Gen. Timothy Haugh, in his first public remarks since taking over as head of CYBERCOM and the National Security Agency in early February, said the force generation study is due to the secretary of defense this summer.

CYBERCOM has traditionally relied on the military services to train cyber warriors for the Cyber Mission Force. With that leading to readiness issues, officials have also looked to adopt more of a U.S. Special Operations-command type model. And some have called on the Defense Department to establish an independent cyber force.

“We’re doing a study right now that will evaluate, and we brought in an outside think tank to help us look at this, what are the spectrum of options?” Haugh said at the CYBERCOM Legal Conference today. “There are also a number of things in between there that we should consider, and also whether or not any of that menu should be applied together. So we’re evaluating that.”

Last year, Congress tasked CYBERCOM with evaluating the readiness of the military services in their ability to provide forces to the command. Haugh said the study identified five specific things the services could improve upon.

“Most of those things were areas that had previously been tackled by SOCOM, as it looks at how the Special Operations Forces are managed,” Haugh said. “And it was around personnel policies. It was in how the services leverage tools that Congress had given for retention to each of the services, and it was about assignment policies.”

In the year since that study, Haugh said each of the services have taken individual actions to improve readiness. He pointed to the Army’s new incentive pay for cyber personnel; the Air Force’s new tech track pilot for extending an individual’s service in the cyber field; and the Navy’s new cyber rating, as well the Marine Corps’ new eight-year initial enrollment for a cyber officer.

“Those are all really good examples of something each service has done,” Haugh said. “We would like to see them all raise that floor farther.”

Retired Gen. Paul Nakasone, the former head of CYBERCOM and the NSA, said he wanted to see a “bold move forward” with what’s been dubbed CYBERCOM 2.0

The command is better positioned to control its future thanks to a new provision in law. The fiscal 2024 appropriations bill passed by Congress last month gave CYBERCOM new programming and budgeting authorities. Referred to as “enhanced budget control” by Haugh, the authorities gives the head of CYBERCOM direct control over the planning, programming, budgeting and execution of resources for the Cyber Mission Force.

“We now have the budget responsibility for equipping the offensive and defensive cyberspace force for the Department of Defense, that force that we operate,” Haugh said. “So now we have the ability to be able to validate a requirement under our authorities that we’ve been given. We can allocate the resources against whatever that need is. And then we will be able to acquire that under our own authorities, either inside U.S. Cyber Command or in partnership with the services, where we drive the requirement, we have the resources, and now we’re going to be able to produce the capability that we need for our forces. That’s a pretty radical change from where we started.”

Integral to the conversations around the future of CYBERCOM is a new assistant secretary of defense for cyber policy position announced by DoD last month. The job serves as the secretary of defense’s top advisor on matters related to military cyber force and activities.

Secretary of Defense Lloyd Austin nominated the Army’s principal cyber advisor, Michael Sulmeyer, to serve in the new role. While he awaits confirmation, Ashley Manning is serving as acting ASD for cyber policy.

Manning and Haugh are set to testify before the House Armed Services Committee’s cyber, information technology and innovation subcommittee on Wednesday.

“It’ll be our opportunity to talk about what we see this looking like,” Haugh said of the new partnership.

The post CYBERCOM considers options for future force generation model first appeared on Federal News Network.

These are the fourth and fifth awards since Jan. 1 and continues the board’s focus on cybersecurity and application modernization.

“It is our responsibility to protect high-priority systems and enable our federal workforce to deliver on their agency’s mission seamlessly and securely,” said Clare Martorana, federal chief information officer and TMF Board chairwoman in a release. “These TMF investments demonstrate the diversity and reach of the TMF in driving innovation and impact forward for the American public – from strengthening NASA spacecraft control to supporting injured and ill workers through DOL’s Office of Workers’ Compensation Programs.”

Labor’s award from the TMF of $42 million is among the larger investments over the last few years.

Labor’s Office of Workers’ Compensation Programs (OWCP) will use the money to accelerate the replacement of its outdated Integrated Federal Employee Compensation System (iFECS).

Currently iFECS is built on technology from 20 years ago and runs 98 different applications with what it calls “elaborate and archaic workflows,” according to the TMF website. “This adds significant friction to case management which can overwhelm claims examiners, delay processing and interrupt tasks.”

In fiscal 2023, the system provided services to more than 2.5 million workers, with over 200,000 new cases processed.

“This initiative aims to revolutionize services and benefits for injured and ill workers, making processes faster, more efficient, and less prone to cybersecurity, operational, and financial risk,” the release from the TMF Board stated. “TMF has allocated $42 million to support this endeavor and aims to overhaul iFECS by transitioning to a modern, cloud-based architecture and leveraging automation technologies. This shift promises to reduce claim adjudication times, enhance customer interactions and bolster data security, particularly crucial given the sensitive nature of federal employee health records and annual claims.”

Labor’s sixth TMF award since 2018

“IFECS services the entire federal government as the processor of all workers’ compensation claims filed by federal workers,” said Nancy Griswold, the deputy director of OWCP, in the release. “As such, improvements in iFECS that will allow for the faster processing of claims will have an impact not only on the claimants themselves, but also their federal employers, as studies have shown that faster payment of claims results in a faster return to work for many claimants.”

Labor’s first award came in 2018 and the department has won a total of more than $77.3 million from the TMF over the last six years.

NASA’s first award is for $5.8 million that will accelerate cybersecurity and operational upgrades to its network. The board said the money will be used for specific initiatives including automating network management, modernizing legacy infrastructure, standardizing network configurations across all NASA locations and collecting additional telemetry data to align with federal cybersecurity mandates.

“NASA’s IT infrastructure plays a critical role in every aspect of NASA’s mission, from enabling collaboration to controlling spacecraft to processing scientific data. Therefore, protecting and effectively evolving NASA’s information technology infrastructure remains a top agency priority,” said Jeff Seaton, the NASA CIO, in the release. “This TMF funding will help the agency to accelerate critical cybersecurity and operational upgrades two years earlier than originally planned.”

NASA’s inspector general highlighted the space agency’s need for additional attention around cybersecurity in its August report on compliance with the Federal Information Security Modernization Act (FISMA).

Auditors said “NASA’s information security program and practices were not effective” in fiscal 2023. The IG made 27 recommendations across the five functional areas: identify, protect, detect, respond and recover. NASA’s overall maturity came in at 2.48 out of 5 for its maturity across the core FISMA metrics and 2.86 out of 5 across the 2023 supplemental metrics.

TMF board has less money in 2024

Along with the awards to Labor and NASA in calendar year 2024, the board made three investments in January worth $70 million for modernization projects at the Justice Department, the General Services Administration and the Armed Forces Retirement Home.

The board continues to allocate funding from the $1 billion it received in the American Rescue Plan Act in 2021. Since that appropriation, the board said it has used that funding to invest in now 43 projects.

It’s unclear how much of the $1 billion the TMF received from the American Rescue Plan Act remains. President Joe Biden’s fiscal 2025 budget request shows about $790 million left in the TMF that is unobligated for 2024, but that also includes money awarded to agencies, but not yet sent out the door.

But going forward, the board faces less available funding as the Senate in the 2024 appropriations rescinded $100 million from the ARPA windfall.

The post NASA, Labor receive extra funding for IT modernization first appeared on Federal News Network.

The following will be a summary of insights that are particularly pertinent for federal agencies, which face a unique set of challenges due to the nature and scale of their digital operations. In this dynamic cybersecurity landscape, learning from such incidents is crucial for adapting and enhancing security measures to protect against the sophisticated threats of the digital age.

