Page 94 - FCW, August 2021

FCWPerspectives
Next steps on the Cyber EO
With zero trust as a stated goal, agencies are mapping their strategies — and funding plans
The May 12 Executive Order on Improving the Nation’s Cybersecurity tasked agencies with an ambitious to-do list; one White House official said it represents a “fundamental shift in our mindset” from incident response to prevention. Equally important, the American Rescue Plan Act’s $1 billion infusion for the Technology Modernization Fund means there is a plausible way to pay for some of those efforts.
FCW recently gathered a group of federal IT leaders to explore what those developments mean in practice — where agencies are focusing their near-term efforts, how existing security programs can adapt and when new investments may be needed. The discussion was on the record but not for individual attribution (see page 94 for full list of participants), and the quotes have been edited for length and clarity. Here’s what the group had to say.
A welcome forcing function
Most participants praised the executive order; several said it validated arguments they’d been making inside their agencies for years.
“You really need to look at using it as a forcing function to get after some of these things that departments and agencies have been told to do for close to a decade in some cases,” one chief information security officer said. “Things like multifactor authentication and encryption — those things just should have been done a long time ago.”
“We’re looking at it as an opportunity to step back, clean up some things that should have been pushed over the finish line a long time ago,” another official said. “And then looking for ways to set conditions to really take zero trust architecture seriously, and really develop an achievable plan.”
A third participant pointed to the push for cloud-based computing and a cloud-based security model, calling them “pivotal points” that “will impact the federal landscape for years to come.”
Another official, who said their agency had been somewhat reluctant to rethink its cybersecurity models, called the order “an all-out charge to permanently change and shift the way we’re doing business.”
There were cautionary comments as well, though. One participant pointed to “a challenging environment where a lot of our systems and work is done on the classified side.”
“I know the EO would like us to get there overnight,” that official said, “but the reality is it’s going to take a very long time.”
Next step: zero trust
Over the course of a 90-minute discussion, the group touched on a wide range of tactics the executive order calls for — everything from software supply chain security and improved logging to standardized contract clauses that spell out vendors’ security obligations. Again and again, however, the conversation returned to zero trust as a cornerstone for future security.
“We’ve experienced pretty serious events over the past six months,” one official noted. “And I think what we’re all seeing is, it is demonstrating that we need a new paradigm to address those risks. And I think to most of us zero trust is a pretty good framework that describes what we need to do.”
Multiple participants said their agencies had been talking about zero trust for some time, but now were moving quickly toward actual implementation.
“It’s accelerating things,” one offi-