Cybersecurity experts stressed this week that Federal agencies must keep stay focused on future threats and on moving toward adoption of zero trust security concepts, although they acknowledged that the latter tasks is “easier said than done.”
During a GovernmentCIO event on March 31, Katie Arrington, CISO for acquisition and sustainment at the Department of Defense (DoD), and Will Loomis, supply chain cybersecurity lead at the Atlantic Council, spoke at length on the importance of resiliency, risk reduction, and supply chain security.
In terms of what recent large-scale cyberattacks mean for the cloud security supply chain, Loomis explained that the United States’ “enemies are looking to maximize the blast radius of their operations.” They want to exploit high-level, large-scale administrator or security tool software with significant levels of permissions, he said.
“These systems provide great value for the enemy because of their ability, through compromise of the system, to get deep into networks on a massive scale, particularly within the environment,” Loomis explained. “The problem with these systems, [is that they are] a huge pool of risk and aren’t properly protected, or equally protected, for the amount of risk they provide.”
Arrington agreed, and said that while government must understand that nothing will ever be 100 percent secure, agencies should “do your ardent best from the get-go to ensure that whatever software [or cloud] you are using … should have risk reduction built in.” She also stressed that agencies need to move towards zero trust security.
Loomis built on the importance of zero trust, but reminded agencies that deploying zero trust isn’t something that will happen overnight. “There isn’t an ‘enable zero trust button’ on your desk you can smash that makes everything easy to put into effect.” Rather, he said, “it is a pretty complicated process and much easier said than done.”
Arrington touched on the need for information and threat sharing, both between agencies and with private sector partners. “It’s that thought process, that critical thinking, that we need to start embedding,” she said. “Threat and risk will continually evolve – adversaries will continue to evolve and change.” Information share, she said, will help the government stay ahead of its adversaries.
Stressing the need for critical thinking, Arrington pivoted to discussing the Cybersecurity Maturity Model Certification (CMMC) program. She said, “the CMMC is not a checklist about compliance, it is about critical thinking about cybersecurity.”
Regarding both CMMC and FedRAMP, she said IT teams must ensure their cloud service providers (CSPs) comply with regulations. She said IT teams need to bring conversations about the importance of compliance to their C-Suite, find out what certifications the CSP provider has, and make sure they are current and update to date. She stressed that these should be top-level conversations, because “your business depends on it.”
Arrington added that agencies “tend to buy a Maserati and drive it like a Ford.” She said agencies tend to “buy by requirement” and end up getting additional features and capabilities in the software purchased. Agencies, she explained, should make sure they are using capabilities they’ve already purchased and avoid buying duplicative features.
Looking to the future, Arrington said that when it comes to CMMC, “a rising tide lifts all boats.” Agencies embracing CMMC, “raises the tide for the whole Federal government as it works towards the collective better.”
Loomis added that agencies need to keep their eyes forward. He said that agencies that focus on what threats have already surfaced and protecting themselves against those past threats, “puts [agencies] in a horrible position.” Rather, he said, “We need to look forward and make sure we are position for the next tier of threats and not the ones that came from the past.”