The relevance of current cybersecurity policies and regulations to the attack

Federal agencies are bound by stringent cybersecurity regulations, notably Executive Order 14028, “Improving the Nation’s Cybersecurity.” Issued in May 2021, this order mandates agencies to enhance cybersecurity and software supply chain integrity, adopt secure cloud services and zero-trust architecture, and deploy multifactor authentication and encryption within a specific timeframe​​. These requirements align closely with the vulnerabilities exposed in the Okta breach.

Furthermore, the federal government’s latest identity, credentialing and access management (ICAM) policy, as outlined in the OMB M-19-17 memorandum, sets forth comprehensive guidelines for managing, monitoring and securing access to protected resources. This policy emphasizes identity proofing, establishing enterprise digital identities, and adopting effective authentication and access control processes​​. These elements are crucial in preventing incidents like the Okta breach, where weaknesses in identity and access management were exploited.

The Okta breach analysis underscores the need for a shift in cybersecurity focus from traditional perimeter defense to identity-centric strategies. This shift is vital for federal agencies whose operations often span multiple networks and cloud environments. Understanding the attacker’s perspective is essential for federal agencies as they prioritize the security of identity management systems and adopt robust privileged access management (PAM) practices.

Key lessons from the Okta breach relevant to federal agencies

1. Identity is at the core of cybersecurity:

The breach reinforces the concept of identity as the new security perimeter. Federal agencies must ensure that identity management systems are robust and capable of thwarting similar exploits.

2. The importance of privileged access management:

PAM is essential to protecting sensitive information, assets and systems. Implementing strong PAM solutions is a key step for agencies to safeguard against vulnerabilities. The integration of PAM into federal cybersecurity strategies is not just about mitigating risks; it’s also about enabling secure and efficient operations. By balancing security with operational functionality, PAM solutions help federal agencies maintain a high level of agility and responsiveness, which is essential in today’s fast-paced, digitally driven world.

3. Agencies need to adapt to evolving cyber threats:

The breach exemplifies the dynamic nature of cyber threats. Federal agencies need to continuously update their cybersecurity strategies, incorporating lessons from incidents like the Okta breach into their protocols, staying informed about emerging threats, and integrating advanced technologies and methodologies. Incorporating lessons from incidents like the Okta breach is essential, ensuring that strategies remain effective against increasingly sophisticated attacks. It’s a continuous cycle of assessment, adaptation and enhancement, crucial for maintaining the security and integrity of federal digital infrastructure.

A defense-in-depth approach is critical

As threat actors focus more on exploiting identities, agencies need tools that can help provide visibility and control of identities and privileges, reduce risk, and detect threats. Good specific policies and internal controls are necessary, but PAM can help provide a defense-in-depth approach, where multiple layers of controls and identity security monitoring capabilities can help prevent the failure of a single control or process from resulting in a breach.

The Okta breach provides an opportunity for federal agencies to reassess and strengthen their cybersecurity posture. By aligning with federal regulations and adopting a proactive approach to identity security, agencies can significantly enhance their defense against sophisticated cyber threats. Implementing lessons learned from such breaches is a critical step in fortifying the digital infrastructure that underpins national security and public service delivery.

Josh Brodbent is regional vice president for public sector solutions engineering at BeyondTrust.

The post Leveraging lessons from the Okta breach to enhance federal cybersecurity first appeared on Federal News Network.

During this webinar, you will gain the unique perspective of top government cybersecurity experts:

• Sean Connelly, Federal Zero Trust Technical Architect, Cybersecurity and Infrastructure Security Agency
• Roy Luongo, CISO, US Secret Service, Department of Homeland Security
• Louis Eichenbaum, Zero Trust Program Manager, Department of the Interior
• Chris Roberts, Director, Federal Sales Engineering, Public Sector, Quest Software
• Steve Faehl, Federal Chief Technology Officer, Microsoft
• Wes Withrow, Senior Client Executive, Cybersecurity, Verizon
• Moderator: Luke McCormack, Host of the Federal Executive Forum

Panelists also will share lessons learned, challenges and solutions, and a vision for the future.

The post Federal Executive Forum Zero Trust Strategies in Government Progress and Best Practices 2024 first appeared on Federal News Network.

A newly proposed rule by the Cybersecurity and Infrastructure Security Agency, tasks those operating in critical infrastructure sectors to report cyber incidents within 72 hours and to report ransom payments within 24 hours of making a payment. These new requirements would significantly lengthen the To-Do List of these entities. For analysis on what the impact could be, Federal News Network’s Eric White spoke to Beth Waller on the Federal Drive with Tom Temin, Principal at the law firm Woods Rogers Vandeventer Black.

Interview Transcript: 

Eric White So 1,000 foot view. What are the major changes here and what is going to be the impact on these critical sector entities?

Beth Waller I think 40,000 foot view. Everyone was expecting the director of CISA to come out with these proposed rules. The big earth shattering component of it is really the definition of covered entity who falls within the orbit of needing to report. And so really, the proposed rule really kind of breaks it into two different sections. We have really those who have to report based on their size, how large they are, and those that have to report based on their sector. I think most folks who are watching for this proposed rule were really expecting the sector side of the house. We weren’t really expecting the size side of the house. And so from a 40,000 foot view, I would say that most businesses and entities might be surprised to find out that they are covered by these new reporting requirements as proposed.

Eric White Yeah. Is there anything in place to notify a company that, hey, by the way, this new rule, it applies to you.

Beth Waller I really think that CISA is going to need to do a good job of educating the public to let them know that, hey, you may fall within this, because again, when we look at the proposed definition of covered entity, for example, when it talks about size, it refers to an entity that exceeds the small business size standards specified by the applicable North American Industry Classification System Code and the US Small Business Administration Small Business Size regulations.

Eric White I read those yesterday.

Beth Waller That’s right. So if you look at those, as I think many of us did, went with bated breath to see, well, wait a minute. What does this mean? We start to see that, well, it really means anybody who has more than 500 employees and certain sectors, and with average annual receipts, over 7.5 million would qualify as somebody who would be needing to report. Now, there are certain exceptions by industry under the SBA regulations. But I think that really what is surprising for me, as somebody who really focuses in on critical infrastructure incident response, says, now we’re going to be really looking those SBA requirements and doing that math in the midst of an incident. And what I can’t really emphasize enough is the fact that we need to remember that this isn’t sitting at home twiddling your thumbs or the quiet of a Tuesday morning or whatever the case may be. You’re in the midst of a ransomware incident and your organization is down and you’ve been essentially taken hostage. And what you’re trying to do is within those first 72 hours, do this math and start figuring out, do I qualify, do I need to report? And so the proposed rule really focuses in on that size. Are we big enough to have to report and then the sector. And then of course sector, size doesn’t matter. It really is whether you fall within these different buckets. And the buckets are what you would somewhat expect. Nuclear reactors, energy, things like that. But then there are some areas that you might not expect, for example, in the health care and public health sector, for example, the proposed rules says that those that operate a hospital with 100 or more beds or are critical access hospitals. Well guess what, you’re dragged into that dragnet. So if I’m a small hospital in a rural location, I might not have 100 beds, but I might be considered critical access, and I would therefore be obligated to report a ransomware incident within 72 hours of finding it out.

