Homeland Committee evaluates federal cybersecurity governance, as Goldstein outlines CISA’s future role

The U.S. Homeland Security Committee on Cybersecurity and Infrastructure Protection conducted a hearing on Wednesday to gauge the effectiveness of federal cybersecurity governance and initiatives, with a specific focus on the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the National Cyber Director (ONCD). While federal agencies bear the responsibility of managing their own risks, CISA plays a pivotal role in addressing the most pressing cyber risks faced by the federal enterprise. To achieve this, the agency relies on accurate and timely data to drive progress and advocates for a proactive and comprehensive approach to cybersecurity.

The hearing focused on assessing federal cybersecurity governance. The witnesses at the hearing were Eric Goldstein, CISA’s executive assistant director, cybersecurity division, and Chris DeRusha, federal chief information security officer at the Office of Management and Budget and deputy National Cyber Director for Federal Cyber, ONCD. 

“Our nation is increasingly facing elusive threat actor tactics in cyberspace, so Congress must ensure the federal government has the innovative tools, clear objectives, and interagency partnerships needed to combat those evolving threats,” Andrew Garbarino, a Republican from New York and chairman of the Subcommittee on Cybersecurity and Infrastructure Protection, said in a recent statement. “CISA has a broad and important operational role in ensuring cybersecurity resilience across federal networks, and ONCD is a key leader in developing cyber policy and implementing the National Cybersecurity Strategy. Next week, this Subcommittee will examine ways to ensure these Federal partners succeed in their missions at a time when we need it most.”

In his testimony, Goldstein wrote that “for the first time, we have real-time visibility into vulnerabilities and misconfigurations across 102 agencies, allowing timely remediation before intrusions occur – including directing the remediation of over 12 million Known Exploited Vulnerabilities (KEV) over the past two years. We have deployed EDR tools across 52 agencies, allowing our analysts to actively hunt for intrusions and enable eviction before adversaries are able to cause harm.” 

“We have provided new shared services that measurably reduce risks, including by blocking millions of communications with malicious websites and enabling researchers to find over 1,000 vulnerabilities in federal websites before they are exploited by adversaries,” Goldstein disclosed. “We have issued directives that have fundamentally transformed how federal agencies prioritize and fix vulnerabilities, continuously monitor for security risks, and harden frequently exploited technology assets.”

Goldstein said that CISA has “taken proactive steps to transform vulnerability management by publishing our Industrial Control Systems (ICS), Operational Technology (OT), and Medical Device vulnerability disclosure information in the Common Security Advisory Framework (CSAF), a machine-readable format that enables greater automation and better tooling across the vulnerability management ecosystem.”

He added that CISA launched a Federal Zero Trust Management Community of Practice (CoP), which now has over 130 members from 31 unique agencies, including the 23 civilian CFO Act agencies and eight critical small agencies. The CoP has advanced interagency Zero Trust collaboration, increased agency expertise and readiness, and built a community of value for federal partners.

He added that CISA provides a common baseline of security across the federal civilian executive branch (FCEB) agencies while defending and securing the federal enterprise through proactive, collaborative cyber defense and risk management. “While agencies remain ultimately accountable for their own risk, CISA is responsible for ensuring that the most significant cyber risks to the federal enterprise – the network of all federal systems – are being addressed effectively and driving progress based upon accurate and timely data.”

As part of this mission, Goldstein wrote that “we serve as the lead for federal cybersecurity shared services. We have learned that many cybersecurity capabilities can be provided more effectively, affordably, and in a scalable manner through a centralized model rather than having over 100 individual FCEB agencies manage cybersecurity risk independently.”

He detailed that CISA’s work starts by making it harder for adversaries to exploit FCEB networks. The Continuous Diagnostics and Mitigation (CDM) program is crucial in providing real-time visibility into risks affecting federal agencies to reduce risks promptly. In the past three years, the CDM program has grown in scope, scale, and impact on federal cybersecurity. 

