Military-Based Concepts, Education are Making Agencies Cyber-Safe
IT and security leaders at USDA, DOE and USPTO share recent efforts to bolster their cyber stature.
Several agencies are aiming to deliver IT and security at speed across their organizations by adopting strategies from the military and revamping cybersecurity training.
Department of Agriculture CISO Venice Goodwine and Department of Energy Principal Deputy CIO Emery Csulak said at an AFCEA virtual event Tuesday that they have started modeling their future IT strategies and faster authority to operate (ATO) processes on similar efforts from the U.S. Air Force and Navy.
USDA is undergoing two pilots for developing a software factory, much like what the Air Force has done in recent years. Goodwine started pursuing the idea after coming to the agency from the Air Force, where she worked with the service’s Deputy CIO Lauren Knausenberger in figuring out the security processes that go into developing a software factory.
The software factory will lead to a pipeline for continuous integration and continuous delivery (CI/CD) maintained by DevSecOps practices to create internally developed, rapidly deployed secure solutions across USDA’s environment, Goodwine said. Meanwhile, Goodwine is working across her customer base to figure out how to seamlessly integrate her work into the agency’s mission areas.
“Security at speed is really about understanding the needs and the requirements of our agencies and mission areas when it comes to helping them provide the type of services or products that they actually need for their users,” Goodwine said.
The software factory pilots are underway, and while Goodwine couldn’t detail what the pilots are doing at the moment, she shared that they will be ready to stand up in the next few months.
DOE is also borrowing thought leadership from the Navy in its efforts to develop a rapid ATO process. Csulak said that last year the agency launched an enhanced education effort to help authorizing officials make better informed decisions in the ATO process, especially given the nature of its distributed environment.
“We looked at our ATO process and recently started piloting our new rapid authorization to operate process … somewhat based on ideas and stuff that we saw at the Navy,” Csulak said.
This new ATO process takes a three-pronged approach. First, DOE assesses whether certain technologies and their ATOs are still relevant. If they aren’t, DOE looks to replace legacy technology with solutions that have more efficient means of authorizing them. Second, DOE is still educating authorizing officials to incorporate new approaches to their work.
“We deployed an enterprise contract for crowdsource penetration testing last year,” Csulak said. “We’ve incorporated that and made it available to anybody at any time that they want to deploy it, and they can use that for better informing their operational risk, rather than their paperwork risk and being able to challenge it. … It’s also bringing in new investments, new technologies.”
Last, DOE is deploying a big data platform with cyber sensor data across the enterprise, both at the perimeter and internally, so that the department can do more advanced work and partner with its labs working on artificial intelligence, software, improved cyber defenses and more.
The education piece Csulak described is also a recent effort the U.S. Patent and Trademark Office is pursuing. USPTO CIO Jamie Holcombe said he has revamped cybersecurity training across his agency to create a culture change in personnel approaches to cybersecurity threats amid recent cybersecurity breaches in the government.
“Being paranoid is being strong,” Holcombe said of his approach to security. “If you have that attitude, it’ll be a question of when they breach you, not if they breach you. And so having that attitude also prepares you to have the contingency plans, so one of the things we did, especially with all the recent break-ins and so forth, is retraining the force.”
USPTO’s cybersecurity training has usually been PowerPoint-based. Now the agency has created security training videos that users interact with, performing roleplaying exercises to avoid phishing attacks, social engineering and other human errors that lead to cybersecurity breaches. For users who don’t perform well in the training, USPTO is providing remedial training to ensure cyber-secure practices across the agency.
“We really take it upon ourselves to be active and get out there and make sure people understand being cyber safe,” Holcombe added.