Beth Waller Similarly, you have information technology, any entity that provides IT software, hardware, system or services to the federal government. So if you’re a teeny tiny software company, but you provide or have a contract with the federal government, well guess what, you’re grabbed into this. Similarly, if you are considered an original equipment manufacturer or a vendor or integrator of OT hardware, that’s operational technology, hardware or software, or those that perform functions related to DNS operations, guess what? You’re grabbed in. So again, you have some things that are kind of what you would expect chemical facilities, water, wastewater treatment systems, transportation systems. But then you have some unusual things including communications. So for example, wire radio communication services. So if FNN had an incident, you’d be doing that kind of analysis as to whether or not you needed to report within 72 hours as well. The other little tidbit I would say is that it’s not cut and dry the way the proposed rule is set up. I really think of it like it’s going to be a flow chart or a choose your own adventure type situation, because even with water and wastewater systems, for example, it breaks it down to say, is it a community water system? Publicly owned treatment works that serve more than 3,300 people? Well, that’s a random number to be trying to remember in the middle of an incident response do I qualify? Do I not qualify? Similarly with education. You’re looking at populations of 50,000 or more. We’re in the education sector. More than a thousand students. Or any institute of higher education that receives funding under title nine. And then finally, folks like the defense industrial based sector. Many of those folks, again, many of my clients in that space are very used to doing reporting to the DoD. Well guess what, that doesn’t necessarily get us out of jail free. We may also be having to do the same kind of report to CISA. And so those are the big kind of surprises in some ways, is that the sector really start getting into a lot of nuance and detail. And then of course, that size component. And again, if you qualify under one bucket, you’re just in. So if you got more than 500 employees and you’re manufacturing space, it doesn’t matter that you’re in the defense industrial base sector, you’re going to be in regardless. And so I think that a lot of folks are going to be gobbled up by this, because CISA wants as much information as possible to start really looking at these trends nationally of the types of incidents so that we as a nation are facing.

Eric White We’re speaking with Beth Waller, who is a cybersecurity attorney at Woods Rogers Vandeventer Black. And so it’s the people on that one end of the spectrum that the smaller entities that you mentioned. How big of a burden is this actually going to be on them? I imagine that for the bigger folks that are used to this, they’ve got maybe a whole team that’s assigned just to making sure they’re compliant. But there are probably some folks in rural hospitals who have never even heard of this process.

Beth Waller That’s right. And I really think that for those of us, again, I’m a cybersecurity data privacy attorney. And what I do is respond to these types of incidents and get signed in to these types of incidents. I think it’s going to really fall a lot on the legal profession to try to educate folks. Those of us that are called in to do breach response work, number one. But I would also say, I would argue that it’s not just onerous on the small businesses. It’s going to be really a huge task for the big businesses. And I would say that because the report itself is very detailed, it’s more detailed than the report that I would be giving, for example, if I was just in the defense industrial sector under the DFARS 7012,  filing on the DIDNet, those types of things. We’re used to doing that in this space. The report to CISA requires us to identify the covered entity. So the entity making the report. But in order to do that, what CISA is proposing is that I need to know the state of incorporation, trade names, legal names, the DUN number, tax ID, the EPA numbers, all this kind of stuff. Again, I go back to, think about what we’re in the midst of. We’re in the midst of a ransomware incident, highly unlikely that I have access to my work device. And so those first 72 hours, I can guarantee you you’re not getting access to a device that’s from your company. So you’re going to need to be able to pull this information together rapidly. It’s one thing if I’m a smaller defense contractor or a smaller contractor, to be able to know my state of incorporation. It’s another thing if I’m a mega corporation and I’ve made up a bunch of different LLCs or a bunch of different entities, or I have trade names, those types of issues. Pulling that kind of information together can be very challenging. And so I would argue that it’s going to be a burden to almost any entity that is going to be reporting to try to pull these things together.

Beth Waller In addition to that, the type of information about the incident that CISA is requesting, again, from somebody who has experienced an incident response, what they want to know within the first 72 hours is pretty broad. So, for example, they want a description of the covered incident with identification of affected information systems, including the physical locations of the impacted systems, networks and or devices. If I am a mega company, for example, and I have, 50,000 employees across the United States talking about the physical location of those impacted systems or networks. If I’m a manufacturer, it could be quite challenging in the midst of that first 72 hours, keeping in mind that the people who are needing to answer this are also potentially two people trying to come back online, getting things together, managing the incident response team. In addition to that, they want to know things like IOCs, which in the industry is indicators of compromise. They want to know the bad guys. What’s the telephone number, the IP address that they called from. They want to copy the malicious code and they want to know, for example, if you’re paying the ransom, which is another separate reporting requirement, they want to know exactly what your instructions were for payment of the ransom and things like that. I will say the good news is, thankfully there’s going to be a dropdown box for unknown at this time type answers given that this is the first 72 hours, but there is a requirement for supplemental reporting, and that supplemental reporting requires a report to be given every time there’s substantially new or different information becoming available. Again, if I’m in the midst of this incident, that is a very hefty burden to be thinking about.

Eric White Yeah, obviously this would be a substantial task order for, as you mentioned, somebody going through a cyber incident like this. But coming from CISA’s standpoint, this is pretty important information. A lot of people’s lives rely on these companies and obviously the critical infrastructure sector that runs the country basically. So, coming from them, why is this information so critical for an agency like CISA in the fight in ensuring that a lot of our big companies and critical infrastructure sectors are cyber secure.

Beth Waller Well, I think that what it does, it does create this dragnet of information to be able to really look at our adversaries and to be able to say, okay. Because a lot of times in the ransomware world, they have almost nonsense names. You’ve got Lockbit, Alphv/BackCat. You’ve got all royal, you’ve got, you know, all the different types of ransomware that are out there. And I tell folks, it’s kind of like their gangs, like off of The Sopranos or The Godfather movies. They’re just cyber gangs. And so being able to track the information of being able to say, okay, well, this is associated with this nation state or it’s not is really incredibly important to CISA. And again, as someone who is a federal partner in the midst of these incidents, because I do critical infrastructure incident reporting. So again, when you’re representing a state agency or a local government, you are already acting as a partner to your federal partners and providing information. So I think that there are big benefits to working with CISA and currently reporting to CISA as we do. But I think that with regards to the kind of nuances that are being asked for in this reporting, it’s going to create a lot of headaches. And keep in mind, many of these businesses are folks that are operating under multiple regimes. So for example, the financial sector is one of these that is considered critical infrastructure here. Well, if you’re already a bank, you’re reporting to the office of the Comptroller of the Treasury at the same time or reporting to CISA. If you are, for example, a manufacturer that is global, as many of our manufacturing Fortune 500 may be, you are also dealing with the laws in Europe. So GPR related laws, you’re also probably publicly traded. And so now you have the new Securities Exchange Commission rules and regulations about getting a notice out to your shareholders within four days of determining materiality. It’s really a very complex arena that CISA is coming into already from a regulatory standpoint.

Beth Waller I will say that the proposed rule says if CISA has an information sharing agreement in place with one of these other agencies that was receiving the report, that is potentially a get out of jail for a duplicate report filing, but it’s unclear at this time where CISA has that information sharing already. And I think that puts a lot of burden on the victim to try to figure that out. So hopefully Department of Defense, for example, creates an information sharing system with CISA where if you’re already again reporting to the DIDNet and going through that side of the process, you wouldn’t have to necessarily do it again here. Again, those clocks also start not on a Tuesday morning at 9:00 a.m. they often start at 1:00 am on Saturday morning whenever that network engineer figures us out. So a lot of times the folks that would be filling this out are not necessarily aware of it until, let’s say, 36 hours into an incident, depending on how large the organization is. So my argument would be to many businesses, look at your incident response plan. If these proposed rules come in to a final rule in the same manner that they’re currently looking at like right now, we’re going to want to make sure your incident response plan has a lot of this information gathered already, because, for example, maybe you could create something off line that says, this is our state of incorporation,  those types of things, so you’ve got that at the ready. Because again, keep in mind, most the time we’re dealing with something like ransomware where the entire network is encrypted. So how are we going to get at this information even if we wanted to, unless you just know it?

