The release of President Biden’s Executive Order on Improving the Nation’s Cybersecurity signaled the importance of cybersecurity as a critical national security priority. And for good reason. Over the last year, the SolarWinds breach, the Colonial Pipeline ransomware event that led to panic-induced gas shortages on the east coast, and a constant cadence of retailer data breaches have kept cybersecurity issues top of mind for American consumers. But the reality is cybersecurity requires constant attention and evolution, and while this Executive Order is a major step in the right direction, the onus is on companies like GDIT to help put technologies and practices into place that keep our clients’ information, infrastructures, and missions secure.
As we kick off Cybersecurity Awareness Month, we sat down with two leaders within the GDIT Cybersecurity practice – Mike Baker, Chief Information Security Officer, and Dr. Matthew McFadden, Vice President, Cyber and Distinguished Cyber Technologist – to get their thoughts on the Executive Order, the latest news on cyber funding, and recent guidance on zero trust from the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA).
What does the Executive Order mean for government contractors?
Mike Baker: The Cyber EO sets the right tone for federal civilian agencies and those who serve them that sound cyber hygiene and practices are and will be a top priority for our nation moving forward. One of the unifying themes across the order is the standardization of cyber practices across agencies – this includes migration to secure cloud solutions, zero trust adoption, multi-factor authentication use, cyber threat intelligence sharing, endpoint security, logging, and incident response. It is up to government contractors to not only support agencies with this mission but to meet or exceed the requirements within the EO. There is a clear sense of direction and urgency that raises the bar across our entire industry and supplier ecosystem.
Matt McFadden: Government contractors like GDIT must make it easier to effectively implement consistent and mature cybersecurity practices that increase resiliency, as well as leverage advanced capabilities that further protect our federal customers. The EO recognizes the importance of relationships between the public and private sectors to increase collaboration so we can align cybersecurity investments with risks to minimize incidents.
What does it mean for GDIT?
Baker: This EO will be a driving force behind many initiatives for years to come at GDIT as we continue to lean in on the tenets it outlines. Based on our diverse federal customer set, GDIT has been executing many of the processes outlined in the order for some time now. Key among those is our commitment to cyber threat intelligence sharing and reporting. We’ve had a multi-year journey to operationalize and apply cyber threat intelligence, automation, and incident response across our networks. We have significant experience both internally and across our customer base in secure migration to cloud services, zero trust, incident response, and endpoint protection.
This order does come with some challenges – namely the specifics around software supply chain security and its effects on our key software partners. These requirements will change the way we provide solutions to the federal government and the manner in which GDIT and our partners are required to demonstrate secure development practices, source code testing, and delivery of a Software Bill of Materials (SBOM). In addition, the mandate for standard cybersecurity requirements across the entire government will require us to be agile, as we are in our ongoing response to the DoD’s Cybersecurity Maturity Model Certification (CMMC) program.
“The EO will help us drive successful cyber transformation, backed by executive direction, common standards, and budgets.”
As a Federal Systems Integrator, we have significant insight and experience in cybersecurity modernization across federal networks. We have the unique ability to share those lessons learned and best practices, so we can drive efficiencies and effectiveness as we work with each customer. While the EO is new, GDIT has been at the forefront of many of these critical efforts – like zero trust, secure software supply chain, DevSecOps, and endpoint detection and response (EDR) – in our support of our government customers over the last several years.
What actions are we taking as a result?
Baker: We continue to evaluate the impact and opportunities this order will have on GDIT. We’re accelerating our zero trust journey, while recognizing that zero trust is an evolution rather than a destination.
Using the tenets of zero trust along with our risk management principles to define our capability roadmap over the short, medium, and long term will provide great benefits for our continued defense. We are also laser focused on evolving our Supply Chain Risk Management (SCRM) practices to address risk by actively engaging our supplier ecosystem to discuss the requirements early and often, including GDIT’s expectations around compliance. This includes building secure software development frameworks, secure coding, and a software bill of materials (SBOM) before regulatory action is implemented. All these elements will be critical moving forward in servicing both our company and customers.
McFadden: GDIT continues to expand our capabilities and solutions, focused on modernizing and implementing stronger cybersecurity standards/capabilities. For example, we are using Secure Cloud Services with Cloud-Native cybersecurity capabilities as we bring robust solutions – in conjunction with our best-of-breed partners – to help agencies adopt zero trust architecture across each pillar – Identity, Device, Network, Application/Workload, and Data.
We’re taking this even further by increasing the adoption of AI/ML to detect threats and increase automation through the adoption of Security Orchestration, Automation, and Response (SOAR). This allows us to create standard automated playbooks that improve detection and response so our customers’ cyber workforce can focus on prioritized events. By adopting zero trust strategies, agencies can increase resiliency to prevent many threats before they happen.
How will the Executive Order impact Supply Chain Risk Management (SCRM) work?
Baker: It will have a large impact in the software procurement realm. GDIT is already implementing lessons learned across industry around the SolarWinds event in late 2020. The EO assists these efforts as it creates a mandate across government and the software supplier ecosystem. It will also lead to a Federal Acquisition Regulation (FAR) update sometime in 2022 that all companies will need to prepare for well in advance.
