, there should be a shared responsibility for risk between the provider and consumer. As government moves toward shared services, like commercial cloud platform providers, industry and government should work together to address and mitigate vulnerabilities.
“That true partnership is really going to be the key to securing those things,” Seville said.
“We’ve got a good group of individuals growing together here, and I think that puts us on even better footing as we face down things like SolarWinds, Log4j and other threats that have come our way,” DOD CIO John Sherman said. “Looking at things like SBOMs … and other measures we need to take. It is a group responsibility.”