Cybersecurity has become critically important to every organization across government and industry alike, especially as more and more systems, assets, data and infrastructure move to the cloud or undergo digital transformation.
But cybersecurity is not a fixed concept; instead, as the threat landscape evolves and shifts, so must our country’s cybersecurity approaches, principles and tools in order to protect our most valuable systems and information.
Currently within the U.S. federal government, agencies are shifting away from a compliance-based or “box-checking” cybersecurity model and toward a risk-based strategy.
According to Robert Costello, chief information officer for the Cybersecurity and Infrastructure Security Agency, the change has been challenging, due in part to the unpredictable pace of change in the public sector.
“Sometimes we can move very fast at certain things and slower at other things, and oftentimes we have competing priorities. We may be required by law or regulation to still do those compliance check-the-box things even if we’re trying to take a different approach,” he shared during GovCon Wire’s 2023 Information Security and Innovation Forum.
One essential element in how agencies determine risk and implement new information technology systems is an authorization to operate, better known as an ATO. An ATO is a formal approval to deploy an IT system within a federal agency, granted on the basis of the risk assessed at the time of authorization; the system is then cleared to operate for a set period, after which the authorization must be renewed.
Agencies are now moving toward a continuous ATO model, in which IT systems are monitored continuously; that monitoring informs risk-based decision making and turns authorization into a constant, ongoing process rather than a periodic event.
Costello has served as CISA CIO for nearly two years, but the agency itself has only existed for just over four years. During his early days in the role and in CISA’s nascence, Costello said a lot of his teams — whether federal or contract partners — didn’t have the right understanding of what ongoing authorization and continuous ATO really meant.
Beyond that, IT systems approved by the traditional ATO process were maintained with varying degrees of attention — according to Costello, some systems were continuously maintained, while others only received concentrated attention when their ATO was nearing its renewal.
From Costello’s perspective, the solution to faster continuous ATO deployment lies in the proper tools, training and culture.
“On my side, it was training. It was making sure that our contract partners had the right statements of work or our statements of objectives in their contracts to make sure they were working with us for the goals we had in mind. It was a changing of the mindset in how we’re going to take this risk-based approach to things,” Costello said.
Another challenge Costello has noticed is a lack of IT funding for agencies.
“Many CIOs in government are not particularly funded to do innovation or development of next-generation solutions. Often, we’re funded at the O&M level to kind of keep the lights on, and we find ways to do other things within our budgets.”
However, more robust communication with industry partners can alleviate some of these challenges simply by shedding more light on them.
Sometimes, Costello said, the solution is “just sitting down, having good open discussions with your customers, telling them what you need from them. And sometimes, that’s changing how they’re doing their design or how they’re funding things up on their side.”
Beyond these changes and challenges, Costello is focusing on achieving more internal alignment within CISA as the agency matures.
“One of my other key challenges here at CISA is we’re a relatively new agency… and we have typical growing pains of a new organization. We’re still kind of coalescing around some of our internal IT strategies, and that can be hard,” Costello explained. “So agency unification is one of our priorities.”