Agencies Lean on Collaborations to Boost Network Security

Collaboration between federal agencies can lead to significant improvements in their respective network security posture. Cybersecurity leaders from the Centers for Medicare and Medicaid Services (CMS), Consumer Financial Protection Bureau (CFPB) and the Federal Aviation Administration (FAA) said they are all seeing benefits from cross-agency collaboration for enhanced threat detection and response as well as defending against cyberattacks.

CMS, for example, has eight federal trusted data source partners to prepare for open enrollment.

“We’re always working with our partners, we’re even developing a security and private framework to help ease some of the variations and security and privacy requirements so that we could collaborate better and interoperate better with our partners,” said CMS Senior Information Security Advisor Kevin Dorsey during an ATARC webinar. “We need to do more with sharing of ideas, having joint meetings where we share what our new efforts are with each other, we need to have more of that.”

The agency officials said they can cooperate more often, share more lessons learned and discuss approaches to securing critical infrastructure to avoid reinventing the wheel every time a new federal mandate has been issued.

CFPB also collaborates with security teams from other agencies to share ideas, said CISO Tiina Rodrigue.

“If there’s an area we’re proud of, we will host agencies in to see how we do it and share our documentation. If we’re adopting a new technology, we will work with FedRamp to find out who the security engineers are so that we can get their information. And then, if there’s something where we just need additional guidance, we’ll work across with the OMB, CISA and DOJ teams in order to get their lay of the land and to see what landmines, if any, they’ve run into and how we can avoid that,” said Rodrigue.

FAA has an interagency working group with the Defense Department, with one reason being their joint interest in the aviation sector.

“Since DOD has a lot of dependencies on commercial aviation, we created subgroups in those that are cybersecurity-specific. We collaborate on an aviation cybersecurity initiative that’s chaired with DHS and DOD, and we work on different types of activities. For example, we looked at GPS and the impacts of what would happen if there were any kind of compromise like jamming or spoofing,” said FAA Air Traffic Organization Cybersecurity Manager Luci Holemans.

Agencies are also teaming up with the Cybersecurity Infrastructure and Security Agency (CISA) to set government-wide security standards and meet White House cybersecurity directives. FAA is working closely with CISA to be more specific in different types of environments.

“CISA has been testing out our operational environments, but we need more testing of our administrative types of environments just to see what kind of vulnerabilities are there again to try and increase that to the operational side,” Holemans said. “We’re also requiring CISA to have more expertise in terms of the impacts to aviation. If something were to be compromised during one of those tests, we’re trying to better understand what we would consider our high-value assets.”

Rodrigue said collaborating with CISA has helped CFPB gain momentum on its security work.

“By having the Kevlar lists and the multiple areas where they help us ascertain that we are just as secure as we think we are, where we have opportunities for improvement, it really helps communicate not just to the cyber team, but also our broader leadership,” said Rodrigue. “Being able to communicate back to them where things are well-instrumented, where again we could use additional guidance or leverage new approaches. That’s really been the full dynamic for us because we do try to be very collaborative with them.”

The Department of Health and Human Services (HHS) receives initial guidance from CISA and then pushes it down with additional guidance to its subagencies like CMS. Dorsey said he would like to see more being done when it comes to information sharing.

“I’d like to see more from CISA to receive where the pain points are for the specific agencies, guidance that we can then tailor it to meet our needs,” Dorsey said. “I think it would be helpful to understand where agencies are having these pain points because we may find that there are some commonalities that would help and then direct future guidance.”