CMS, CISA Tackling Cybersecure Services

The White House’s recently established Office of the National Cyber Director will work with agencies to help them prioritize and apply Technology Modernization Fund (TMF) funding to high-value assets and external facing services such as health care. The office will also help agencies secure additional funding.

“I feel like the creation of that office, in combination with EO14028 [on improving the nation’s cybersecurity], is really going to help in highlighting this issue across all the agencies,” Valerie Cofield, CISA’s chief of strategy, policy and plans, said at GovCIO’s Women Tech Leaders event Thursday. “We’re hoping that spotlighting the budgetary shortfalls that are in these agencies as well as providing a fund to help with some of those gaps should be one step forward in this area.”

Cybersecurity can provide unique challenges at customer-facing agencies like the Centers for Medicare and Medicaid Services. CMS processes millions of user identities and personal private health data across its Medicare, Medicaid and HealthCare.gov marketplace services.

“What we’re working on right now with the implementation of zero trust architecture is taking the executive order and really tailoring it to CMS and tailoring it to some of our needs,” said CMS Digital Services Executive Director Andrea Fletcher at the event.

For example, Medicaid mostly serves people who are below the poverty line, which means that cybersecurity measures have to account for some customers’ limited access to technology.

“Often we’re trying to provide equitable security,” Fletcher said. “We have people who don’t have access to a phone or computer. So, how do we provide two-factor authentication if somebody doesn’t have a phone, right? That’s definitely a huge challenge for us.”

Services like the marketplace, which Americans typically interact with only once a year when they sign up for coverage, also bring about their own challenges when it comes to implementing zero trust principles. Over the course of a year, many people may change their name or address, or they get a new device. CMS has to match those individuals in their systems and make sure they are who they say they are.

CMS was one of the early recipients of the TMF, which provides funding for agencies to modernize their infrastructure and build in security.

“In the American rescue plan, there was a billion dollars that was dedicated to help improve cybersecurity,” Cofield said. “This billion dollars was put into the technology modernization fund, and really the goal of that fund is really to help replace these legacy systems and to modernize and put cybersecurity into the systems. But it’s hard, it’s complicated, and even though a million dollars sounds like a lot, it’s really just a down payment.”

The Office of the National Cyber Director will be working with agencies to help them prioritize TMF funding and also secure new funding, with a focus on high-value assets and external facing services. CISA’s National Risk Management Center works to identify what some of those high-value assets are.

“What we’re doing in our National Risk Management Center is really looking at those critical functions and trying to decompose them so that we can get to what we call our high-value assets and figure out, since we do have limited resources, how we can secure those,” Cofield said.

Cofield said that in the late summer or early fall CISA expects to release its baseline cybersecurity performance goals for the critical infrastructure sectors, which include health care and public health.

“Each sector has its nuances, and there probably will be things that need to be tailored, but we’re starting with a broad approach to raise the standard and the baseline standards across all critical infrastructure,” Cofield said.