Cybersecurity in the New DHS IT Strategic Plan

Published: October 04, 2023

Federal Market Analysis | Cybersecurity | DHS | Information Technology | Policy and Legislation

Securing both agency and government-wide systems is an evolving objective.

In case you missed it: if you do business with the Department of Homeland Security (DHS), note that the Office of the Chief Information Officer (OCIO) recently released a new information technology strategic plan. The plan covers fiscal years 2024 through 2028 and contains a number of details concerning cybersecurity investment, starting with training the workforce and continuing with securing systems and data. Today’s post provides a short summary of what contractors need to know.

Workforce

The DHS, like other federal agencies, is facing a critical skills gap when it comes to hiring employees with cybersecurity experience. The department is therefore leveraging its recently deployed Cybersecurity Talent Management System (CTMS) to address the challenge at some components. Launched in November 2021, the CTMS is currently supported by Deloitte Consulting under a $38M task order (70RDAD20FR0000152) that expires at the end of September 2025.

Unified Cybersecurity Maturity Model (UCMM)

One strategy being employed by the OCIO is to continue aligning security practices with the DHS Unified Cybersecurity Maturity Model. The UCMM framework is intended to “align cybersecurity spending and new cybersecurity capability requests to critical cybersecurity domains and current initiatives, further improving alignment between DHS and National Security Strategies.” According to the Government Accountability Office in March 2022, the DHS used the UCMM framework to prioritize updating the Management Directorate’s Plans of Action and Milestones (POA&Ms), which resulted in the Directorate closing about 64% of its overdue POA&Ms. The UCMM framework is now being rolled out across all DHS components, so programs currently in flight could see some minor disruptions or changes as they are mapped to the UCMM maturity levels.

Securing the IT Supply Chain

Under the SECURE Technology Act of 2018, the DHS holds supply chain risk management authorities for commodity IT products, authorities that took on new urgency after the SolarWinds compromise. The OCIO can therefore remove companies and products from the Department’s IT supply chains as threats are identified. The OCIO promises to coordinate these types of actions with industry partners “to avoid surprises and unintended consequences.” In addition, the OCIO “will seek to incentivize the right practices in the private sector rather than issue blanket mandates.”

Implementing Zero Trust Architecture

Along with all other federal agencies complying with Executive Order 14028, Improving the Nation’s Cybersecurity, the DHS is building a zero trust architecture. This involves adopting identity and access management capabilities along with automated, continuous monitoring. The OCIO intends to “uphold the principles of least privilege and dynamic response … to reduce the attack surface and potential fallout from breaches.”

Working with Industry Partners

The OCIO intends to expand the Hack DHS bug bounty program and its vulnerability disclosure policy so that private security researchers and hackers can identify vulnerabilities in its systems before adversaries do. Partnerships with, and contributions to, the open source software community will also be strengthened to improve collective security. Lastly, the OCIO plans to increase transparency with industry partners in order to share lessons learned and strengthen security practices on both sides.