Extending Federal Cybersecurity to the Endpoint
October 9, 2018
While cybersecurity awareness in the federal government is improving, along with efforts to provide more secure architectures and managed security services for federal networks, these efforts are focused on systemic risks and vulnerabilities in core infrastructures. Few extend to the millions of endpoint devices connected to these systems, many of which have both limited security features and known vulnerabilities that can be exploited to steal data and serve as an entry point for more sophisticated attacks on the network.
The Center for Strategic and International Studies (CSIS) convened a group of experts from the federal government, key government agencies, and private industry to identify a path forward at a time when more secure technologies and services, such as cloud computing, often remain inaccessible due to dated federal system architectures, while the consumer space is flooded with new devices and potential threat vectors. The following report captures the major themes that emerged from the discussion.
- The proliferation of consumer devices in federal networks requires that the federal government move beyond its preferred command and control model for cybersecurity to a more flexible, user-centered architecture.
- The main challenge of improving endpoint procurement on federal networks is one of incentives, not tools. Contracting Officers are not currently incentivized to conduct risk assessments and trade-off analyses in device procurement or to weigh the security of devices against the need for cost-effective and rapid procurement.
- Agencies should utilize integrated product teams, including Chief Information Officers (CIO), Chief Information Security Officers (CISO), and Chief Privacy Officers (CPO), to fill gaps in technical expertise among contracting officers and provide more comprehensive evaluations of security risks and performance in device procurement.
- Agencies should work with vendors to establish demonstrable performance outcomes for devices and work with the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) on testing and evaluation.
- Instead of focusing on proprietary standards for government agencies, NIST should work with industry standards bodies to identify existing voluntary standards frameworks that meet the government’s security needs, and on establishing basic security standards for devices that can be adopted directly from the consumer market.
- Reforms must lead to a more holistic view of IT modernization as an iterative process that builds in feedback from industry. Such a framework should set clear expectations for vendors and introduce positive (and non-punitive) incentives that industry can use to better serve the government market.
- In addition to improved procurement practices, strong security at the network layer will be necessary to manage the variety of risks accompanying the growing number of devices that connect to government networks.
IT Modernization and Cybersecurity are Top Priorities for the Administration
Under Executive Order 13800 (EO 13800), the Trump administration has made IT modernization and real-time risk management a priority and is working to enhance accountability for agency CIOs and CISOs while maintaining the flexibility for Contracting Officers to take a risk-based approach to the particular needs of their agencies. Efforts to resource agencies to increase their capacity to improve in areas beyond boundary protection, anti-phishing, and anti-malware are ongoing. The president’s budget request for $15 billion for IT modernization across the agencies represents a 14 percent increase to help secure the .gov domain. Adequate resourcing will be a challenge, but efforts from this administration signal to agencies that they can and should be more ambitious with their efforts to drive improved security. The traditional procurement model has rewarded poor performers and the risk-averse, as outlined in the president’s latest IT Modernization Report,[1] and the administration wants to shift to a model that rewards top performers and removes agencies and executives that cannot perform out of the cybersecurity business.[2]
Balancing Flexibility and Accountability in Procurement
The key challenge of improving endpoint procurement on federal networks, the roundtable participants agreed, is one of incentives, not tools. Since the introduction of the Federal Information Security Management Act (FISMA) in the early 2000s, NIST and the Office of Management and Budget (OMB) have developed a range of tools for Contracting Officers, establishing security standards for devices connected to federal government networks, developing checklists and testing and evaluation guides for device security, and creating risk-based contracting vehicles. The problem is that these tools are not being utilized by Contracting Officers, who default to lowest-price-technically-acceptable (LPTA) contracts with vendors who self-certify that they meet NIST’s minimum standards for device security.
