Reframing the U.S. Government’s Approach to Cybersecurity Oversight

By Matthew Shallbetter, director of Strategy, Federal Civilian, at Armis
With the profusion of directives and guidance emanating from government cybersecurity oversight agencies, both houses of Congress are proposing legislation that aims to harmonize cybersecurity regulations across the federal government.
The Senate Homeland Security and Governmental Affairs Committee approved the “Streamlining Federal Cybersecurity Regulations Act” in July 2024 with bipartisan support, but the legislation stalled before full Senate approval. More recently, departing National Cyber Director Harry Coker used a January 7 farewell address to urge the incoming administration and Congress to continue to push to achieve harmonization of federal cybersecurity regulations.
While centralized cybersecurity oversight is important and often relates to critical issues, the number of directives and alerts issued can also inadvertently cause chief information security officers within federal agencies to move their focus to implementing the new policy guidance and away from basic day-to-day cybersecurity functions – tasks that may be viewed as mundane but are nevertheless essential to achieving agency goals.
Addressing this situation will require a recommitment to partnerships in cybersecurity oversight, not only on the part of oversight agencies but also end-user organizations that will need to step up efforts to collaborate with agencies like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB).
This “all-hands” approach to cybersecurity would encompass contributions from across the government and emphasize cross-agency collaboration. It’s critical to break down the work efficiently.
Oversight agencies can start by adjusting the focus of the cybersecurity guidance and direction they provide to federal agencies to center on only the most critical issues while taking on more of the general oversight activities themselves (or delegating those responsibilities elsewhere when appropriate). Not every agency needs to request, collect and audit a software bill of materials (SBOM). Not every agency has the resources to assess the risks of quantum cryptography.
Still, CISA cannot secure the federal government alone, and agencies must not wait for CISA to do so. To secure their missions, agencies across the federal government should leverage the expertise and technology that agencies like CISA offer and combine this with their own capabilities to help modernize their cybersecurity strategies.
For example, CISA has been taking major steps to modernize the government’s Continuous Diagnostics and Mitigation (CDM) program and make it more relevant to the zero trust solutions and risk reduction efforts federal agencies are implementing. CISA is moving forward with CDM solutions that offer more agile operational tools, better and more impactful data, and simpler, real-time risk analysis. Agencies have an opportunity to integrate these capabilities to modernize their own CDM initiatives and make them a fundamental component of their cybersecurity strategies.
OMB is reinforcing this message in its FY25 Federal Information Security Modernization Act (FISMA) metrics, where agencies are challenged not only to rely on CDM capabilities for reporting their IT inventories but also to extend risk management into previously out-of-scope and undermanaged assets, such as Internet of Things devices (e.g., connected TVs, automobiles, cameras and speakers) and operational technology (e.g., building management solutions, air conditioning and heating systems, power grids, medical and lab devices). With those assets in view, agencies are better situated to address the threat that rogue devices pose to their citizen services. Aligning ratings to actionable measures provides the focus to drive funding where it is needed: delivering skills and capabilities that reduce risk.
Although agencies are poised to effectively track threats to federal government assets and devices, organizations like NIST and CISA have the resources for addressing future risks. For instance, recent guidance to agencies calls on CISOs to inventory any IT systems or assets that may contain vulnerable cryptography. Many agencies lack the time, resources and expertise to implement this guidance, and doing so would pull resources away from the nuts-and-bolts cybersecurity activities that must be undertaken by agencies every day.
Assistance with tasks like quantum algorithm audits from a designated oversight agency with in-house cybersecurity expertise would result in greater immediate protection by allowing agency personnel to focus on the most imminent threats while giving them a boost in preparation for future threats like quantum computer attacks.
At the agency level, cybersecurity should be viewed as an inherent part of doing business, not just for delivering services but also for quickly scaling resources with collective knowledge through collaboration with CISA and other agencies. While it won’t happen overnight, agency CISOs can make this a reality during their tenure if they actively engage in the process.
Shallbetter previously served as director of security design/innovation at the Department of Health and Human Services.