Security leaders widely cheered the laundry list of requirements handed down by the Biden administration this week to shore up security across the federal government. At the same time, agencies are left wondering where they will find the resources to actually comply.
The draft memorandum, released Tuesday by the Office of Management and Budget, requires agencies to make major progress by 2024 in identity management, device and asset tracking, encryption of federal network traffic and software testing. Arguably more granular than past federal cybersecurity directives, the requirements give agencies specific guidelines defining how President Joe Biden's executive order on improving the nation's cybersecurity will be realized.
But these agencies still have to figure out where to find the funding.
“I think the executive order and the recent policy guidance are exciting, moving the federal government and the nation in the right direction,” said Sheena Burrell, deputy chief information officer at the National Archives and Records Administration (NARA), during a panel discussion hosted by the Bethesda, Maryland, chapter of the non-profit association AFCEA. “But it didn't come with a boatload of resources… The budget cycle and the executive order did not align. So while agencies are working on their 2023 budget submissions, they need to address these executive orders right now. Some agencies – we don't have the resources to actually execute on them. We’re trying to figure out what is our priority.”
Burrell does note that the guidelines supporting the executive order are, to some degree, a continuation of the cybersecurity modernization roadmap that OMB started years ago. And while the timeline may be condensed, TJ Richardson, deputy director of cybersecurity operations at the Department of Health and Human Services, pointed during the panel session to existing standards that already provide a similar IT security foundation: the Trusted Internet Connections (TIC) initiative, most notably TIC 3.0, released in July 2020, and Special Publication 800-207 from the National Institute of Standards and Technology, released a month later, which establishes the tenets of zero trust and the logical components of a zero-trust architecture.
“These really aren't new concepts. There are things to build on,” said Richardson, who is a member of the Federal CISO Council TIC Subcommittee.
“We have had examples to follow, architectures where the flexibility was handed to us to go to the cloud and make sure we're building in security at every step of the way," she continued. "There's guidelines, use cases. It's all there.”
Similarly, some of the funding needed to comply with the Biden order could come from existing budget requests. Burrell had already asked for funding to support multifactor authentication efforts, for example, so the policy “kind of just put a nice bow on it.”
In terms of additional funding resources, many agencies may look to the Technology Modernization Fund. TMF was authorized by the Modernizing Government Technology Act of 2017, providing incremental funding and technical expertise to ensure technology project success. To date, the TMF has received $175 million through the annual budget process and $1 billion through the American Rescue Plan to fund modernization projects.
“I think we're all going through the budget cycles, and a part of that is TMF funding,” said Mittal Desai, CIO at the Federal Energy Regulatory Commission, during the panel. FERC regulates the transmission and wholesale sale of electricity and natural gas in interstate commerce and regulates the transportation of oil by pipeline in interstate commerce, meaning executive orders tied to critical infrastructure also have a direct impact on its operations.
“We're putting requirements into our proposals, as many agencies are, for TMF to augment some of our appropriations that maintain our day-to-day operations,” Desai added.
Likewise, NARA will submit for TMF funding for efforts to modernize high value assets and to enable a zero-trust architecture.
“That's what the American Rescue Plan funds were put there for,” now with more flexible guidelines in terms of payback, Burrell said. “We didn't have that money and we didn't have those resources when these [orders] came out. And that was what the genesis of the Technology Modernization Fund was about. But we're also going back and having some of these conversations – how we make some shifts knowing that we were not planning for this type of comprehensive policy change in the middle of the year.”