Dive Brief:
- Federal agencies have made “tremendous progress” toward implementing cybersecurity upgrades mandated in President Joe Biden’s 2021 executive order, according to House testimony from Christopher DeRusha, the deputy national cyber director for federal cybersecurity and federal CISO.
- The federal government is rolling out commercial-grade endpoint detection and response (EDR) capabilities to 26 government agencies, according to testimony from Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency. Deployment should reach 53 agencies by the end of the fiscal year, Goldstein said.
- CISA, working with partner agencies, has added new contract language requiring federal contractors to share threat information. The agency also worked with the National Institute of Standards and Technology (NIST) to develop an inventory of critical software and to place strict development and security controls on software providers, according to written testimony from Goldstein.
Dive Insight:
DeRusha and Goldstein were part of a hearing Tuesday before the Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection and Innovation, chaired by Rep. Yvette Clarke, D-NY.
The hearing took place a little more than a year after President Biden signed the executive order (EO) to bolster U.S. cybersecurity in the wake of the Russia-linked supply chain attack on SolarWinds in 2020, the March 2021 Microsoft Exchange Server attack linked to China and the May 2021 ransomware attack on Colonial Pipeline.
The SolarWinds attack exposed many of the inherent weaknesses of the U.S. IT infrastructure and cyber defense capabilities. The state-linked threat actor, dubbed Nobelium by Microsoft, lingered in the IT systems of key U.S. government agencies and major private sector technology companies for months, before it was detected by FireEye Mandiant.
“The bottom line here is we can no longer rely on the outdated, perimeter-based approach – or digital walls – that we’ve used to keep sophisticated actors from gaining unauthorized access to our systems,” DeRusha said.
CISA has gained more visibility into the security of federal agencies through improvements made to its Continuous Diagnostics and Mitigation (CDM) program. The agency updated the CDM system with a dashboard, which provides detailed information on vulnerabilities, configuration flaws and asset status across 65 federal agencies, according to written testimony from Goldstein.
Officials stressed that a great deal more investment is needed to modernize government IT systems, and additional steps are being taken to implement multi-factor authentication and secure an increasingly mobile federal workforce.
Katell Thielemann, VP analyst, security and risk management at Gartner, said the EO represents the start of a long journey for the Biden administration, but work remains before the government and private sector are truly able to combat modern state-sponsored adversaries.
“As progress is made it should help agencies improve their risk profile,” Thielemann said, “but the threat landscape keeps evolving.”