The SolarWinds hack spurred rapid response from security leaders across government and industry. For Kenneth Bible, the chief information security officer of the Department of Homeland Security, it drove a methodical response that ultimately contributed to a new framework for securing the supply chain.
Bible, who spoke during an opening session at the SC Government eConference, joined DHS in January from his prior role as deputy CIO of the Marine Corps — “in the peak of the response actions for SolarWinds,” he recalled. He prioritized a partnership approach to remediation, working directly with SolarWinds to assess the damage and develop a response plan.
“We literally formed up a team from my federal workforce to go out and work with the CISO at SolarWinds and gather artifacts associated with what they had done to remediate the issues,” he said. “And actually it was a very successful venture, and very cooperative engagement to analyze what had happened, what was being done to correct it.” That turned into a report that was delivered to the CIO by his CISO Council — the cybersecurity governing body for the department comprising all of the agency CISOs — and ultimately to the federal CIO Council.
From there, “we started to establish this pattern of how we would go look at products that were critical in our environment” to address associated risk, Bible said. He referred to that effort as one prong in what ultimately became a four-prong strategy for cybersecurity supply chain risk management. Another prong involved internal coordination to address cyber risks: for example, the procurement office would, as standard practice, share the list of suppliers within a given program with the security teams, or the chief financial officer would coordinate with the security team to pay off the budget cycle for some sort of remedial action if a decision was made to remove or modify a component due to risk.
Another prong of the strategy involves evaluation of what is already in the environment to better enable asset management. DHS used the Technical Reference Model, which establishes the baseline of products within the department, and used open-source tools to gather intelligence that helped identify risks that were not being adequately tracked. Those risks could then be elevated again through the CISO Council, “so we can start to make informed decisions; do we want to keep on using those technologies or do we want to take those technologies out of the environment? That’s ongoing work.”
Finally, the fourth prong was established to promote good cyber hygiene within the contracting community. This was being addressed within the Department of Defense through the Cybersecurity Maturity Model Certification, which relied upon third-party assessments as a condition for getting a contract award. But Bible saw the approach as “a little bit too heavy handed” for the industrial base that supports the Department of Homeland Security. DHS “really didn’t want to disadvantage small businesses, which have been kind of the heart of being able to innovate within the Department of Homeland Security,” he said.
Instead, the department started a pathfinder effort back in the June-July timeframe to do an assessment of a vendor using existing Homeland Security acquisition regulation clauses that had existed since 2015, but were never exercised. What resulted was a “very productive effort to go look at a vendor that was handling controlled but unclassified information and assess them against some standards for cyber hygiene,” Bible continued.
Interestingly, DoD’s modified CMMC 2.0 seems to be following suit, “looking a whole lot more like what we were doing with our Homeland Security acquisition regulation,” he added, by deemphasizing the accreditation board. Bible is quick to note, however, that the most effective approach probably falls somewhere between strict third-party assessments as a condition of contract award and self-attestation that leaves agencies to simply take the contractors at their word. The reality is that industry has not yet earned the level of trust to enable the latter.
“I would like to be able to trust that when I came in and I did some sort of validation inspection after a contract award that everything would be up and up and that it would still be meeting the standard,” Bible said. But “I’m less comfortable with that based on the experiences that others have had when they actually peeled back the covers. We’ve really got to have industry focused on cybersecurity, building the reps and sets of a good cybersecurity culture in advance of an award; being able to show that the mechanisms are in place to drive cybersecurity within a company.
“And that’s something that we’ve paid lip service to in the past,” Bible continued. “But we’ve never really inspected what we wanted until we’ve already had a contract. We’re bending metal — building something and then deciding how we want to go address cybersecurity. And I think that may be too late. The cybersecurity culture is not something that you snap your fingers and automatically achieve.”