MITRE paper recommends how US Congress can improve federal cybersecurity


MITRE has released a technical paper on how the U.S. Congress can act to improve federal cybersecurity practices and meet advanced threats posed by China, Russia, ransomware gangs, and other nation-state and criminal actors.

The eight recommendations in the paper are intended to give Congress options that would improve federal agency cybersecurity while making the oversight process more efficient and effective. They are also meant to improve the federal government’s ability to deploy and maintain secure systems that are ready for existing threats, and to increase the effectiveness and efficiency of oversight activities.

Congress has already taken many actions to support federal cybersecurity, the authors note in the paper. “However, cybersecurity is a rapidly evolving field and further action is needed to push federal cybersecurity forward. Congressional action can help ensure that the federal government is positioned to meet current and emerging threats and is managed according to current best practices,” they added.

Operating as a not-for-profit organization, MITRE works in the public interest across federal, state, and local governments, as well as industry and academia. It contributes expertise in areas including artificial intelligence, intuitive data science, quantum information science, health informatics, space security, policy and economic expertise, trustworthy autonomy, cyber threat sharing, and cyber resilience.

The paper advocated giving federal cybersecurity leadership more authority over the executive branch so that it can oversee cyber risk management at agencies and departments. Cybersecurity functions should be brought together into a more coordinated team structure, with the resources and staff needed to carry out their duties.

The National Cyber Director’s office and the federal CIO and CISO offices need to be strengthened so that they are more than policy and oversight organizations, MITRE added. They should have the capacity and authority to play an active role in helping agencies prioritize their cyber efforts and measure their progress, creating greater unity of effort across government.

Organizations can also work towards identifying and modernizing complex legacy IT systems to reduce costs and vulnerability, the paper mentioned. Congress and agencies should identify and modernize mission-critical legacy systems that most contribute to agencies’ maintenance costs and security vulnerabilities. Recent MITRE analysis shows that systems using many programming languages have disproportionately higher maintenance costs and security vulnerabilities.

The MITRE document also supported authorization and funding to create a new, integrated, threat-hunting-focused approach to cyber risk management. Existing cyber risk management techniques and tools have evolved over decades in a piecemeal fashion and have typically focused on managing vulnerabilities. Best practice in cybersecurity has since shifted toward a threat-hunting focus, yet legacy risk evaluations retain a heavy emphasis on vulnerability management.

It is time to take a comprehensive view that incorporates threat evaluation, along with human and physical risks, into an integrated cyber risk management framework, the paper added. Such a framework would identify a holistic set of data relevant to measuring and managing cyber risks to organizations, provide analytical approaches that make effective use of this information to understand and score risks, and enable effective discussions among stakeholders about risks and their mitigation.

Congress should support agency implementation of zero trust architecture (ZTA) principles by ensuring that agencies have the resources they need to implement their plans developed under Executive Order (EO) 14028, and by conducting oversight activities to monitor implementation efforts according to administration guidance, the paper advocated. To enable these actions, federal agencies should be tasked with reporting to Congress on their plans for and implementation of the concepts of trustless endpoints.

Many of CISA’s cyber defense systems were designed for an era when most agency systems were operated internally and most network traffic was unencrypted, MITRE said. “In the years since, agencies have conducted extensive migrations of systems to cloud service providers and are beginning to implement ZTA for their networks. CISA has recognized this change and is seeking to update its suite of programs providing security services to federal agencies,” it added.

MITRE also called for mandating supply chain risk management assessments throughout program lifecycles. The SECURE Technology Act, passed in 2018, established the interagency Federal Acquisition Security Council (FASC), which is chaired by the federal CISO. While the FASC has a broad mandate covering both cyber and supply chain policy, supply chain risk assessments have so far been rare, and when performed they are generally tied to the final steps before a high-value acquisition. This approach does not address the ubiquitous, continuously evolving nature of supply chain risk.

Continuous supply chain risk assessment and mitigation have become essential to reduce cybersecurity incidents. The FASC, working with both CISA and NIST, needs to transform supply chain risk assessments so they operate from early-stage requirements definition through the program lifecycle.

MITRE also advised that Congress should update its oversight of agency cybersecurity by using the Federal Information Technology Acquisition Reform Act (FITARA) as a model to replace existing unstructured agency reporting. The FITARA scorecard provides transparency into key measures of agency progress in improving IT management every six months by establishing clear milestones against which all agencies measure and report their progress. Existing cybersecurity reporting requirements result in lengthy narratives subjectively describing agency cybersecurity programs, but not in concise and repeatable measurements of progress on key objectives across agencies.

The paper also proposed that Congress should require that cybersecurity be included as a specific Cross-Agency Priority (CAP) in the President’s Management Agenda to ensure that cybersecurity is a key performance goal for the government each year. In implementing cybersecurity as a CAP, metrics should include measures comparable to how federal and business CISOs measure their organizations’ performance and how cyber insurers evaluate client risk. These metrics can also be adopted in IG and GAO reviews to help ensure consistency across management and audit processes and to streamline the data collection process for agencies.

Last month, MITRE set up the Cyber Infrastructure Protection Innovation Center and Clinical Insights Innovation Cell to strengthen its ability to better focus on cybersecurity threats to critical infrastructure, and on new approaches to public health challenges. The two entities will operate as a part of MITRE Labs.