The post Facing cyber attacks, critical infrastructure gets new reporting requirements first appeared on Federal News Network.

• After a scorching report, one Senator wants to see the federal government overhaul its cybersecurity practices. Sen. Ron Wyden (D-Ore) on Monday released draft legislation to set minimum federal cyber standards for collaboration technologies, like Slack and Teams. Under the bill, the National Institute of Standards and Technology would establish interoperable standards for those technologies. The legislation would also require the use of end-to-end encryption. The bill comes after a Cyber Safety Review Board report blamed Microsoft's inadequate cybersecurity culture for multiple federal hacks. Wyden argued that interoperable standards would reduce the federal government's reliance on Microsoft.
  (Wyden releases draft legislation to end federal dependence on insecure, proprietary software in response to repeated damaging breaches of government systems - Sen. Ron Wyden (D-Ore.))
• Radha Plumb has officially assumed the role of the Defense Department’s Chief Digital and Artificial Intelligence Officer. Prior to her new role, Plumb served as the deputy under secretary of Defense for acquisition and sustainment. Deborah Rosenblum, the assistant secretary of Defense for nuclear, chemical and biological defense programs will take over Plumb’s previous role starting April 8. Plumb will replace Craig Martell, who became the Pentagon’s first permanent chief digital and artificial intelligence officer in 2022.
  (Plumb officially assumes CDAO role - Defense Department )
• Underutilized federal buildings could turn into affordable housing if a House bill makes it through Congress. The Government Facilities to Affordable Housing Conversion Act would require agencies to identify vacant and underutilized buildings that would be suitable for converting into residential use. The bill provides funding to study the effectiveness of converting office space into housing and also creates a grant program for state and local governments to undergo these conversion efforts. Reps. Adam Schiff (D-Calif.) and Jimmy Gomez (D-Calif.) are leading the bill.
  (Air Force enterprise information technology directorate gets new director - USAF)
• Some new recommendations aim to kick-start federal shared services. In the five years since the Office of Management and Budget relaunched the federal shared services initiative, experts said progress has languished. The Shared Services Leadership Coalition (SSLC) said in a new report that agencies have not achieved any of the goals outlined in the 2019 memo and federal shared services remain resource starved. The good-government group outlined four legislative and regulatory policy recommendations to get agencies moving in the right direction. SSLC's recommendations include mandating shared services as a required business blueprint and creating a new Senate-confirmed position called, "The Commissioner of Government Operations" at the General Services Administration.
  (4 policy recommendations to kick-start shared services - Shared Services)
• The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) is reminding employees of their whistleblower rights after being called out by a lawmaker. Sen. Chuck Grassley (R-Iowa) said an ATF memo, issued late last fall, chilled lawful whistleblowing. It warned employees against disclosing unclassified information without prior authorization. But it contained no references to lawful disclosures to Congress or federal watchdogs. After Grassley pressed the agency on the memo earlier this year, ATF recently issued an update with repeated references to the Whistleblower Protection Act and other disclosure rights.
  (Grassley successfully ensures ATF employees know their whistleblower rights - Sen. Chuck Grassley (R-Iowa))
• Over the next five years, the General Services Administration (GSA) will eliminate the use of PFAS, known as "forever chemicals," in the cleaning of federal buildings. GSA is requiring government contractors to purchase cleaning products that are free of the toxic chemicals. Instead, contractors will be required to use alternative products, certified to ecolabels such as EPA’s Safer Choice and certain Green Seal® certifications. GSA’s Public Building Service has more than 600 contracts for custodial services at more than 1,500 government-owned buildings at a cost of more than $400 million per year. GSA expects that most of these contracts will include the new and safer specifications within five years.
  (GSA, EPA team up to eliminate 'forever chemicals' from federal buildings - General Services Administration)
• James Lee, who led the IRS-Criminal Investigations office for the last three years and served 29 years in the federal government, retired on March 31. He has joined Chainalysis as its global head of capacity building. Lee said his initial focus will be helping international law enforcement agencies develop solutions against cryptocurrency-based crime. During his time at the IRS, Lee led IRS and federal law enforcement efforts to shut down Hydra, the world’s largest darknet market. He also conducted the largest crypto-seizure connected to terrorism financing and rescued 23 children and arrested 337 child abusers around the globe after taking down Welcome to Video, the world's largest distributor of child sexual abuse material.
  (Former IRS-Criminal Investigations chief lands new role in industry - Chailalysis)
• The office of the Air Force chief information officer just got a new director of the enterprise information technology directorate. Keith Hardiman will oversee the management, planning, governance and resource allocation for the department's information and cyber enterprise, which has a budget of nearly $7 billion. Prior to his new role, Hardiman served as the director of the Air Force's information management and chief information office, where he led the Air Force's declassification and publications distribution offices.
  (Air Force enterprise information technology directorate gets new director - USAF)
• Leaders of the Senate Veterans Affairs Committee are pushing for a higher cost-of-living increase for veterans and their surviving family members. The higher COLA would impact disability payments, clothing allowances, and compensation for surviving spouses and children of veterans. The cost-of-living adjustment would be determined by the annual COLA adjustment set by the Social Security Administration, and would go into effect December 1, 2024. Committee Chairman Jon Tester (D-Mont.) and Ranking Member Jerry Moran (R-Kan.) are leading the bill.
  (Tester, Moran push for cost-of-living increase for veterans - Senate Veterans Affairs Committee)

The post Oregon Senator fed up with data breaches, blasts Big Tech, demands mandatory standards first appeared on Federal News Network.

Contractors and federal managers agree: It is difficult to keep up with all of the cybersecurity rules and regulations. The parade of new proposals never ends. American University has a program that might help. It is a series of online discussions with people who know policy. For more, the Federal Drive with Tom Temin spoke with American University senior lecturer Dr. Sasha Cohen O’Connell.

Interview Transcript: 

Tom Temin I should say you’re not just a lecturer there, but you host podcasts that talk about cyber security policy. How do you keep people awake through that?

Sasha O’Connell Oh, it’s more exciting than you might think. Of course. Yes. A brand-new podcast series in partnership with our colleagues both at CrowdStrike and Wylie Ryan.

Tom Temin All right. And I guess the bigger question is what is going on that people need to go out of their way to get more understanding of cyber regulations just seem to be like tulips popping up everywhere.

Sasha O’Connell Absolutely. Even in my time, I’ve been back in American University full time for five years teaching U.S. cyber policy, and I was just saying to my class yesterday, the blooming, to keep your analogy in terms of activity with the government side around cyber policy is just an explosion is really impacted the way I teach. I think a couple of things drive that. One is, of course, the threat and the changing nature of the threat, both nation state actors and criminal actors. And that increased activity over time. Not new but continuing to increase. In addition, I think there’s a change in leadership in government over time, folks who are perhaps more up to speed on these issues and able to make decisions both in the executive and legislative branch. And then I think, frankly, some political will, right, given the nature of the attacks we’re seeing to act and to do think about it. So, we’re starting to see that across government. And that’s generating a lot of conversation and need for educational materials, which is what brought us to the podcast.

Tom Temin Plus the publications of regulations and policies themselves can be daunting. CISA, for example, just came out with a new rule on incident reporting for small businesses. Nobody knows who’s affected by this, but the rule was something like 500 pages. That’s a dense 500 pages. That’s part of the challenge, isn’t it?

