As modernization sweeps across the federal government, agencies are taking in new data and systems that make attractive targets for attackers. The timing is unfortunate: attackers continue to find new ways to penetrate and exploit federal networks, forcing agency CIOs and IT teams to work out how to keep agency applications and software from being exposed and exploited.
In response to this growing threat to federal applications, software, and IT infrastructure as a whole, advisory bodies such as the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security (DHS) have been publishing guidance to federal agencies on how to secure their software development practices and their supply chain risk management.
In November 2022, Red Hat held its annual Government Symposium, where experts from across the country met to examine how government and industry leaders can work together to build cyber resiliency, automate IT operations, and apply data science throughout the federal government.
One session at the symposium, a fireside chat moderated by Red Hat's John Dvorak and titled "Stacking the Odds – Using a Multi-Layered Defense Against Cyber Attacks," brought together senior government IT and cybersecurity leaders. The participants were:
- Kenneth Bailey, Section Chief for Capabilities, Data, and Integration at Cybersecurity and Infrastructure Security Agency (CISA)
- Jon Boyens, Deputy Chief of the Computer Security Division within the Department of Commerce’s National Institute of Standards and Technology (NIST)
- Sandra Lopez, CIO for Enterprise and Cyber Solutions Operations at Leidos
During the discussion, the panelists explained how agencies can use federal guidance and resources to strengthen their software development security strategies, and examined what it will take for the federal government to build resiliency across its IT infrastructure.
Leveraging federal guidance
In May 2022, NIST released Revision 1 of SP 800-161, "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations." Earlier in the year it had published Version 1.1 of its Secure Software Development Framework (SSDF, SP 800-218). Dvorak opened the panel by asking how government agencies can put these documents to use to better defend against cyberattacks.
Boyens explained that one of the major contributions of these two documents is guidance on how to move "left of center" and examine how software is actually being developed, rather than inspecting it only after the fact. Both documents are closely tied to Executive Order (EO) 14028, issued in the wake of the SolarWinds compromise.
Both the EO and the NIST documents focus heavily on the security of agencies' software supply chains. For the SSDF specifically, Boyens explained that the framework is structured so that any type of organization can adopt and implement it.
Securing federal software development
But before agencies can begin implementing such a framework, what preparation and prerequisite steps must they take?
According to Boyens, "One of the beauties about the frameworks is they are workable for all types of maturity of an organization. If you're a very mature organization, and you're already using a lot of secure software development practices, it's plug and play… If you're new, it refers to different standards that can help you get going for the 'prepare' stage… It's a piece of the framework where an organization looks at its different policies, it looks at the infrastructure that the software is going to be developed in, looks at roles and responsibilities, it looks at how it's going to incorporate third-party components. It's really an iterative process."
CISA’s here to help
Dvorak then turned the conversation to CISA and how the agency is evolving its approach to protecting federal critical infrastructure through government-wide programs.
According to Ken Bailey, "There's two really big drivers when it comes to what CISA is trying to do." The first is getting cybersecurity information distributed throughout the federal government. "DHS, CISA, and the federal government have not been great at spreading the wealth and getting information out to the agencies quickly," said Bailey. "So, CISA has been making a lot of effort to pull our intelligence and push it out to the end-users and realizing that through other programs, like Continuous Diagnostics and Mitigation (CDM)."
Bailey explained that the best way to build a layered cyber defense is to give agencies more information, and that the main roadblock to delivering that information is speed. "The longer it takes for us to do these things… the harder it is on you… We are doing all the automation that we can to ensure that when you call us, you are not waiting… but getting you the same data that our analysts have on the back end, so that you and I are talking about the same things and that there isn't some barrier between the secret sauce that I'm looking at and stuff that you should have access to."
Deploying the architecture
As for CISA's own cybersecurity architecture, Bailey said the agency is working to shorten the turnaround time for deploying a full architecture to other agencies. "The traditional kit that we deploy is four very large Pelican cases full of equipment. And it requires a freight shipment to arrive on-site… Anybody that's involved with government procurement knows that I cannot procure freight very quickly," explained Bailey. To speed this up, CISA has been moving the parts of the kit that do not need to be on location into the cloud, so that only sensors are deployed on-site.
"We can stream back to either the network I run in Virginia or into one of our cloud environments," said Bailey. "It's 'How do I get that entire system pushed towards ensuring that the analysts have access to all the tools they need and all the data they need without a huge burden or time delay for the customer?'" According to Bailey, CISA has been using tools such as Red Hat OpenShift to automate kit deployment and get it into the field sooner rather than later.