Contracting Officers should not be isolated when developing requirements and evaluating proposals from vendors for IT procurements. They are not currently incentivized to conduct risk assessments and trade-off analyses in device procurement or to weigh the security of devices against the need for cost-effective and rapid procurement. The offices within each agency that are responsible for ensuring appropriate levels of security within IT products and solutions, including the CIO, CISO, and CPOs, should be heavily engaged in the development of the requirements for IT purchases. Additionally, they should be involved in the evaluation of the proposals submitted by vendors so that they can participate in the evaluation of the products and solutions for which they are ultimately responsible. Finding ways to tie the success of Contracting Officers to the success of operators may help strengthen the overall security picture. Utilizing integrated product teams may help fill some of the gaps in expertise and lead to a more comprehensive evaluation of security risks and performance.
To this end, after the roundtable discussion, the federal government scored a big win in a recent decision from the U.S. Court of Federal Claims (COFC).[3] That case involved a Social Security Administration (SSA) procurement for printers. The SSA decided that it needed to ensure that the devices were secure, so it engaged in an evaluation of supply chain security. The SSA, using tools currently available to all federal agencies, evaluated the supply chain risk posed by one offeror as being too high. The COFC found that the SSA acted reasonably when it determined that the device manufacturer’s close ties to the Chinese government posed too high of a risk for the agency.
Policies and tools must also be put in place for agencies to hold their vendors accountable. Procurement officials have the necessary tools to evaluate the security profiles of vendors through guidance provided by NIST that expands on Federal Acquisition Rules (FAR) security standards.[4] These tools are available to component CIOs across federal agencies and departments, but they often fail to implement them and rely on vendor self-certification. One path forward is for agencies to work with vendors to establish demonstrable performance outcomes and work with DHS and NIST on testing and evaluation. Working with industry, the government can also establish a taxonomy for risk evaluation that harmonizes existing guidance from NIST, OMB, and Congress to assist with policy enforcement. Replicating the recall authority of the National Highway Transportation Security Administration could serve as an interesting model for holding manufacturers accountable for failing to meet minimum security standards.
In addition to tools in OMB, congressional leadership and legislative action can give agencies additional tools to improve their security posture. The Internet of Things (IoT) Cybersecurity Act of 2017, for example, seeks to codify minimum security standards for IoT devices, such as the elimination of hard-coded passwords and the ability for vendors to deploy remote patching.[5] Putting these basic standards in place would help level the playing field for vendors seeking to do business with the government without creating a burdensome compliance regime that may soon be outpaced by technology. By focusing on what devices can do, not just the devices themselves, this proposal aligns with proposals to move toward user-centered architectures. The bill aims to raise baseline security standards by giving agencies more flexibility in IoT adoption, but the definition of what constitutes an IoT device is hotly contested. Participants suggested that if the bill passes, the government should adopt a phased approach to enforcement rather than ruling out entire classes of devices.
Securing the Broader Ecosystem
On the other hand, the group stressed that the government should focus not just on providing standards and tools to federal Contracting Officers but also on securing the broader consumer technology ecosystem. Rapid changes in the consumer technology landscape have made it difficult for Contracting Officers to understand the cyber risks of the devices they are procuring. Endpoints are no longer just laptops and printers, but smartphones, tablets, wearables, and other customizable smart devices entering the consumer space. Agencies must think about where technology will be in the next five years and partner with industry to address this changing security environment. These efforts must be holistic; agencies must assess what data is being processed at the endpoint as well as in the cloud, work with industry to promote technologies and design standards that meet federal government needs, and implement broader frameworks for identity management and authentication.
The devices procured by federal agencies increasingly come from the consumer channel, and as federal employees bring connected devices to work and connect to government networks from personal devices, they bring the vulnerabilities of those devices with them. Instead of focusing on proprietary standards for government agencies, NIST should move toward working with industry standards bodies to identify existing voluntary standards frameworks that meet the government’s security needs and establish basic security standards for devices that can be adopted for the consumer market. If federal agencies are able to purchase secure devices from the consumer market directly—without needing to vet and modify them independently—it could reduce costs, improve the speed of acquisitions, and provide access to a wider array of vendors.