Sasha O’Connell Absolutely. I think it’s in the 400, 447. In the most recent call for comment, the NPRM around CIRCIA at which I know you guys covered last week as well. Absolutely. It is daunting. This whole theme of incident reporting is actually our first topic of the podcast. And because whether it’s the new SEC rule or rules coming out of CISA on the heels of CIRCIA, we know that folks need some context, right? They need some history, some context, and some materials that sort of, we call it start here. Right. A place to start to understand the context of these issues before you start to dive into all the details. And we also know that there’s new people working in this space, or people for whom these topics are new, and they need some primers and access to that kind of information. And that’s, again, the impetus for this podcast. And incident reporting is exactly where we start.

Tom Temin And so much of the cybersecurity discussions, coverage, articles, media pieces and so forth concern cybersecurity practitioners and how to stay ahead of threats, understand the threat environment, responses, and all of these cyber operational things. So, do those people need to be better versed in policy, or who is it within an organization that should be versed in policy, even if they’re not coding the next counterattack type of thing?

Sasha O’Connell This is exactly one of the changes that’s happened at the moment, sort of in the last five years. It used to be the job for FBI, you know, the precursor to CISA and PPD, CISA folks who cyber was their day job. But now I like to say it’s truly cyber for all. Right. Certainly in government, if you work at HHS, as we saw with the most recent hack relevant to the health care system, if you work at EPA and you’re worried about clean water, as we’ve seen in recent mornings in that sector as well, there’s really no spot in government that doesn’t have a cyber policy component to what they do. At a minimum, they’re responsible for protecting their own data, right? The data internal to those departments and agencies or on the Hill, if you think about the data managed there. And then there’s that piece within. There’s the externally inter-agency, you know, bigger picture policy piece that focuses on the customers of these departments and agencies. Right. And there are equities and authorities across the board.

Tom Temin We’re speaking with Sasha O’Connell. She’s senior lecturer at American University and host of a podcast series on cyber security policy. And I wanted to ask you about, maybe based on your experience, we should note long term at the FBI before coming to academia and so forth, where you were involved with cybersecurity policy. Often the complaint comes especially from industry, but also from government practitioners that there seems to be, let’s say, a want of coordination of policy creation among the federal entities themselves. Is that an issue that you cover and. You feel that is an issue?

Sasha O’Connell Yes of course. Better coordination and deconfliction. It’s something that’s always being worked on. As you mentioned, I spent about 15 years at the FBI, and one of my last roles was to stand up and lead a new office that was facing the National Security Council to work with the White House on those policy issues where the FBI had equities. And through that NFB process that many of your listeners I’m sure are involved with, is that effort at coordination. You know, especially now in an area like cyber where there’s so much growth and population of use and the blooming of interest in regulation and legislation, convenings and voluntary standards, it is more important than ever through those processes that those things are being coordinated in cyber as well. We see a ton of activity at the state level. So, all 50 states have their own victim notification laws, for example. And that’s something that Washington and I know the Biden administration is super aware of and working hard, both here in the US and also relevant to our international partners, making sure that global companies have those kind of crosswalks and deconfliction information and where possible, that things are reconciled because it is a huge challenge.

Tom Temin And it’s also true that the number of agencies is kind of spreading. I mean, you’ve got DoD and many components there and a couple of different components of Homeland Security, Justice Department. But now the FTC, the SEC, the FCC, everybody seems to be maybe even the FAA jumping into cyber and cyber policy. So, it sounds like this is something that’s going to not go away, is it?

Sasha O’Connell No. Absolutely not. In my classroom, I use the bubble chart from the early 2000, which is maybe some of our listeners remember a PowerPoint that we used to walk around and show roles and responsibilities in cyber, and it had 4 or 5 agencies. And then there’s a great 2020 GAO report that shows a nice graphic of all the departments and agencies with cyber responsibility. And I think it’s about 25. Right. So, your point is super well-taken. And again, it really is cyber for all. And again, why we think this need to fill the gap in terms of foundational educational materials is so important, both for current leaders in government and for future leaders studying cyber now.

Tom Temin And what about the contractors? It would seem that they need to keep on top of this. I think they know they need to, because the implication is not simply that you will lose data or get hacked and all of this, but then you’ll get hit with False Claims act, for example, or in the case of the SEC, they would like to, you know, arrest you and pillory and find you and so on. I mean, its dangerous territory, isn’t it, for contractors, companies 100%.

Sasha O’Connell And it’s particularly relevant because one of the levers is, you know, that the executive branch has, in terms of being able to raise the bar in cybersecurity is, of course, through contracting. Right. And the standards they set through those opportunities. So, absolutely, this needs to be front of mind for all government contractors to keep an eye on that, because it is a place where there is a lot of activity and change going on. Absolutely.

Tom Temin And just quickly, from the standpoint of being at American University, is this an area that you see growth of interest in incoming students?

Sasha O’Connell 100%, so much so that in the last three years we have created a graduate certificate, a non-technical certificate, specifically in cyber policy and management. So, when you come perhaps for your master’s degree in public administration thinking you want to be maybe a city or town manager, we now have that opportunity. Right. Because if you don’t get a little something, the four corners on ransomware, for example, before you head out to lead, even at the state and local level, let alone the federal level, it’s really a huge gap, both in terms of getting jobs and being impactful when you get there. So yeah, we see the demand both at the undergraduate and graduate level. And again, at AU, we’re specifically focused on that policy piece, that intersection of the law with the technology, with the functionality of government.

The post Leading university offers way to keep up with cybersecurity policy first appeared on Federal News Network.

A few years ago, the Defense Department drafted a legislative proposal to get rid of principal cyber advisor positions across all services.

While this idea didn’t make it out of the Pentagon, three-plus years later, Chris Cleary, the former principal cyber advisor for the Department of the Navy, said that was a good thing.

Cleary, who left government recently and joined ManTech as its vice president of its global cyber practice, said the impact of the principal cyber advisor in the Navy is clear and lasting.

“This is challenging because all the services in the very, very beginning wanted to get rid of the principal cyber advisors. There was a legislative proposition that was trying to be submitted and Congress came over the top and said, ‘No, you’re going to do this,” Cleary said during an “exit” interview on Ask the CIO. “So year one in the job, I make the joke, I was just trying to avoid getting smothered by a pillow because no one wanted this position especially after we just stood up the re-empowered CIO office so what’s a PCA? And what’s this person going to do for the organization? I was very attuned to that and ready that if the decision is to push back on this creation, and maybe do away with the PCA job, I was just going to go back to being a chief information security officer. I was being a good sailor and focused on whatever are the best needs of the Navy. I was prepared to do that.”

The move to get rid of the principal cyber advisors never came to fruition and, instead, the Navy, and likely other military services, now see the value in the position.

Cyber advisor wields budget influence

Cleary said one way the principal cyber advisor continues to provide value is around budgeting for cybersecurity. He said each year his office submits a letter on the “budget adequacy” to the Defense Department’s planning process, called the Program Objective Memorandum (POM).

“I found that the PCA office really became the champion for advocating and supporting programs like More Situational Awareness for Industrial Control Systems (MOSAICS), which was a thing we were doing for operational technology systems ashore, and another product called Situational Awareness, Boundary Enforcement and Response (SABER), which was its cousin and for OT stuff afloat,” he said. “What you found is both of those programs are being championed by hardworking, honest Navy employees that just couldn’t break squelch to get a properly resourced or funded or programmed for. The PCA was able to champion these things within the E-Ring of the Pentagon. Things like MOSAICS, as an example, I am very proud of, we worked very closely with the Assistant Secretary of the Navy for Energy, Installations and Environment, Meredith Berger. She very quickly recognized the problem, most of this fell kind of within her sphere of influence as the person responsible for resourcing all of the Navy’s infrastructure. She very quickly embraced it, adopted it and hired an individual within the organization to look at this specifically.”

Cleary said over the course of the next few years, he worked with Berger’s team as well as other cyber experts in the Navy and across DoD to do deep dives into how to secure OT.

