Many federal agencies accelerated their shift to cloud services at the beginning of the COVID-19 pandemic due to increased telework, but some weren’t prepared for the accompanying security challenges.
“Plenty of federal agencies had established processes and procedures, but the majority had to refine what those look like and acquired new software technologies,” said Government Accountability Office Director of Information Technology and Cybersecurity Jennifer Franks at a GovExec event last week. “Most were not prepared overnight to go from a few percent working from home to maximum percent.”
Even though CISA, OMB and NIST quickly released telework security guidance for federal agencies, agencies still accepted security trade-offs as they rushed to stand up telework capabilities.
“There are additional cybersecurity risks from managing inside your network to helping to secure your facility from inside homes across your agency where everyone may live — a lot of federal agencies do have policies in place for employees to use network devices, but no one wanted their services or missions to be delayed, so there were policies and procedures that were redefined and reestablished,” Franks said.
Franks observed another trend during the pandemic: federal agencies using CARES Act funds to ramp up their IT infrastructure modernization. The Department of State, for example, used some of its CARES Act funds to support cloud migration.
“A lot of agencies have plans, long-term plans, to provide some of their services and migrate some of their IT platforms to the cloud, but COVID-19 accelerated this effort as well,” she said, highlighting collaborative efforts with the Department of Health and Human Services such as a working group with the HHS Assistant Secretary for Preparedness and Response (ASPR). “Members are all at the state, local, tribal and U.S. territorial level, so they're bridging everyone in this work group to come and share their information. They are communicating, they are sharing what they have, what they know, and they are collaborating.”
Chris Kubic, CISO at Fidelis Cybersecurity, said he sees private companies exploring zero trust architecture to boost telework security, in addition to complying with the Cybersecurity Maturity Model Certification (CMMC) and the NIST Cybersecurity Framework.
“[Zero trust] can do a better job of dealing with access where the risk is very variable,” Kubic said. “I think the challenge is how do you ensure there is actual true compliance with those standards.”
Due to the COVID-19 pandemic’s impact on cybersecurity, Franks thinks the Biden administration will create new positions to handle the growing scope of cybersecurity, from telework considerations to the information and communications technology (ICT) supply chain.
“We have many, many, many findings that say, hey, [ICT supply chain] is a problem,” she said. “There are thousands of recommendations over the last couple decades. We go into agencies and say, hey, your information security programs have improvements, but weaknesses and deficiencies still exist.”
More funding for IT modernization and cybersecurity efforts could help, she added.
Biden’s $1.9 trillion stimulus package includes $10 billion for IT modernization and cybersecurity needs at federal agencies. Of that $10 billion, $9 billion will go to CISA and the GSA, $200 million will go to hiring IT and cybersecurity professionals to narrow the stark cyber workforce shortage, and $690 million will go to incident response and continuous monitoring of government networks.
Regardless of how much funding federal agencies receive for IT, Franks emphasized shifting from a reactive to a proactive approach to cybersecurity, especially during the telework era.
“[Reacting] — the government has a bad habit of doing that,” Franks said. “A good data security strategy is one that is more proactive and not just reactive. You could apply cyber and data security upfront to be preventive. If you implement strong access controls to protect confidentiality at your first step, there's going to be plenty of facets for building a strong cybersecurity program.”