Federal Cyber Leaders Call for Smarter Scaling, Shared Defenses
Officials urge agencies to align infrastructure investments, streamline ATOs and embrace proactive risk management.
Top cybersecurity and IT officials said that agencies need better scaling, smarter risk management and stronger interagency collaboration to modernize federal systems and secure the nation’s digital future.
“We’re having conversations with industry partners to define who takes which defensive posture,” Acting Federal CISO Michael Duffy said during the Billington Cybersecurity Summit in Washington, D.C., on Tuesday. “Sequencing matters — build a strong cloud infrastructure, layer in zero trust and plan for future modernization.”
Intelligence Community CIO and former Defense Intelligence Agency CIO Doug Cossa added that the most impactful investments are often the least visible. He said that behind every user-facing application is a complex network and security framework that needs constant maintenance and upgrading. He added that success hinges on aligning investments in enterprise licensing and common services to eliminate inefficiencies and improve operational agility.
“What users want is access to data securely,” Cossa said. “The biggest investments that pay off are in foundational infrastructure—network and platform layers. That’s what fails the most and needs the most maintenance.”
Duffy echoed Cossa’s concerns and emphasized the need for agility in federal cybersecurity processes.
“We know we need to move faster,” Duffy said. “It’s all about knowing your process so well that you can secure systems and data without slowing down.”
Government Accountability Office Managing Director Nick Marinos added that agencies need to focus on data-driven feedback loops to improve user experience and cybersecurity outcomes. Strategic oversight and continuous improvement, he said, are critical in building a resilient agency cybersecurity posture.
“Help desk tickets are the worst way to find out something’s wrong,” he said. “You need to get feedback before modernization efforts roll out.”
Security at Scale
Cossa advocated for enterprise licensing and services of common concern — shared capabilities like identity management and wide-area networks — to reduce duplication and improve efficiency across agencies.
“When we think about identity management, access control, cross domain, even shared desktop environments and wide area networks, we all have those needs in common,” Cossa said. “Rather than developing them uniquely within each agency … [which] leads to extreme inefficiencies.”
Developing Security Across Agencies
Cossa also highlighted the importance of DevOps standardization, minimum control sets for authorization and reciprocity of security evaluations to streamline the Authority to Operate (ATO) process in government. Automation, he said, can help efficiently reduce timelines.
“We’re looking to automate that evaluation as we look into over the next year, kind of like the emissions process for your car, right? You take it, we hook up a sensor,” Cossa said. “It should be the same on the IT side. What we have now is a confusing set of rules and procedures and priorities that need to be followed.”
Duffy pointed to the Federal CISO Council’s work on ATO optimization, including efforts to reduce the time it takes to authorize new technologies.
“Some folks quote 200-plus days to get an ATO through,” he said. “That’s unacceptable.”
Duffy said that the CISO Council is working on knowledge-sharing to buttress cybersecurity in national security and civilian agencies.
“We’re almost solving this problem in separate places,” Duffy said. “Why don’t we share some of these best practices so we as a federal government can address this in a cohesive way and then share reciprocity across so we brought all of these voices to the table at the federal CISO council to have that optimization discussion?”
Duffy said that agencies need to modernize responsibly and shift cybersecurity culture from a reactive, compliance-based approach to a proactive, risk-management model.
“The way that you sequence [modernization] is equally important,” Duffy said. “Building out a strong and secure cloud infrastructure, building zero trust into that. Then working down to make sure that you, for the cost effectiveness side of things, consider all aspects of what it might be able to modernize in future as well.”