When the Defense Department rolled out its zero trust strategy in November 2022, the services faced more challenges around operational technology than typical IT. Cleary said the PCA helped the Navy better understand the OT stack was more complex and the tools used for IT wouldn’t necessarily work.

“The further you get down closer to an actual device or controller you can’t just roll a firewall out against that,” he said. “They have their own vulnerabilities and risks associated with them. But they’re things that we haven’t traditionally looked at when you when I’m talking about OT, like weapon systems, defense, critical infrastructure, these massive foundation of things that not only enable what we do from an enterprise IT standpoint,  but we’ve got to keep the lights on and the water flowing, and the Aegis weapon system has lots of computers with it, but that isn’t an enterprise IT system so who’s looking at those, who’s resourcing those, it’s only been the last decade or so that we’ve seen a lot of these is legitimate target areas.”

Champion of attention, resources

Cleary said his office helped get the Navy to spend more money and resources on protecting operational technology because it wasn’t always a top priority.

The OT example, Cleary said, is exactly why Congress created the PCA.

“We didn’t do any of the work to create these things. We just champion them appropriately and ensure they got the attention they deserved. And then ultimately, the resourcing required so they can be successful,” he said.

Cleary said it was clear that after three-plus years as the principal cyber advisor for the Navy, the benefits outweighed any concerns.

He said with the cyber world becoming more convoluted and complex, the position helps connect dots that were previously difficult to bring together.

“I think Congress would come and ask a question and they would get 10 different answers from 10 different people. I’m not saying we got there. But the idea of the PCA was to get those 10 different answers from 10 different people and then try to consolidate that answer into something that made sense that we could agree upon and present that answer back to Congress,” he said. “I’m not going to say we fully succeeded there because there are a lot of ways around the PCA and the PCA offices, but I think as the offices get more and more established, organizations like Fleet Cyber Command for the Navy, the Naval Information Forces and others were seeing the benefit of the PCA’s job to be the middleman and deal with the back and forth.”

Continue to create trust

Cleary said toward the end of his tenure, these and other offices, including the Marines cyber office, started to work even more closely with his office on these wide-ranging cyber challenges. He said the principal cyber advisor was slowly, but surely becoming the trusted cyber advisor initially imagined.

“I use the analogy of a fishing line, when you start pulling out a fishing line and you’re not sure what the weight of the fishing line is, but if you break the line, it’s over. So the trick was to pull on it with just the right amount of tension without risking or breaking it,” he said. “I knew the PCA office was something new and if the relationships with those organizations became tenuous, or were cut off because of the PCA coming in and say, ‘Hey, you shall do this or that,’ it wasn’t going to work. The way I envisioned the role of PCA was not to tell anybody inside the organization how to operationalize their own environments. My whole job was to go to them and understand what it is they needed, based on their experience and their expertise, and then get them that. The more that I could be seen as a value and not here to check their homework and poke them in the eye about their readiness, the more successful I’d be.”

Cleary said for the principal cyber advisor to continue to be successful, they have to continue to establish trust, understand their role is personality driven and focus on getting the commands the money and resources they need to continue to improve their cyber readiness.

The post Why the principal cyber advisor ended up being a good thing first appeared on Federal News Network.

I spent more than two decades holding numerous roles in the U.S. government, including helping to write the initial implementation of the CMMC framework. Now after seeing those rules in place, plus working on the other side of the fence helping enterprises scan for externally visible third-party cyber vulnerabilities, I see that the original CMMC framework did not go far enough when it came to validating the appropriate cyber defenses were in place, especially those deep in a contractor’s supply chain. The reliance on self-assessments allowed for critical gaps in compliance.

To fully understand the changes and their expected impacts, it’s important to first understand the threats that drove them into existence.

Over the past decade, cyber threat actors have increasingly turned to third-party and supply chain ecosystems to reach high-value targets. Alarmingly, recent research shows a 26% increase in reported negative impacts from supply chain cyber breaches, disrupting operations, and highlights the growing threat. Even more alarmingly, the U.S. government is no exception. In fact, U.S. critical infrastructure and the DIB are key target networks for both nation-state actors, as well as independent hackers or hacking groups.

Despite the severity of these threats, systemic issues of non-compliance with CMMC remain, largely due to organizations self-assessing. According to a recent OIG report, in many cases, proper security requirements were not in place, which left entire ecosystems completely vulnerable. The cost of this kind of oversight is extremely high as compromises related to the organizations could deliver a negative effect on national security.

Translation: We’re ripe for improvement.

While DIB members have long been anticipating “CMMC 2.0,” compliance with related regulations, mainly DFARS 252.204-7012 (DFARS 7012), has been mandatory since 2017. DFARS 7012 aligns with the existing accepted regulatory framework, the National Institute of Standards and Technology’s 800-171 Rev 2, a requirement also mirrored by CMMC Level 2. However, the recently proposed CMMC rule change introduces third-party assessments, differing from DFARS 7012’s self-attestation and unverified self-reported scores.

Even more encouraging, the proposed rule specifies the type of required CMMC assessment at every tier of a defense supply chain. While there had previously been some ambiguity around how these requirements would “flow down” from a prime contractor to their subcontractors, the new CMMC model has established clear accountability mechanisms for upstream and downstream supply chain cyber risk.

That said, any regulatory framework can only go so far. The path to cyber resilience is ultimately a shared burden between the Defense Department and its suppliers. Many of the critical vulnerabilities susceptible to attack are often hiding in plain sight; ensuring direct and swift communication between DoD and DIB security teams is often the hardest, but most important, operational hurdle to overcome.

The proposed CMMC changes show the industry that the DoD is taking security, and this shared burden, seriously. There is a long road ahead, but with it comes meaningful improvement that will effectively reduce cybersecurity risk and increase industrial base resilience in the long term. Once the final CMMC rule is in effect, these changes will go a long way to make the DIB more secure.

Lorri Janssen-Anessi is director of external assessments at BlueVoyant.

The post The original CMMC program was missing one key component — Here’s how the newly proposed rule should fix that first appeared on Federal News Network.

Download this exclusive Federal News Network Expert Edition now!

The post Securing the Nation: Deep dive into federal SOCs first appeared on Federal News Network.

The Cybersecurity and Infrastructure Security Agency is readying the playing field for its major “Cyber Storm” exercise intended to simulate the response to a large-scale cyber incident on critical infrastructure.

The biannual exercise kicks off this month, as CISA rewrites the National Cyber Incident Response Plan for dealing with such an event. It also takes place as officials warn that real-world hackers are targeting, and sometimes successfully infiltrating, U.S. critical infrastructure networks.

More than 2,000 participants from government and industry will be involved in this year’s iteration of Cyber Storm, the ninth such exercise that’s taken place since it began in 2006.

Lisa Beury-Russo, the associated director for exercises at CISA, said the “players” come from sectors including chemical, communications, critical manufacturing, the defense industrial base, energy, financial services, food and agriculture, healthcare and public health, information technology, transportation systems, and water and wastewater systems.

“It’s a pretty big list, and we are hopeful that we’ll see a lot of really good cross sector interaction there,” Beury-Russo said in an interview.

Over the course of the one-week exercise, participants will receive “exercise injects” that describe how their organization is being affected by the incident. They will then have to respond using whatever policies and procedures are in place, Beury-Russo said.

CISA will also provide a “simulated world view” involving news feeds, videos and other simulations to help mimic the real world.

Beury-Russo declined to name the specific threats, technologies or scenarios the participants will encounter as part of this year’s Cyber Storm, citing operational security reasons, as well as to avoid tipping off the players. Previous exercises have folded in specific technologies, like industrial control systems.

