Zero Trust Defines Software Supply Chain Security at CFPB, DOE
CFPB and DOE shift their attention to zero trust as they work to eliminate risks and build a higher level of protection around their software supply chains.
Zero trust has become a major focal point for software supply chain security efforts at the Consumer Financial Protection Bureau (CFPB) and the Department of Education since the SolarWinds and Log4j attacks.
Dr. Tiina Rodrigue, CISO with the Office of Technology and Innovation at CFPB, said cybersecurity is a team sport, which is critical from a zero trust and software supply chain management perspective.
“There’s no one team that’s responsible for software, we have software everywhere and the risk itself is dynamic,” Rodrigue said during ATARC’s How to Be Prepared Against Evolving Software Supply Chain Attacks webinar last week. “Security is not a destination, so we have to instill change in the heads, hearts and hands of those who are doing the work.”
Because stolen credentials and user identities are often an entry point for bad cyber actors, CFPB is focused on ensuring its own employees aren’t “the enemy.”
“We need to make sure those opportunities that we identify are prioritized and as we’re doing our sketching and prototyping that security is integrated whether we build it ourselves, get it from open source or if we buy it,” Rodrigue said.
Education Department CISO Steven Hernandez said many agencies are thinking about how to secure the application layer, or Layer 7, of the Open Systems Interconnection (OSI) model. Hernandez believes that once zero trust is being enforced, monitored and executed at Layer 7, agencies can stop worrying about Layer 6 and below.
“If we can get our development teams racked and stacked on zero trust a lot of what we’re doing below can be phased out even faster and really at the end we will be talking about applications and software, interfacing with people and services and all of the zero trust options getting brokered at that layer,” Hernandez said during the ATARC webinar.
Many software supply chain risks are maliciously embedded in components and are difficult to detect, so zero trust needs to become the mantra for federal agencies ramping up digital product development.
“We need to recognize that even in our updates and upgrades the security is still critical,” Rodrigue said. “Anywhere you have an input into your system, it doesn’t matter whether it’s a mobile mart or WiFi all of those have to be secured. It’s about zero trust. Always, always, always verify and reauthenticate.”
When looking at software supply chain security, some of CFPB’s best practices include making sure the contracting team is trained in cybersecurity and maintaining transparency throughout the entire software lifecycle.
“There should be early, open and honest communication with the software vendor; if they have a problem, that they don’t try to hide it is critical,” Rodrigue said. “It’s not when a problem happens anymore, it’s did the problem happen, and when it does, make sure you’re proactive not reactive so that everyone can take the right steps because in the end we just want to stay resilient and strong.”