Feedback on White House’s cybersecurity order: volunteering, grumbling, and some urgency
A presidential executive order in May calling for better cybersecurity, including multi-factor authentication and zero trust architecture, has had unexpected positive benefits among state governments and all-too-expected affects among federal agency CIOs.
A pair of recent stories in different trade publications look at how this spring’s order by President Joe Biden is playing out.
StateScoop listened in on an online discussion last week for IT officials. They said that although they are not, strictly speaking, required to act on an executive order (the state bureaucracies are independent of White House directives), they try to stay in step.
That is the case with the May 12 order calling for upgraded cybersecurity operations, including identity authentication. IT leaders from New York, Michigan, Texas and Florida said they have tried to adopt MFA and other requirements and policies that are applicable to their departments, resources willing.
Federal CIOs, no doubt because an executive order is not merely a suggestion, are itchier about the topic.
An article in FCW quotes top IT officers discussing the effect the cybersecurity executive order has had on them and their organizations, and resources come up repeatedly as a problem. The Department of Energy is yet to complete its MFA implementation despite the six-month deadline passing earlier this month, as the department has not yet worked out how to do so without locking “scientific collaborators” out.
Labor Department CIO Gundeep Ahluwalia reportedly told the publication that cybersecurity collaboration among agencies has improved thanks to the order, but some provisions remain unfulfilled because Labor does not have everything it needs to comply.
IT infrastructure is chronically outdated and even decrepit in some cases. There are some exceptions — NASA, some areas of Homeland Security, the Centers for Disease Control and Prevention — but virtually all corners are behind industry standards.
The FCW article points out that a $750 million reserve for federal IT upgrades called for in the President’s fiscal 2022 budget request, cannot make a meaningful across-the-board change.
The Defense Department has acted to upgrade digital ID systems, though it is not clear if recent moves are related to the executive order or concern at how successful and frequent attacks are getting.
Trade publication GovInfoSecurity has reported on the department’s campaign to create a zero trust office led by an as-yet-unnamed official who reports to Kelly Fletcher, CIO of the Department of Defense.
The publication notes that the urgency — the office is to be operational next month — follows the catastrophic SolarWinds attack, which has largely been placed at the feet of Russian actors.
Investments in zero-trust policies often involve biometric login systems.
David McKeown, cybersecurity deputy CIO for the department, is quoted saying that the aim is to “rational all network environments out there, prioritize and set each one of them on a path of zero trust over the coming five, six, seven years.”