Recent reporting indicates that the Biden Administration is gearing up for a pivotal push to modernize federal IT infrastructure in accordance with Secure by Design principles, which reflect this administration’s consistent focus and ambitious goals with respect to federal IT modernization. Some of those efforts over the last two years have included:
- Executive Order 14028 tied IT Modernization to Zero Trust principles;
- Secure by Design/Secure by Default principles from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the cybersecurity authorities of six allied nations;
- The National Cybersecurity Strategy implementation plan; and
- CISA pamphlet on Quantum Readiness.
We encourage the administration to build on these efforts and ensure that they converge in a way initiatives that effectively supports security by design. After all, modernizing federal information systems will be a complex challenge. In order for the administration to deliver on its commitment to modernizing federal IT infrastructure to deliver secure constituent services, it will need to develop a robust multi-year strategy that integrates complex, ongoing policy initiatives, unites stakeholders around a mutual goal of promoting secure by design principles, and secures sufficient funding to drive meaningful outcomes.
To promote these outcomes, the administration should keep in mind the following four areas as it maps out its IT modernization roadmap to promote Secure by Design principles:
Zero Trust Architecture
Despite the progress made to date, federal agencies still face a multi-year transition before the federal enterprise can meet its Zero Trust objectives. The currently ongoing migration of federal information systems to a Zero Trust Architecture will require redesign of system architectures. Executive Order 14028 tied the notion of federal IT modernization to the administration’s Zero Trust objectives. As agencies develop their transition and modernization plans, it is essential that agency leaders can trust that they have multiyear planning security. To avoid downstream complications, the administration should empower executive branch agencies to evaluate the long-term implications of decisions that are being made right now and the total cost of ownership for the product lifecycle.
Quantum
The transition to quantum safety will require the redesign and replacement of critical parts of the infrastructure that underpins the public internet. The biggest challenge will be to accomplish this complex feat while maintaining full operability of the infrastructure that enables 21st century service delivery. The administration has taken important steps to outline a transition roadmap for quantum safety, research appropriate algorithms, and kickstart cryptographic discovery. It is important to keep pursuing this pathway even if it is still too early to confidently know where it will lead. Redesigning the root of trust of the physical infrastructure that underpins modern communications must be considered and integrated into any IT modernization plan to ensure interoperability moving forward. It is, therefore, critical that the administration adopt a multi-year mindset so that emerging technological developments can be seamlessly and securely integrated into existing systems.
Software Security
Any federal IT modernization plan will need to also consider the security of the software that will be deployed across systems. The Cybersecurity Executive Order focused Section 4 entirely on enhancing software supply chain security and produced a range of policy collateral, including guidance on software bills of materials (SBOMs), the Secure Software Development Framework (SSDF), a definition of critical software, and a self-attestation form for software producers to attest to their adherence to pre-identified security requirements. Currently, the Office of the National Cyber Director (ONCD) is requesting information on prioritization areas for open-source software security. More guidance is expected in the near future, including standardized contracting language and a legal symposium on software liability. Experience has shown that stakeholder acceptance was highest for those efforts that provided a robust public engagement process. These insights should be leveraged for the development of the federal IT modernization plan. To get stakeholders on board early on, the administration would be well-advised to prioritize the provision of a structured and transparent stakeholder engagement process.
Shared and Automated Services
Leveraging shared and automated services can drive performance and cost efficiencies for constituents and federal end-users. This dovetails nicely with current White House efforts to harmonize federal cybersecurity regulations. Duplicative regulations impact federal agencies as much as private sector ones. For example, in the law enforcement space, threat information sharing is complicated by conflicting sector-specific regulations. This negatively impacts national security and results in excess resources being focused on compliance rather than furthering security outcomes. On the other hand, programs like FedRAMP can facilitate risk information sharing between agencies. While not perfect, this can help eliminate or at least minimize the need for reauthorization of a given product. FedRAMP has also had great initial success with the adoption of the Open Security Controls Assessment Language (OSCAL), which has helped to reduce the time and resources to prepare, authorize, and reuse cloud products and services. Process automation through the responsible use of artificial intelligence and machine learning can further drive efficiencies. The administration should integrate the insights it gains from the regulatory harmonization RFI to identify areas where the IT modernization plan could leverage shared service models and automation to improve security outcomes.