5 Takeaways from CyberScape: The Federal Cybersecurity Summit

The administration is reframing federal cybersecurity around deterrence, with a renewed focus on imposing consequences for cybercriminals and the nations that enable them.

White House Deputy Assistant National Cyber Director for Critical Infrastructure Seth McKinnis said his office’s recently released National Cyber Strategy and accompanying executive order mark a shift toward “action-oriented” cyber policy designed to make adversaries “think twice before they target Americans.”

He stressed that timely, actionable intelligence and better coordination across federal, state and private-sector partners are critical during cyber incidents. At the same time, he warned that overly burdensome compliance requirements can hinder response efforts.

Federal agencies are intensifying efforts to secure operational technology (OT) and internet of things (IoT) systems, which have become a prime target for Iranian-affiliated actors, according to a joint advisory released earlier this month.

“Prevention is probably the thing we do best … and recovery is something we really need to put a lot of money and effort behind,” said Carter Farmer, CIO at Environmental Protection Agency.

Limited visibility remains a core challenge. Leaders say agencies cannot secure what they cannot see, particularly across sprawling, interconnected systems. The Navy is addressing this by shifting to a continuous cybersecurity model and deploying a unified enclave architecture across IT, OT and IoT to improve awareness and response, said Shery Thomas, enterprise IT officer at Navy Installations Command.

“I need to know what the heck is going on in all of these systems and networks. I don’t want the adversary to know what I don’t,” he said.

Centers for Medicare and Medicaid Services Acting CISO Keith Busby said federal government is “inherently behind the curve” and needs to “pick up the pace” with AI. Faster development cycles, shrinking from 18 months to about seven, are putting pressure on governance models to keep up, according to Anil Chaudhry, senior advisor for AI at the Transportation Department.

To close that gap, agencies are embedding AI into operations to speed detection and response while maintaining human oversight. CMS is integrating AI into security operations to correlate data, prioritize vulnerabilities and automate assessments.

“Recent changes in the AI industry are going to rapidly throw vulnerabilities at every technical entity,” Busby said, underscoring the urgency to scale both AI adoption and oversight.

As agencies race to adopt AI, Department of Health and Human Services Assistant Inspector General for Cybersecurity and IT Audits Tamara Lilly said leaders must first establish clear governance frameworks.

Compliance is shifting from static policies to real-time enforcement. Lilly urged leaders to move beyond high-level guidance and implement durable frameworks. She emphasized defining clear boundaries around what systems can do, who can access them and how often they operate.

“We’re allowing these systems onto the network … but the swiftness by which they operate is faster than our current traditional controls are effective,” said Lilly.

Federal leaders say securing the supply chain requires a shift to continuous risk management and a “trust and verify” mindset. A key challenge is limited visibility into partners, especially since small businesses make up a large portion of the defense industrial base, said Defense Logistics Agency CIO Adarryl Roberts.

Leaders emphasized moving beyond pre-award checks to ongoing monitoring, with contracts serving as a primary enforcement tool. General Services Administration’s Rosa Underwood said agencies must embed supply chain risk management early in the acquisition process and treat every phase as due diligence.

“We have to get better at it post award,” Roberts echoed.