The cybersecurity executive order charges federal agencies to manage risk across the U.S. government as a whole, holds agency heads personally responsible for the protection of their networks and places modernization efforts at the forefront of a greater push to bolster computer security. The order requires all departments and agencies to review the security of their IT systems using the risk management principle outlined in the National Institute of Standards and Technology’s Cybersecurity Framework.
How that framework applies to each unique agency is a challenge, one exacerbated by the fact that reports on agency IT systems are to be completed in a few weeks. Cisco Systems has a wealth of expertise when it comes to aligning enterprises with the framework. Two of Cisco’s experts — Senior Director of Security Sales Will Ash and Public Sector Cybersecurity Specialist Steve Caimi — spoke with CyberScoop on how agencies can adapt their particular systems to the framework.
CyberScoop: So the Cybersecurity Executive Order makes a lot of references to the NIST framework. Yet that framework is just that: A framework — as opposed to hard and fast rules — for how agencies should manage cybersecurity risk. What’s the most important thing when it comes to applying the NIST framework that enterprises can apply to their unique networks?
Steve Caimi: One of the things that really strikes me, when I look at the executive order, is the focus on managing risk efficiently and effectively. But to your point, each agency faces a different risk profile. That’s exactly why the cybersecurity framework is powerful. Adopting the cybersecurity framework in a federal agency means going through it, developing a current profile, and understanding that agency’s risk.
Then, the second part of that is going and developing the target profile to figure out where the investment needs to be made. Because the cybersecurity framework is so simple — identify, protect, detect, respond, recover — those are the aspects of the things that align in terms of the things you need to do before, during, and after an attack.
I was very encouraged that the Trump administration actually took some of the feedback from the Council on Enhancing National Cybersecurity, the commission that President Obama put in place about a year ago. This was one of the recommendations: “Hey, does the cybersecurity framework make federal agencies develop a plan? Does that make sense?”
CyberScoop: Risk posture is such a big deal when it comes to this framework. What’s the most important thing for people to remember when it comes to assessing risk posture?
SC: It’s very, very important to understand not only what risks agencies face, but also what is the appropriate action to take.
The executive order wants agencies to understand “What risks have we accepted?” They don’t have to do everything about every risk, sometimes the agency has compensating controls. Sometimes, there are risks that aren’t that big of a deal for a given federal agency.
So it’s understanding your own risk tolerance and making the acceptance choices. Do we choose to accept the risk? Do we reject it? Do we do something about it, do we mitigate? That risk mindset is so critical in my opinion.
That’s why I’m really encouraged to see this kind of terminology in the executive order. That really picks up on what former Federal CIO Tony Scott and former Federal CISO Greg Touhill instilled in the agency head’s minds: this idea, let’s take a risk based approach. Focus our investment on things that matter the most.
The fundamental question is how can a federal agency dial its risk down to an acceptable level. I think that’s the whole point of these plans that are due within 90 days.
CyberScoop: When it comes to crafting that strategy and assessing that risk, there seems to be a focus on people and process controls. Can you tell me why that is so important?
SC: Technology alone is never going to be 100 percent of the answer. The real mission of what we’re trying to accomplish is effectively managing cybersecurity by making sure that technology works in concert with people and process.
One of the things that strikes us when we look at the cybersecurity framework and try to match technologies to it, is that it really only covers about half of the framework. When you look through the “identify” function, one of the whole categories is on risk management strategy. There’s no technology that satisfies that category.
Another one is “end user awareness and training” in the “protect” function. Yes, there’s learning management systems, but you’re not going to throw technology at that. Same for “incident response planning” and that “response” process. There’s no technology that takes the place of an incident response plan. It’s making sure people know what they need to do.
Will Ash: I think a lot of the bottlenecks that are encountered in today’s cybersecurity environment are really around the people and process areas. Even the most sophisticated and well-designed technology really can’t live up to the potential talent shortages or a lack of talent.
CyberScoop: Let’s talk about automation and workforce: A big challenge for agencies is finding the manpower to cover all of their bases when it comes to cybersecurity. What can agencies do to make sure they cover the framework despite the lack of manpower?
WA: If we looked at a fully integrated security architecture, if it’s simple to deploy, if it’s simple to scale across these large agencies, and it’s simple to manage, all three of those place less of a need on the manpower. So if that piece is there, less burden is placed on the people area.
If we move over to the open architecture, if there’s a security architecture or a risk architecture where all of the key parts are able to integrate with one another and talk openly and share information with each other, that again reduces the need for manual intervention. That is a great segue to the automated piece. If that is able to happen on an automated basis, without manual intervention, it allows for a much more effective security posture which requires less in the form of people or cyber talent.
SC: Another big aspect is to make sure that the humans that we have in our federal agencies protecting these networks are focused on higher value activities. Making sure we can actually integrate solutions, and let the analysis take place, and actually present the most meaningful information for the analysts. We’re sifting out a lot of the noise.
CyberScoop: Agencies are starting to find their footing when it comes to hybrid cloud or hybrid network architecture. What should agencies be doing to integrate the framework and make sure that it applies to the balance that they’re applying between on-prem and off-premise networks and they’re still meeting the framework recommendations?
WA: You make a good distinction of the environments the agencies are facing right now. The reason they’re making those decisions on how to employ their IT is based on what their mission is and how it’s best served.
So let’s take a step back and apply everything we already talked about, which is well framed by the cybersecurity framework, and look at the environment from one end to the other. As you look at that end-to-end, and the way you described it, you’re going to span the traditional on-prem IT infrastructure. And in that end-to-end continuum, you’re going to venture into the cloud. So if you can have a holistic integrated architecture that spans that entire continuum, which by the way was developed again for the mission of the agency, and has architecture that can integrate across those boundaries seamlessly, that’s incredibly effective and important as agencies look at their risk assessment strategy.
CyberScoop: Is this EO a wake-up call to the agency heads that they finally need to pay attention to what the IT shop is saying? Is this EO a good push to bring the leadership in so they finally are paying attention more than they ever have before?
WA: I think that it will serve as a push. I think the other interesting part, however, is this will enable agency heads and agency leadership to specifically get involved with how critical managing cybersecurity risk is in accomplishing the agency’s mission. Before, that may have been assumed. But the agency heads now recognize, they’re focused on the mission, that to the extent now they can become personally involved and accountable for the enabling part that cyber security plays in that mission. I think that’s another tremendous benefit of calling out the accountability of the agency head.
SC: We’ve been analyzing the cybersecurity framework and really all of these best practices for quite some time. So we at Cisco have actually put our cybersecurity products and services in the context of the NIST Cybersecurity Framework. But in part because an agency who picks up and actually acts on this executive order and once they’ve developed their target profile, they can come to Cisco and say, “Hey, can you help us with this?” And the answer is yes. We’ve already put our whole cyber portfolio in the context of the NIST Cybersecurity Framework and many other best practices to make this conversation extremely easy to have.
At Cisco, our mission is to help agencies efficiently and effectively manage their cyber risks, and we’re ready to help them take action on the Cyber Executive Order today.
You can find out more about Cisco’s risk-based approach on its website.