Cybersecurity is the gift that keeps on giving, and 2023 promises to be as busy as ever for agencies and contractors across a range of cyber policy developments.
The White House Office of the National Cyber Director is expected to issue a new national cyber strategy within the next couple of months. Mark Montgomery, the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, said the strategy will likely map out a shift already underway toward more cybersecurity regulation.
“We’ve been working for about 23 years on a largely voluntary approach,” Montgomery said. “The way forward is going to require thinking about regulation.”
White House officials, like National Cyber Director Chris Inglis and Deputy National Security Advisor Anne Neuberger, have repeatedly pointed to the need for a baseline standard of cybersecurity across critical infrastructure sectors. And the Biden administration has already moved out on a sector-by-sector regulatory plan.
But officials are also focused on “harmonizing” a growing set of cybersecurity regulations. Cybersecurity and Infrastructure Security Agency Director Jen Easterly said CISA’s forthcoming cyber incident reporting rule will take that issue into account.
“The thing that I’m most concerned about is harmonization in getting this rule right,” Easterly said Jan. 5 at CES 2023 in Las Vegas. “So that we can actually get valuable information — not noise, valuable information — that can keep the whole ecosystem safe, until technology companies can help us really drive down risk to the fundamental technology ecosystem we all depend on.”
Montgomery said the White House will also likely focus on rewriting Presidential Policy Directive 21, an Obama-era directive that lays out how agencies should oversee the security of the nation’s critical infrastructure sectors.
The revision could take into account whether new sectors, such as space systems or cloud service providers, should be designated critical infrastructure, Montgomery said. And it will also look at whether current sector risk management agencies have the resources and authorities to adequately oversee cybersecurity efforts in their respective sectors.
CISA oversight and FISMA reform
While CISA has enjoyed bipartisan support from lawmakers in recent years, Montgomery predicts the agency will also get an uptick in scrutiny this year with the Republican takeover of the House. Congress has consistently increased CISA’s budget over the past four years, and lawmakers will likely be looking for results and a long-term vision from the agency.
Already, House Republicans are pressing CISA on an overdue force structure assessment.
“I think it’s important for CISA to get that done and for there to be oversight,” Montgomery said.
Congress is also likely to renew a push for reforms to the Federal Information Security Modernization Act this year. Lawmakers saw a “real opportunity” to do so last year, but ultimately didn’t reach an agreement on sending legislation to the president’s desk.
The reforms proposed last year, however, are focused on both modernizing federal cybersecurity standards and updating cybersecurity responsibilities across the federal government. Since FISMA passed in 2014, CISA has been elevated to an independent agency with responsibilities for defending federal networks, while the White House Office of the National Cyber Director was just established in 2021.
Cyber workforce strategy
Following closely on the heels of the national cyber strategy is a new cyber workforce, training and education strategy. The initiative is also being led by the National Cyber Director’s office.
For federal agencies, the strategy is expected to help unify efforts to better recruit, develop and retain employees in cyber positions. White House officials have also pointed to the need to align disparate cybersecurity hiring and retention authorities across agencies.
Meanwhile, a group of agencies led by the Department of Veterans Affairs has proposed a new Special Salary Rate for IT hires. VA Chief Information Officer Kurt DelBene has said he expects the Office of Personnel Management will approve the new rate this month.
Zero trust and software security
Agencies are also moving to adopt a new cybersecurity architecture under the federal zero trust strategy released last January. Federal Chief Information Security Officer Chris DeRusha said the focus is now on implementation.
“We have a lot of policy out now,” DeRusha said on Ask the CIO. “And it’s really about the oversight, governance, getting these performance metrics right, ensuring that they’re giving us key insights, not just to how we’re doing, but when we’re not doing well, why? I call those key insight metrics.”
DeRusha said the zero trust strategy has allowed the Office of Management and Budget to do “strategy based budgeting” around how agencies’ budgets align to their zero trust implementation plans. He said to expect to see a topline zero trust funding number in the Biden administration’s forthcoming fiscal 2024 budget request.
“There is an actual assessment of how much the administration is investing in zero trust,” DeRusha said. “And that’s not easy to build, but it starts to get you this consistency in approach. You can move big things forward when you have that, because people can benchmark off of one another. They can leverage one another’s expertise. We’re using communities of practice approaches, building those out to kind of take all these shared experiences, and put them into some more formalized structure to help lift all these boats together around the different pieces that we put out.”
In September, OMB also published a new secure software development memo to guide agencies’ use of third-party software. Industry has been paying close attention to new software security requirements, such as the use of Software Bills of Materials.
DeRusha said there are plans to host a “listening session” with industry on software security requirements this year.
“Now that we got the memo out there, we want to have outlets for feedback to be agile and make adjustments,” DeRusha said.