Increasing Infrastructure and Supply Chain Security at FBI, USCIS, Air Force
Cybersecurity leaders across government point to penetration testing as a solution to identifying many IT vulnerabilities.

Perspectives from federal agencies that secure some of America’s most high-value assets revealed that although agencies may agree on methods or best practices for dealing with cybersecurity threats, their approaches are not all that similar.
The U.S. Citizenship and Immigration Services’ latest modernization effort is bringing software supply chain attacks to the forefront of cybersecurity threats. Software supply chain attacks are an area of concern for the agency, said Adrian Monza, USCIS Cyber Defense Branch chief, as it incorporates open-source technologies and transitions to a digital immigration processing system called “eProcessing.” Monza spoke with other panelists at the GovernmentCIO State of Cyber CXO Tech Forum July 18.
“One of the challenge points, just looking at what’s going on in the larger ecosystem, is the susceptibility of software supply chain attacks,” he said during the panel. “We’ve seen these things occur in a number of different areas, typically more focused on financial type crimes, but I think it’s only a matter of time before someone gets the bright idea and says, ‘hey, you know, this is a great way into government systems as well.’”
According to Monza, in order to better understand your software supply chain it is important to ask, “What modules are our developers using [and] what are those dependencies?”
Senior IT Security Adviser for the Federal Bureau of Investigation Manuel Castillo shifted the conversation on supply chain to include not only hardware and software, but also the services purchased from third-party vendors.
“The way that when the FBI looks at it, you have to manage it,” he said. “It’s a risk.” The FBI has to determine what its risk appetite is, he added.
The U.S. Air Force has its own model with a certified infrastructure and certified process to strengthen security. CISO Wanda Jones-Heath discussed the branch’s Kessel Run project, which uses penetration testing and other innovative tools. It hardens the Air Force infrastructure by means of a “direct process to ensure that you are developing, testing, developing, testing all at the same time,” she said.
The model has been successful so far in “producing a lot of good outputs” and will be implemented in other services, including the Army and Navy. It is also continuously improving, as the Air Force discovered some gaps and vulnerabilities in the model and is in the process of closing them.
Jones-Heath explained much of the Air Force’s success with penetration testing. She referenced Air Force CIO Bill Marion, who found that “the paperwork, when you go through the traditional process of risk management, it’s just not catching all of the vulnerabilities that [they] know are out there.”
Penetration testing has been able to find the bugs and vulnerabilities that slip through the “paperwork-checking” cracks. The Air Force has found offering bug bounties, as part of its Hack the Air Force program, to be particularly helpful.
Monza echoed Jones-Heath regarding penetration testing. “I will tell you that the results that we’ve seen from that have been just illuminating,” he said. “Things that in the paperwork it says … we fixed that, well, maybe we mostly fixed that.”
Penetration testing has given USCIS a better understanding of what it should be focusing on and where the control areas are that have weaknesses, Monza added. His team of penetration testers, or “semi-tame hackers” as he refers to them, has been extremely creative in its methods. The testers have highlighted new ways of getting into a system that the Cyber Defense Branch had never seen before.
Their skills have also been put to the test and utilized in the “internet of things” space as new equipment has been acquired. “A couple of times, we’ve actually identified serious vulnerabilities for the manufacturer, which we then worked with the manufacturer to responsibly disclose to them and retested, and they were resolved,” he said.
Castillo felt that the testing practice is somewhat overhyped and that it is only effective if the vulnerabilities it identifies are subsequently mended.
“One of the issues that I have seen in over 20 years, it’s if you don’t know what you have,” he said. “If you don’t know what you have in the machines, and you’re not patching and fixing [the] vulnerabilities, you’re really not doing a favor to your organization.”
The panel concluded with a brief discussion of risk management. Monza addressed the inherent risk associated with the use of legacy systems.
“Just by moving to a more modern code base, by moving to modern development practices, that inherently is going to help us buy down a lot of risk,” he said. “It’s important to also look at what’s the risk of what you have, not just what’s the risk of what you’re moving to.”
At USCIS, the belief is that a job is not completed until the old system is unplugged.
This is a carousel with manually rotating slides. Use Next and Previous buttons to navigate or jump to a slide with the slide dots
-
Modernizing Critical Infrastructure in the Face of Global Threats
Officials are expanding the latest strategies in boosting defense infrastructure, including securing satellite communications, upgrading enterprise-wide technology, optimizing data management.
20m watch -
DOD Accelerates Software Modernization with Agile DevSecOps Push
The Pentagon's software implementation plan tackles cultural hurdles and integrates security early to deliver critical capabilities faster.
6m read -
VA's Platform One Powers Rapid Innovation to Bolster Digital Services
VA's Platform One accelerates software development timelines from weeks to hours, ultimately enhancing digital services for veterans.
5m read -
The Next AI Wave Requires Stronger Cyber Defenses, Data Management
IT officials warn of new vulnerabilities posed by AI as agencies continue to leverage the tech to boost operational efficiency.
5m read -
Federal CIOs Push for ROI-Focused Modernization to Advance Mission Goals
CIOs focus on return on investment, data governance and application modernization to drive mission outcomes as agencies adopt new tech tools.
4m read -
DOD Can No Longer Assume Superiority in Digital Warfare, Officials Warn
The DOD must make concerted efforts to address cyber vulnerabilities to maintain the tactical edge, military leaders said at HammerCon 2025.
4m read -
Tracking CIOs in Trump's Second Term
Stay informed on the latest shifts in federal technology leadership as new CIOs are appointed and President Trump's second term takes shape.
6m read -
Inside Oak Ridge National Lab’s Pioneer Approach to AI
Energy Department’s Oak Ridge National Lab transforms AI vulnerabilities into strategic opportunities for national defense.
22m listen -
AWS Summit: Innovation Accelerates IT Delivery at DOD
Marine Corps Community Services is tackling outdated IT processes with agile development and cutting-edge cloud security to deliver mission-critical capabilities faster.
12m watch -
AWS Summit: NIST Secures High-Performance Computing Against Evolving Threats
NIST’s Yang Guo reveals the broad attack surface of high-performance computing and explains developing guidance and future-proofing security strategies.
9m watch -
Trump Overhauls Federal Cybersecurity with New Executive Order
The new directive aims to strengthen digital defenses while rolling back "burdensome" software requirements and refocusing AI security.
3m read -
AWS Summit: Forging Successful Cloud Modernization Partnerships
Industry leaders share insights on the critical role industry partnerships have in enabling government agencies to navigate procurement challenges for cloud and zero trust solutions.
24m watch Partner Content