But Beury-Russo said one of the overarching goals is to practice “information sharing” during a major cyber incident affecting multiple critical infrastructure sectors.

“Is information being shared across the player set, among government partners, from government to critical infrastructure owner operators, and within and between sectors,” she said. “Is the information shared actually useful? Are we sharing the right things? Are we sharing quickly enough to enable folks to take effective action?”

“We also look at whether and how plans are implemented,” she added.

The event comes as CISA rewrites the 2016 National Cyber Incident Response Plan at the direction of last year’s National Cyber Strategy. The plan lays out how both government and industry will respond to significant cyber incidents.

CISA plans to publish the updated plan by the end of this year.

Meanwhile, U.S. officials warned earlier this year that a China-linked hacking group, “Volt Typhoon,” has targeted multiple U.S. critical infrastructure networks. Agencies said the group’s activities had been found on some networks for upwards of the last five years.

Beury-Russo acknowledged Cyber Storm is happening “at an important time.” She said the exercise will help inform the rewrite of the National Cyber Incident Response Plan.

“One thing we found in prior exercises, is that often, our industry partners don’t really fully understand the actions and the processes included in the plan,” she said. “One thing we’re looking at is to make some of those things a little more clear in the rewrite. We’re talking very closely and working collaboratively with our team in CISA who is working on that to help share those findings, and see what kind of initial pieces of the update we can look at in this exercise.”

Ultimately, the goal of the exercise is to make sure when the incident response plan is needed in the real world, it won’t be the first time agencies and industry are going through the process.

“We don’t want to wait for a huge cyber incident data breach to happen,” Beury-Russo said. “We want to work in a safe environment in steady state operations to really stress test those plans and procedures and make sure we are ready because in cybersecurity, it’s not ‘if’ but ‘when’ there will be an incident. So we want to make sure we are taking these opportunities where we can to operate in a safe space and really figure out what’s working, what we can do better and tackle these problems as one cohesive community.”

The post CISA’s ‘Cyber Storm’ will help it update National Cyber Incident Response Plan first appeared on Federal News Network.

Organizations — both public and private — have been scattering billions of Internet of Things (IoT) devices all over the world. These devices are typically low-power and have low computing capacity. Yet they are still potential entry points for cybersecurity attacks. Now the FCC has established a voluntary cybersecurity labeling program for IoT devices, as well as some proposed rules. For details, the Federal Drive Host Tom Temin talked with Katy Milner, a partner at Hogan Lovells.

Interview Transcript: 

Tom Temin First of all, let’s talk about the voluntary labeling. Who does this apply to? What kinds of products does this apply to and what on earth do you put on a label that says what?

Katy Milner Yeah, let’s unpack that a little bit. This is a new program for Internet of Things devices. There are billions of devices that make up the Internet of Things that we use in our daily lives, from smart thermostats to fitness trackers to connected appliances. And there are concerns that these devices may not always be properly secured. People often rely on the default passwords. There’s no guarantee that these products the software will be updated as vulnerabilities are identified. So, the FTC has concerns that consumers and users don’t have the right information to really evaluate whether the product they’re purchasing has cybersecurity protections. So, what the FCC has done is attempted to fill that gap with this new cybersecurity IoT labeling program. It applies to wireless consumer devices. And there are a couple carve outs. It doesn’t apply to motor vehicles or motor vehicle devices or devices that are already regulated by the FDA, because those have other regimes that they’re subject to. But these are the devices we commonly find in our homes and that are often used as part of greater systems. So, it’s anything that’s emitting radiofrequency energy and has a network interface like Wi-Fi or Bluetooth.

Tom Temin So the federal government doesn’t buy a lot of the stuff itself. I mean, you’re talking about ring doorbells and that kind of jazz. Although the GSA got in trouble for buying a consumer grade webcam that they put in their conference rooms, it was made in China. What about industrial control sensors, things that are out on pipelines or on the electrical grid, that type of thing. Or airborne drone mounted sensors. These are all IoT things. What about them?

Katy Milner Right. Yes. For drones? Yes. Because those would be used by consumers and may be a product that is used by both consumers and for federal purposes, and that would be eligible to receive this label. Anything that’s not marketed to consumers probably would not fall into this category. As we discussed, there are considerations for federal agencies and federal procurement that don’t flow out of this, too.

Tom Temin Well, before we get to that, just a quick question on the FCC. What will it have to do to I mean, if it’s a voluntary program, does it put it out there and say, does it have guidelines like nutrition labels? Here’s what it should say and in what format? That type of thing.

Katy Milner You’re on the right track there. The FCC has set forth in its March 23rd report, in order the overall structure of what this program will look like and set forth the criteria that products will need to meet to obtain the label. But there’s still a lot of work to be done. There’s going to be a public private partnership of sorts in actually developing the program, because the FCC will be seeking applications for a cybersecurity label administrator that’ll be responsible for the day-to-day aspects of it.

Tom Temin Right? So, it could be stickers. It could be tags. I mean, some things are too small to have a sticker on them and.

Katy Milner Say, yes, yes, they did specify that there’s going to be an actual cyber trust mark, kind of like the energy star labels we see we’re used to seeing on devices that the consumers will be able to view. And then there will also be a QR code that’ll link to a registry with more information about the product and its cybersecurity features. Both the labeling process and this new registry are going to need to be set up still.

Tom Temin And so much of the stuff comes in great quantities from China. Probably a lot of it’s sitting in Baltimore Harbor as we speak. Somehow they have to convince people in China to put labels on, and then that those labels certifying their cyber security status are, in fact, true.

Katy Milner That’s right. The labeling process attempts to control for that, and that there’s a two-step way for manufacturers to obtain the label. First, they’ll need to have their product tested by a certified lab. And once they get the conformity report, then the Cybersecurity Labeling Administrator will review everything to make sure it’s verified. And then at that point, the manufacturer will be able to use the label. But there are definitely concerns that once labels on there, how do we know that the product actually meets the standards that the representations the manufacturer is making about continuing to update it are actually happening?

Tom Temin We’re speaking with attorney Katie Milner. She’s a partner at Hogan Lovells. And you mentioned there are federal procurement regulations regarding this labeling program, because at some point, these devices will cross over into what might be acquired for federal use.

Katy Milner That’s right. Yes. Even though this is a voluntary program. And on the face of it, it is not putting new contract requirements for federal contracting. We’ve often seen standards developed by NIST, the National Institute of Standards and Technology make their way into federal procurement contracts. So, if the government is procuring Internet of Things devices, the contract terms may say the product is eligible to receive the cyber label. The product meets the standards under the FCC cyber label. That may be the new baseline that we’re seeing in these agreements. So, I think both participants and any manufacturer are going to be curious to see how this program evolves. And they may find it useful just to be a competitive differentiator for their products, that it’s able to obtain this label.

Tom Temin Because there is another class of products which in fact are IoT devices, but they’re not marketed as such and not considered in the same use cases. I’m thinking of things like printers, for example, which have hard drives, and they have IP addresses, and they have wireless connectivity, and there’s a lot of high-end consumer type of devices that you might see in an industrial or business setting. And then there are the, you know, the floor standing types of printers that are in big offices. And those are internet connected in that sense, they’re IoT devices. Do you anticipate this program could migrate upwards to anything that is not that are standing alone and operating, that’s not actively keyboard by a human being?

Katy Milner Oh, certainly. I think printers are within the realm of types of devices. They were interested in being subject to this program. So, there’s so many connected devices around us that we don’t even notice anymore. But if they do have this ability to connect to the network at large, that’s going to be a device. They need to consider these requirements.

Tom Temin Yes, because by definition those things are useless unless they are connected to the net.