GDIT does a great job performing cyber risk assessments on all purchases along with assessing cyber hygiene risk across key suppliers and subcontractors on a continuous basis. Our focus moving through the rest of this year is on working with our partners to determine how we can deliver key attributes of a Software Bill of Materials (SBOM) in accordance with the EO. That along with continuing to focus on improved illumination and provenance across our supply chain to deeper tiers will bring us even more assurance around the software and hardware products we leverage internally and/or purchase on behalf of our customers.
McFadden: The EO will require us to have more stringent cybersecurity partnerships that meet increased assurance levels. We are also implementing processes to increase supply chain analysis. For example, we are embracing DevSecOps and validating software continuously before it goes into production, using static and dynamic code analysis, as well as implementing more robust threat detection and continuous compliance.
What does it mean for things like zero trust architectures?
Baker: This order is the exclamation point that makes zero trust architecture the cyber strategy that will carry us into the future, guiding the capabilities, processes, and investments across the entire government. OMB and CISA recently published draft guidance documents that provide roadmaps for agencies to transition to zero trust models over the next three years, as well as securely migrate to cloud services.
For a lot of agencies, the biggest question is “where do we begin?” And the models from OMB and CISA give agencies a really good starting point as they start to think about how to evolve their environments to a zero trust model. These guidelines help set immediate priorities to make positive and substantial change, one step at a time, along a zero trust journey.
“At GDIT, we’re applying these principles to our own network to determine where we can make improvements in the short, medium, and long term.”
We are focused on applying zero trust concepts across users, data, and workloads, as we stand up the needed governance to manage the architecture moving forward. While this will inform our cyber investments in the coming years, we are also in the process of updating our policies and core control requirements across our networks to fully embrace our immediate zero trust objectives.
McFadden: As Mike said, the EO – along with the guidance from OMB and CISA – provides solid support to agencies as they begin their journeys. And it was also great to see that the government is backing up this critical priority with funding – the Technology Modernization Fund (TMF) Board just announced seven new awards totaling $311 million to fund agency investments in zero trust networking and digital identity, secure data and information sharing, and improved interagency collaboration. We are working hard to embrace the Cyber EO and assist agencies with alignment with the goals of the Federal Zero Trust strategy.
As agencies move forward, they must apply a holistic perspective to zero trust; it’s not just about a single pillar implementation, for instance, network segmentation. Zero trust is a strategy requiring extensive stakeholder participation and business governance for implementation. GDIT has been working with numerous agencies to assist them with their transformation roadmaps to adopt a zero trust architecture. We work with our customers every step of the way, helping them define their protect surface, map transaction flows, identify the highest value implementation assets, and apply the right set of technologies to enable holistic adoption of zero trust.
What about data security and privacy?
Baker: The necessary evolution of data security is well documented in the EO, which requires data categorization for sensitive but unclassified data across all federal government agencies. This reflects some of the progress made over the last few years with the Controlled Unclassified Information (CUI) program that drives our Department of Defense (DOD) CMMC compliance framework. An expansion of the application of this program will also drive needed requirements – namely encryption in transit and at rest for this data, along with mandatory multi-factor authentication.
At GDIT, we have taken a “data first” approach for some time, and we continue to invest heavily in programs to support the continued protection of GDIT and customer data across on-premises and cloud platforms. In doing so, we can categorize all data on our network, apply controls where required, and ultimately extend data protection outside our boundary using digital rights management.
McFadden: Zero trust will help transform and enable data security as you must determine what data you have, where it resides, and where it flows to protect it. GDIT supports our customers in this area by increasing use of cloud services to accelerate zero trust by using secure infrastructure with zero trust capabilities built-in.
What should customers know about the Executive Order?
Baker: Customers should know that the timelines outlined in the EO are extremely ambitious and they should start preparing now. The requirements represent a monumental shift across how government networks are secured, software is procured, and cyber teams operate and collaborate with partners. GDIT has significant experience in many of these areas, and we can share our methods and common pitfalls we have encountered. My advice is to take action now and lean in with companies like GDIT to collaborate and drive to the much-needed outcomes required by the order.
McFadden: GDIT has significant experience working through every aspect of the EO and we increasingly share our experience, knowledge, and lessons learned through our Cyber Center of Excellence to help our customers and partners overcome many common challenges.
We have more than 3,000 cybersecurity professionals, we support cybersecurity across most federal agencies, and we have more than 30 unique cyber alliances, enabling us to apply the most innovative capabilities and offerings to our customers’ biggest challenges – including transforming and enhancing their cybersecurity programs to meet the EO requirements.
Is there anything else you want to add?
Baker: There is more to this order that we didn’t touch on today, such as the formation of a Cyber Safety Review Board and a more detailed dive into potential FAR changes that could affect contracts moving forward. We have yet to see how these mandates could materialize and become operational, but one thing is clear. Sound cyber hygiene and security by design within the software we consume is rightfully a top priority across federal government to protect our nation’s most sensitive data. GDIT looks forward to embracing the changes in our own enterprise, along with helping our customers in the achievement of this critical mission.
McFadden: Meeting the EO requirements is a journey, and no journey is completed instantaneously. It requires hard work, prioritizing resources, establishing baselines, and making incremental improvements over time. Through GDIT’s knowledge, collaboration with various agencies/partners, and implementation of modernized cyber technologies, we know we can help agencies get there faster.