There are existing models that provide lessons that can be applied to the cybersecurity challenge. The Food and Drug Administration, for example, has a direct channel by which industry partners can feed information into the standards development process. Centers of Excellence are another model well suited to cybersecurity issues. In healthcare, we saw this model yield successful outcomes in addressing the proliferation of IoT devices in hospitals. Whether by creating standards bodies, or partnering with them, these models show that it is possible for the government to improve its overall security.
Making progress will require more than just action by NIST, however. It will demand broad agency participation to develop and maintain an effective strategy for securing IT devices. Moreover, leadership from the highest levels of government must be strong and consistent. Further, policies must consider not just how devices are built, but the environments that they will be operating in. For these collaborative models to succeed across all sectors, agencies cannot mandate that vendors just build new things for federal clients; agencies must make existing technologies secure and usable while understanding how other things compete with business interests.
The purchasing power of the federal government relative to commercial markets has diminished in recent decades, making flexibility and communication with the private sector essential as vendors come to view the commercial market as a larger potential growth area. The U.S. government risks lagging further behind in its technical capability as long as large vendors are not given a clear set of expectations. Similarly, opening the space for smaller companies and start-ups to provide novel technologies and solutions will be essential for the government to play catch-up and fill existing gaps. These reforms must lead to a more holistic view of IT modernization as an iterative process that builds in feedback from industry to reform existing government processes and looks beyond just the procurement of IT and physical systems. Such a framework should introduce positive (and non-punitive) incentives that industry can use to better serve the government market.
Procurement is a critical component of the larger challenge of rethinking federal government cybersecurity. At the federal level, security is traditionally viewed as a problem that is solved from headquarters looking outwards with the goal of securing a fixed network and perimeter. In today’s changing IT environment, that is no longer sufficient. The proliferation of consumer devices requires that the federal government move beyond its preferred command and control model for cybersecurity to a more flexible, user-centered architecture. Existing resources for agencies, such as the Continuous Diagnostics and Mitigation (CDM) and EINSTEIN programs at DHS, need to be updated so that agencies are working on understanding new threats and inputs into their networks.
Thinking of procurement in a vacuum also puts agencies at risk of becoming wedded to an outdated compliance-based model. Even with reforms, it does not matter how comprehensive a new procurement model is if it is not equally flexible. Designing tools and implementing processes tailored exclusively to the vulnerabilities of today is not the right approach. As one participant pointed out, no matter how strong security assessments and procurement practices are in advance, new critical vulnerabilities will inevitably be discovered over the life cycle of devices, and strong security at the network layer will be necessary to manage the variety of risks accompanying the growing number of devices that connect to government networks.
Government agencies should assess which classes of devices are “mission critical” and need to be connected to federal networks. Ruling out certain classes of devices and moving toward a zero-trust approach to authenticating devices can help component CIOs combat the challenge of limited network visibility. Ultimately, the goal should be to secure the larger federal enterprise and understand how data flows and is integrated across data centers and within networks. While there is a broad range of attack vectors, there are many potential policy enforcement points to make obtaining unauthorized access more difficult.
William A. Carter is a fellow and deputy director of the Technology Policy Program at the Center for Strategic and International Studies in Washington, D.C.
This report is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2018 by the Center for Strategic and International Studies. All rights reserved.
[1] The Director of the American Technology Council, Report to the President on Federal IT Modernization, 2017,
[2] The White House, “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” May 11, 2017, https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengtheningcybersecurity-
[3] Iron Bow Techs. LLC v. United States, Fed. Cir., No. 18-1703 (2018), https://ecf.cofc.uscourts.gov/cgibin/
[4] NIST guidance includes:
- NIST Special Publication SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” June 2015;
- NIST Special Publication SP 800-147, “Basic Input/Output System (BIOS) Protection Guidelines,” April 2011; and
- NIST Handbook 162, “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements,” November 2017.
Resiliency Guidelines,” which was released in early May 2018 to guide procurement strategies and priorities for future systems. NIST guidelines including SP 800-147 have been adopted as procurement criteria by government agencies including the DoD CIO, and by private sector organizations like Microsoft.
[5] S. 1691, 115th Cong., 1st sess. (2017), https://www.congress.gov/bill/115th-congress/senate-bill/1691/text.