Katy Milner Right. And by the fact of their connection, that’s what’s introducing these security vulnerabilities that we’re concerned about, both for hacking and malicious behavior, but also the threat of national security issues from espionage, particularly in the government context.

Tom Temin And what is the timeline or intended schedule of this FCC program to get, at least at the rudimentary level here, till there are labels on doorbell chimes.

Katy Milner The FCC has set an aggressive timeline. I have heard that they want this program to be up and running by January of next year. And with the March release of this report in order and setting forth these next steps, there’s a lot to be done in the next few months to nail down the details and get this program up and running. So, it’s going to be fast moving from here.

Tom Temin And does this program have teeth, any way of enforcing the fidelity of the labels, and also just the fact of having them on there in the first place?

Katy Milner Yes, the FCC addressed that in its report, in order. One of the principal enforcement mechanisms that they’re going to be doing is post-market surveillance. So, the program administrator will be buying products off the shelf and sampling them to make sure that they actually meet the standards FCC specified. It will take administrative remedies and civil litigation to address noncompliance. So, if a manufacturer is fraudulently using the label, they could be prosecuted by, we’ve been talking about FCC, but the Federal Trade Commission as well, for deceptive practices or even trademark infringement for using the label without being authorized. Yes.

Tom Temin So there’s 3 or 4 agencies that could jump in and stomp if it doesn’t work. Was this something that the FCC adopted unanimously because they don’t agree on much these days.

Katy Milner Like the rest of the government. But this one the FCC adopted unanimously; the commissioners agreed that something needed to be done to plug this information gap that consumers have about the security of their devices.

The post Federal cybersecurity blanket stretches to cover Internet of Things (IoT) devices first appeared on Federal News Network.

Zscaler makes a key hire of a former federal technology leader to expand its global reach and influence.

These are two of the most recent federal executives on the move.

Eric Hysen, the DHS chief information officer, announced on Monday that Hemant Baidwan will be the new CISO, taking over for Ken Bible, who retired on March 29.

“Hemant has been instrumental in enhancing the department’s cybersecurity posture,” Hysen wrote in an email obtained by Federal News Network. “His background spans both the public and private sectors, where he has excelled in IT development, agile application deployments and strategic expansion globally.”

Meanwhile, Zscaler is hiring Brian Conrad, the former acting director of the cloud security program known as FedRAMP, Federal News Network has learned.

Conrad, who left the General Services Administration on March 22, will be the new director of field compliance authorizing authority liaison.

“We want Brian to own all the relationships with all the FedRAMP-type of agencies or organizations across the globe,” said Stephen Kovac, the chief compliance officer and head of global government affairs at Zscaler. “Many countries have similar organizations like FedRAMP, which act as an authorizing agency. Many are going down the path of secure by design as well, which we think will be huge internationally, so you’ve got programs that are maturing and may not be where FedRAMP is today, but all are trying to mature their processes. Brian has worked with all these folks over the years, but has been more of a friendly coach to many of these agencies. By him joining, this will allow us to build out global practice and build those relationships.”

Kovac said companies ranging from Japan to Singapore to Spain to India to United Kingdom are maturing their cloud security oversight organizations.

He said Conrad can bring a technical acumen to the conversation that will benefit Zscaler as well as the organizations themselves.

“From the earliest days of the FedRAMP program, Zscaler has been an innovator, working to ensure the federal government can deliver modern digital government services, securely,” Conrad said in a release. “Implementing a zero trust cybersecurity framework is mission-critical for every organization, and we must stay focused on separating the signal from the noise. I’m excited to join a team that aligns with my vision of building a secure global digital ecosystem.”

Conrad’s decision to join Zscaler comes after he spent the last five-plus years working for GSA. He was the acting FedRAMP director for the last three years.

GSA is hiring a new FedRAMP director and held information sessions about the position on Monday and today.

Before joining GSA and FedRAMP, Conrad was an officer in the Marines Corps where he worked the Marines Systems Command, the Marines Corps College of Distance Education and several other commands. After retiring from the Marines Corps, Conrad worked at Booz Allen Hamilton before coming back to federal service.

Similar to Conrad, Baidwan joined the government after spending the early part of his career in industry.

Baidwan has been the deputy CISO at DHS since 2021 and has worked in the CIO’s office since 2015 in an assortment of cyber roles.

He also worked at the Immigration and Customs Enforcement directorate as the governance and risk management section chief.

With Baidwan taking on the new role, Hysen said Antonio Scimemi will be the acting CISO. Scimemi has overseen the CISO cybersecurity assessments division and led the effort to develop the agency’s unified cyber maturity model.

He also was the deputy CISO and acting director of IT operations at ICE.

The post DHS hires new CISO; Former cloud security lead lands new job first appeared on Federal News Network.

“There are a good number of support systems that support those weapon systems and are essentially IT systems just like our normal networks and computers. We do believe that those should be covered because they’re part of the NIPR and SIPR landscape,” David McKeown, DoD’s chief information security officer, said during the DoD Zero Trust Symposium Wednesday.

“The actual weapon system platform — we’re going to continue to work on how we might employ that. But all the support systems related to weapon systems —which are also sometimes referred to as part of the weapon system or weapon system themselves, if they are network-based, application-based — yes, they should get covered by the mandate.”

Retrofitting zero trust into some weapon systems that have already been built is nearly impossible, but the Defense Department’s chief information officer’s office will work to get the IT infrastructure for functions such as command and control or logistics and maintenance to the zero trust target level by 2027.

“As we go forward, we’re going to keep looking at other areas too. Zero trust on weapons systems is going to be a heavy lift. We’re going have to figure out how to do that. It’s one thing to do this on networks — another thing is to do it on a weapons system or weapon platform, operational technology and so on,” DoD CIO John Sherman said.

In 2018, the Government Accountability Office reported that the DoD was “routinely” finding cyber vulnerabilities in its weapons systems late in the development process. The department made some progress by 2021, but it was failing to incorporate cybersecurity requirements into contracts. The watchdog agency said some contracts didn’t have language for cybersecurity requirements at all.

Including OT, weapons systems cybersecurity from the beginning

Daryl Haegley, Air Force technical director of control systems cyber resilience, said it’s critical that the DoD includes operational technology into all the planning processes as it moves forward with zero trust implementation.

“Just one of the biggest things I’d really like to see is including OT in all those planning processes to ensure that as we talk about how we’re going to integrate a solution — that we’re considering the full gamut from the OT to the IT. We still have yet to find an IT system that can operate without OT. Yet, we still continue to not apply cyber to OT,” Haegley said.

Last year, Haegley’s team conducted a zero trust pilot at Spangdahlem Air Base located in Germany. The team sent to the base was able to target 38 out of 91 activities to protect five water systems and two wastewater systems.

The Zero-Trust Portfolio Management Office funded the pilot, which became operational in December. While the project showed promising results when it comes to securing OT using zero trust principles, gaps in coordination, among other challenges, persist amid DoD’s efforts to apply zero trust not only to networks but operational technology systems as well.

“It was great to see that there’s a lot of innovation out there and vendors have [zero trust] solutions that can be applied to OT. What we learned from that process, though there just wasn’t that coordination with the rest of the Department of the Air Force,” Haegley said.

The post Zero trust for weapons systems will be a ‘heavy lift’ for DoD first appeared on Federal News Network.

In an exclusive new ebook, discover how the Consumer Financial Protection Bureau, the Department of Health and Human Services and Akamai are tackling zero trust. Also, learn how cyber research builds on zero trust at the Pacific Northwest National Laboratory.

Download the ebook now!

The post Defending critical assets from increasing security threats first appeared on Federal News Network.