The Department of Homeland Security is in the process of setting up a supply chain risk management office to report to the chief information security officer, DHS CIO Eric Hysen told GovernmentCIO Media & Research.
The move comes in direct response to the SolarWinds software supply chain breach in December 2020, which affected critical infrastructure and numerous federal agencies and brought IT supply chain risks to the forefront of the national cyber conversation.
Cybersecurity is his “first and foremost” priority as CIO, Hysen said, and the new supply chain risk management office is “in the works” with a team working on “piloting efforts.”
One potential priority of the new office is incorporating a “software bill of materials” (SBOM) to keep track of every single piece of software in a supply chain. The idea of an SBOM is gaining traction in federal IT and cybersecurity conversations.
An SBOM is especially attractive to DHS, Hysen said, because “there are not a lot of standards” for critically assessing software vendors.
“As we look at specifically addressing the SolarWinds breach, we're looking at better evaluating the security of off-the-shelf software and using on our network or giving access to our data,” Hysen told GovernmentCIO Media & Research. “This is a relatively new area and one we're looking to be an aggressive early adopter in.”
Hysen is also interested in a DHS-tailored version of the Defense Department’s Cybersecurity Maturity Model Certification standards, but wants to be mindful of the effect these types of standards could have on small, minority-owned, and women-owned businesses, some of which he said have some of the most innovative and modern cybersecurity practices.
“We're looking at what DOD has been doing with CMMC and looking at different ways to pilot similar efforts at DHS to better assess the cybersecurity practices of our vendors,” he said. “We have some elements in our Homeland Security Acquisition Regulations that may look a little different from DOD, but we're really mindful of one not putting undue burden on our vendors. If it becomes too difficult to work with DHS, we're going to lose really innovative or small and minority- and women-owned businesses.”
One of the first initiatives Hysen launched when he assumed the CIO role in February was the Zero Trust Action Group to share best practices for implementing a zero trust approach to cybersecurity across DHS components.
“Thankfully zero trust is something DHS has been working on for quite a while ... it's a fundamental rethinking of our approach to cybersecurity,” Hysen said. “We're moving from this outdated criminal defense model where if we have the right defenses at the edge of our network, we don't have to be concerned about what goes on inside. We consistently see from sophisticated breaches that's not how our adversaries work.”
Hysen noted some of the early work in this regard has been to stand up cloud access security technologies and gateway systems for remote employees.
President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity “turbocharged” zero trust efforts at DHS, Hysen added.
“The [executive order] is incredibly exciting, probably the most comprehensive reimagining of federal security and IT ever,” he said. “In the areas of zero trust, it's work we've already been doing. One deliverable due this week is our 60-day report on some items including our zero trust action plan across the department. Thankfully these are things we've already been doing. The [order] has been a strong signal of priority for this work.”
Although cybersecurity is “first and foremost” among Hysen’s CIO priorities, data interoperability between components across the department is also important. A few months ago, Hysen stood up a new data operations office to support this effort.
“We made some good progress in standing up a dedicated office under my office [for data],” he said. “While it's something we have the impetus to do, it's deeply tied to DHS' mission.”
The purpose of the office is to strike a middle ground between letting components “do their own thing” and not over-centralizing data collection and dissemination.
“One of the reasons we were stood up as a department was to facilitate information-sharing following lessons learned after 9/11,” Hysen said. “We want to have an office at the department level and undertake some initiatives like a department-wide inventory so we have visibility into what's going on across the department, but structuring that work around a set of data domains that cut across components but are not as broad as the department as a whole. We might see ICE, USCIS, CBP developing an approach in the immigration domain that looks very different from TSA and Intelligence & Analysis in the counterterrorism domain. And that's by design. We're hoping the new team and the new office will expand their focus into providing more tools and resources for the components.”
A major data interoperability focus is streamlining the “handoff” of data between CBP, ICE and USCIS regarding the immigration process. Each component has a part to play in facilitating legal immigration, resulting in lots of back-and-forth communication and data transfer.
Hysen previously worked at USCIS during the Obama administration, where he helped launch USCIS’ Electronic Immigration System (ELIS). This prior experience gives him deeper insight into some of the interoperability issues facing the immigration-focused components.
“[We want to get] noncitizens and unaccompanied kids out of unsafe conditions as quickly as possible and allow law enforcement officers to spend less time filling out paperwork and [focus on] actually keeping us safe,” Hysen said. “I’ve seen and want to do more to take opportunities that the components are surfacing themselves and provide the right forms for cross-department collaboration so we can break down some of these systems for sharing data, processes.”
A successful strategy for doing good at DHS starts with being a servant leader, he added.
“What I saw in my prior work was, the way for someone in my role to be most effective is to be a servant leader and understand what our components need and how we can accelerate that work,” he said.
While at USCIS, Hysen said former DHS CIO Luke McCormick held biweekly meetings with the USCIS CIO and senior leadership around an issue that had received a lot of negative press and “bad GAO reports.”
“His approach was: I trust you, you know what's best for your work, I'm here to get things out of your way and help solve problems for you,” Hysen said. “That really struck me and that's a mindset I've tried to bring into my work as well. [I really want to use] IT as a critical tool to support the mission, whether that is processing at our southern border or enabling us to better support a surge in travel, or strengthening our information-sharing efforts with state and local law enforcement as we seek to counter domestic violent extremism.”