Zero Trust Defines Software Supply Chain Security at CFPB, DOE
CFPB and DOE shift their attention to zero trust as they work to eliminate risks and build a higher level of protection around their software supply chains.
Zero trust has become a major focal point for software supply chain security efforts at the Consumer Financial Protection Bureau (CFPB) and the Department of Education since the SolarWinds and Log4j attacks.
Dr. Tiina Rodrigue, CISO with the Office of Technology and Innovation at CFPB, said cybersecurity is a team sport, which is critical from a zero trust and software supply chain management perspective.
“There’s no one team that’s responsible for software, we have software everywhere and the risk itself is dynamic,” Rodrigue said during ATARC’s How to Be Prepared Against Evolving Software Supply Chain Attacks webinar last week. “Security is not a destination, so we have to instill change in the heads, hearts and hands of those who are doing the work.”
Because stolen credentials and user identities are often an entry point for bad cyber actors, CFPB is focused on ensuring its own employees aren’t “the enemy.”
“We need to make sure those opportunities that we identify are prioritized and as we’re doing our sketching and prototyping that security is integrated whether we build it ourselves, get it from open source or if we buy it,” Rodrigue said.
Education Department CISO Steven Hernandez said many agencies are thinking about how to secure the application layer, or Layer 7, of the Open Systems Interconnection (OSI) Model. Hernandez believes that once zero trust is being enforced, monitored and executed at Layer 7, you can stop caring about Layer 6 and down.
“If we can get our development teams racked and stacked on zero trust a lot of what we’re doing below can be phased out even faster and really at the end we will be talking about applications and software, interfacing with people and services and all of the zero trust options getting brokered at that layer,” Hernandez said during the ATARC webinar.
Many software supply chain risks have been maliciously embedded and can’t be detected, so zero trust needs to become the mantra for federal agencies ramping up digital product development.
“We need to recognize that even in our updates and upgrades the security is still critical,” Rodrigue said. “Anywhere you have an input into your system, it doesn’t matter whether it’s a mobile mart or WiFi all of those have to be secured. It’s about zero trust. Always, always, always verify and reauthenticate.”
When looking at software supply chain security, some of CFPB’s best practices include making sure the contracting team is trained in cybersecurity and maintaining transparency throughout the entire software lifecycle.
“There should be early, open and honest communication with the software vendor, if they have a problem, that they don’t try to hide it, is critical,” Rodrigue said. “It’s not when a problem happens anymore, it’s did the problem happen, and when it does, make sure you’re proactive not reactive so that everyone can take the right steps because in the end we just want to stay resilient and strong.”