“This is the modern-day arms race. We are constantly coming back against them.”
 — BRIAN HUSSEY VICE PRESIDENT FOR FEDERAL, SYMANTEC
 back inside the perimeter to access or change data in the on-site data center.
Challenges aplenty
Even agencies that are committed to adopting new cybersecurity tools and policies as called for in the White House’s IT modernization report face significant challenges.
Tight budgets, of course, remain a constant concern. And according to Hol- gate, the complexity of securing hybrid networks has blurred the lines between agencies’ network administrators and DevOps teams.
In a hybrid environment, he said, “re- sponsibility shifts significantly more to the DevOps team to be more responsible for security. They need to have the skills that enable them to do that well.”
NIST cybersecurity specialists say guidance from legislation such as the Federal Information Security Manage- ment Act and programs such as the Federal Risk and Authorization Manage-
ment Program are a big help.
“FISMA and FedRAMP provide frame-
works that we can work from,” Fowler said. He added that NIST had already begun screening web platforms and ser- vices, “so when FedRAMP rolled out, we were just thrilled that what we were do- ing was now being done by some other agency.”
At the same time, “FedRAMP is not going to get every tool that NIST wants, but we already have processes in place on how to deal with that so we are not lim- ited to just what is in FedRAMP,” he said.
Agency cybersecurity officials also say the multiple levels of security required in today’s computing environments and the plurality of tools involved at each level can be problematic. “Working to inte- grate them is always a challenge,” Schil- ler said. “There is complexity and there is cost. But I think the thing that our us- ers get most aggravated about is length of time to implement new technologies.”
Holgate said that is certainly true
of the suite of some 169,000 tools be- ing assembled by the Department of Homeland Security for the Continuous Diagnostics and Mitigation program. Al- though the tools are welcome, there are shortcomings in integration and interop- erability, he added. And in some cases, the tool development is not keeping pace with changes in technology.
In fact, according to a DHS official, al- though the CDM program has always fo- cused on moving from protecting data in on-premises networks to protecting data wherever it is located, those data-centric tools are part of Phase 4 of CDM, which is still in the planning stages.
In the meantime, agencies must do the best they can with the best tools available. “This is the modern-day arms race,” Hussey said. “It’s a multibillion-dollar criminal enterprise that we are fighting, and they are constantly coming up with new and innovative ways to penetrate the networks. We are constantly coming
back against them.” •
GCN FEBRUARY/MARCH 2018 • GCN.COM 39