By Matthew Shallbetter, Federal Civilian Director of Plan at Armis
Both houses of Congress are proposing legislation that aims to harmonize cybersecurity regulations across the federal government, in light of the plethora of directives and guidance issued by government oversight bodies.
The Streamlining Federal Cybersecurity Regulations Act was approved by the Senate Homeland Security and Governmental Affairs Committee in July 2024 with bipartisan support, but it stalled before a full Senate vote. In a recent speech, retiring National Cyber Director Harry Coker urged the incoming administration and Congress to keep pushing for the harmonization of federal cybersecurity regulations.
While consolidated security oversight is important and frequently addresses critical issues, the sheer number of directives and alerts can unintentionally shift agencies' focus away from the fundamental day-to-day tasks that may seem unimportant but are still necessary to accomplish agency objectives.
To address this situation, oversight agencies must reaffirm their commitment to working with organizations like the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).
This "all-hands" approach to security should draw on contributions from all levels of government and stress cross-agency collaboration. Dividing the work effectively is crucial.
Oversight organizations can begin by refocusing the cybersecurity guidance and direction they give to federal agencies so that it concentrates only on the most pressing issues, while taking on the more general oversight tasks themselves (or delegating those responsibilities as needed). Not every agency needs to request, collect, and audit a software bill of materials (SBOM). Not every agency has the expertise to assess the risks that quantum computing poses to its cryptography.
However, CISA cannot guarantee the federal government's success by itself, and agencies cannot simply wait for CISA to step in. Agencies across the federal government should use the skills and technologies that organizations like CISA offer to advance their own security strategies.
For instance, CISA has been making significant efforts to modernize the government's Continuous Diagnostics and Mitigation (CDM) program and make it more relevant in light of the zero-trust solutions and risk-reduction initiatives that federal agencies are putting in place. With more efficient operational tools, stronger and richer data, and simpler, real-time risk analysis, CISA is moving CDM forward. Agencies have the opportunity to incorporate these capabilities to upgrade their own CDM initiatives and make them a key component of their security strategies.
OMB is reinforcing this point with its FY25 Federal Information Security Modernization Act (FISMA) metrics, which challenge agencies to use CDM capabilities to report their IT inventories, including connected devices like TVs, cars, cameras, and speakers, as well as operational technology (such as building management solutions, air conditioning and heating systems, power grids, medical and lab devices, etc.). Agencies that do so are better positioned to combat the threat that rogue devices pose to their citizens. Tying scores to practical measures helps direct funding where it is needed: toward the skills and capabilities that reduce risk.
While agencies are best positioned to track threats to their own assets and devices, organizations like NIST and CISA have the resources to address emerging risks. For instance, new guidance calls on CISOs to take inventory of any IT systems or assets that might have cryptographic vulnerabilities. Many agencies lack the time, expertise, and resources to do this while still carrying out the nuts-and-bolts cybersecurity work that must happen every day.
Assigning tasks like quantum algorithm audits to a designated oversight agency with in-house security expertise would deliver faster protection: agency personnel could concentrate on the most pressing threats while building their capacity against emerging ones like quantum computer attacks.
Cybersecurity should be seen as an intrinsic component of running the business, not just for delivering services but also for quickly scaling resources with shared understanding through collaboration with CISA and other agencies. Although it won't happen overnight, agency CISOs can take the initiative to make this a reality during their tenures.
Shallbetter formerly headed security design and innovation at the Department of Health and Human Services.