“Previously, FCEB operators and CISA counterparts lacked operational visibility, making it difficult to mitigate risks before a breach,” Goldstein said. “Now, thanks to the CDM program, agencies and CISA can respond to cyber threats in a coordinated and expedited manner by sharing data between dedicated CDM Agency Dashboards and CISA’s CDM Federal Dashboard. This information sharing has greatly enhanced CISA’s operational visibility throughout the FCEB.” 

Goldstein highlighted that effectively securing the FCEB requires coordinated action to address urgent risks. “While our Directive authorities have proven highly beneficial in emergency situations, we have derived even greater value in mandating common steps to mature key cybersecurity capabilities that yield enduring benefit. CISA works in consultation with NIST and in conjunction with OMB and FCEB agencies to develop these Directives, and this collaboration has proven invaluable to managing cyber incidents and driving collective action.”

CISA is prioritizing the development of additional directives to address operational risk and drive action to reduce the overall attack surface and ensure better coordination across the federal enterprise, Goldstein revealed. “In FY24, CISA is focused on directive requirements to improve threat detection, incident response, and secure cloud management. Furthermore, CISA plans to address gaps and redundancies in legacy directives as a part of a broader strategic approach.” 

Going forward, he added that CISA will remain committed to analyzing ways to leverage its Directive Authority to address foundational cybersecurity challenges and reduce the likelihood of a future cybersecurity incident. 

Goldstein also pointed out that CISA’s Joint Cyber Defense Collaborative (JCDC) continues to cultivate multi-directional information sharing, operational collaboration, and strong working relationships with members of the FCEB to counter persistent, emerging cyber threats and comprehensively strengthen the evolving federal cyber domain.

He said that to further drive focused and impactful information exchange and joint collaborative action, CISA also established critically important communications pathways through Slack, including channels built around FCEB cybersecurity news, FCEB indicators of interest, cybersecurity vulnerabilities impacting the FCEB, a channel specific to agency CISOs, and a dedicated channel for micro agencies.

Goldstein identified that a strong operational lead agency is essential for the rapid identification and mitigation of near-term urgent threats and vulnerabilities as well as ensuring a consistent baseline for long-term capability investments and risk management decisions. 

To achieve this vision, CISA is focused on defining and strengthening its role as the operational lead for federal cybersecurity, including improving collaboration across the FCEB, providing collaboration tools, facilitating information exchange, and planning for risk reduction. The agency will strengthen its role as a shared service provider to address gaps in security capabilities and will improve operational visibility across FCEB agencies through programs like CDM to address potential intrusions and drive remediation. It will also work with Congress, OMB, and ONCD to optimize operational visibility. 

The agency will also promote modern security practices like zero trust principles and secure cloud implementations, and collaborate with OMB and ONCD to align agencies’ plans with operational needs and incorporate cybersecurity requirements into contracts. It will enhance its ability to provide hands-on support to agencies through Federal Enterprise Improvement Teams, helping them implement zero-trust architectures and directives. It will also defend the FCEB enterprise as a cohesive organization, where agencies maintain responsibility for their systems while centralized investments address cross-agency risks.

Goldstein concluded that the agency will continue to take swift action to make the FCEB a hard target for its adversaries. “This work will continue to take investment – in technology, in people, in partnerships. The past several years have shown the progress we can make with the support of Congress and our inter-agency partners while leveraging insights and expertise from industry. Now is the time for us to take the next steps forward – and we must take them together,” he added. 

Last week, CISA announced the next steps for ongoing engagement with industry and government to update the National Cyber Incident Response Plan (NCIRP). The NCIRP 2024 will address changes by incorporating lessons learned and feedback from stakeholders since the 2016 release, ensuring that the updated NCIRP is fully inclusive across non-federal stakeholders, and establishing a foundation for continued improvement of the nation’s response to significant cyber incidents.
