CISA’s New Cybersecurity Alignment Plan

Published: October 04, 2024

CISA wants to nudge all federal civilian agencies toward an enterprise approach to cybersecurity and managing cyber risk.

Historically, cybersecurity efforts among federal agencies have been quite diverse and independently managed. But the Cybersecurity and Infrastructure Security Agency (CISA) wants to move toward a more enterprise approach, at least for the civilian agencies.

CISA recently released its plan to align the cybersecurity efforts of all Federal Civilian Executive Branch (FCEB) agencies. CISA’s FCEB Operational Cybersecurity Alignment (FOCAL) Plan provides FCEB agencies with “standard, essential components of enterprise operational cybersecurity and aligns the collective operational defense capabilities across the federal enterprise.”

Priorities and Goals in CISA’s New Cybersecurity Alignment Plan

CISA has organized its new FOCAL plan into five priority areas that it considers essential to effectively positioning cybersecurity efforts across the federal landscape and that align with agencies’ Federal Information Security Modernization Act (FISMA) metrics and reporting requirements. Each of the five priority areas has one or more agency goals that will align them with an enterprise cybersecurity approach.

  1. Asset Management – Agencies must properly account for and manage each individual IT asset to defend against attacks or determine risks posed by an insecure software product. Improving Asset Management is a core function of the Continuous Diagnostics and Mitigation (CDM) program and a mandate under CISA’s 2022 Binding Operational Directive (BOD) 23-01.
    • Alignment Goal: Increase Operational Visibility – Each agency should have already established a centralized hardware and software inventory database that uses automated updates; established automated asset discovery scans that occur weekly or more often; and documented asset coverage and capability gaps and strategies to address them.
  2. Vulnerability Management – Improving vulnerability management across agencies will provide for fast and efficient mitigation of vulnerabilities and enable a more agile and coordinated response when vulnerabilities are detected.
    • Alignment Goal: Manage the Attack Surface of Internet-Accessible Assets – Agencies should have regularly performed full-credentialed vulnerability scanning across all assets; leveraged internal capabilities, policy directives, and CISA cybersecurity advisories to prioritize and mitigate critical vulnerabilities; and established processes and procedures to identify and remediate vulnerabilities within mandated timeframes.
  3. Defensible Architecture – As federal agencies modernize their technology, they must intentionally build a resilient, defensible architecture that is designed with the appropriate controls to limit access to sensitive data or ensure undisrupted operations.
    • Alignment Goal: Secure Cloud Business Applications – Agencies should leverage CISA’s set of security configurations to help protect information stored within these environments.
    • Alignment Goal: Share Cybersecurity Telemetry Data with CISA – Agencies should use methods described in the various TIC 3.0 use cases.
    • Alignment Goal: Enhance Zero Trust (ZT) Capabilities – Agencies should have identified challenges to meeting their ZT implementation plans and developed potential solutions; identified internet-exposed management interfaces and removed the interface from the internet or deployed capabilities that enforce access controls through a Policy Enforcement Point (PEP); and identified, justified and addressed technical, business and process gaps in meeting the phishing-resistant MFA implementation requirement in a plan, documenting tasks and resources required to bridge gaps.
  4. Cyber Supply Chain Risk Management (C-SCRM) – Agencies must be aware of the risks and security postures of the numerous third parties with whom they do business, as agencies rely on more external providers and technology.
    • Alignment Goal: Prepare for Rapid Removal of High-Risk Software and Hardware – Agencies should have established supply chain processes that integrate C-SCRM requirements and information sharing; coordinated and developed an agency-wide C-SCRM strategy to make informed risk-based decisions; included appropriate C-SCRM requirements and guidance into procurement/contractual agreements with suppliers; developed supplier requirements to ensure that suppliers address product and service risks; and identified and removed prohibited information and communications technologies or services per federal laws, policies and directives.
  5. Incident Detection & Response – Agency Security Operations Centers (SOCs) need to improve their incident detection and response capabilities to gain greater visibility and better detect intrusions and adversarial activities.
    • Alignment Goal: Enable CISA’s Persistent Access Capability – Agencies are to ensure Endpoint Detection and Response (EDR) coverage across the agency and enable CISA’s persistent access capability to facilitate situational awareness and information sharing across the federal enterprise.
    • Alignment Goal: Advance SOC Governance – Agencies should have engaged in cross-agency technical exchanges to share operational challenges, best practices, standards, and acquisitions to improve data quality and relevance; integrated Cyber Threat Intelligence (CTI) tools, data, and services to improve CTI generation, consumption, utilization and sharing; and assessed and compared their “As-Is” status against applicable governance and mandates to identify compliance challenges and issues.

Final Thoughts

CISA’s latest coordination effort has its roots in the long list of cyber mandates included in the White House’s 2021 Executive Order 14028 on Improving the Nation’s Cybersecurity and other existing federal cyber policies, which explains why so many of the alignment goals in this plan are stated as things that agencies should have already completed or have in progress. The objective to align agency cyber activities seems both long overdue and indicative of the ongoing diverse status quo of agency cyber postures and capabilities, which CISA readily acknowledges.

While there is nothing particularly new in the plan, as far as novel approaches or innovative technologies are concerned, the focus on aligning federal cyber efforts enterprise-wide could have some impact on the competitive landscape for cybersecurity products and services. This means that companies with offerings in this market may face either greater competition or greater opportunities, or both.