WASHINGTON, D.C. — This week, the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, led by Chairman Andrew Garbarino (R-NY), held a hearing to evaluate federal cybersecurity governance and efforts, specifically by the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the National Cyber Director (ONCD). Watch the full hearing here.
 
Witnesses for the hearing included Executive Assistant Director for the Cybersecurity Division at CISA, Eric Goldstein, and the Federal Chief Information Security Officer for the Office of Management and Budget and Deputy National Cyber Director for Federal Cybersecurity at ONCD, Chris DeRusha. Witnesses testified on the current cyber threat landscape, the state of federal cybersecurity partnerships, both within the agency and with the private-sector, and what more can be done to measure security outcomes and identify vulnerabilities in America’s federal cyber infrastructure.

Chairman Garbarino inquired as to the status of CISA’s current federal cybersecurity programs and how the agency measures success:

“How does CISA measure the success of its federal cyber programs, considering it spends almost one-third of its budget on strengthening FCEB networks?”

Mr. Goldstein answered:

“We were really excited, a few months ago, to issue our first ever Cyber Strategic Plan that for the first time actually had measures of effectiveness for security outcomes. And so we are really focused now on measuring very specific security outcomes. For example, the mean time to fix vulnerabilities, how many ‘known exploited vulnerabilities’ are actually present on federal networks, how quickly can we detect intrusions. We are focused on measuring security outcomes that we can show as a result of the investments that we’re making on some of these measures. … We’re making a lot of progress.”

Chairman Garbarino continued:

“Have the results been getting better?”

Mr. Goldstein:

“They have been. I will offer one example. For the ‘known exploited vulnerabilities’ that are visible from the internet across federal networks, we have seen a 79 percent reduction over the past year, based upon our attack service management efforts and driving agencies to adhere to [CISA’s binding operational directive 22-01]. We are seeing major progress in really key areas, but certainly more work to do.”

Subcommittee on Transportation and Maritime Security Chairman Carlos Gimenez (R-FL) asked Mr. Goldstein about the resiliency of America’s critical infrastructure: 
 
“Once a system is cracked and it’s tied to some vital infrastructure, how do we make sure that infrastructure, once we know that that system has been penetrated, that we can somehow decouple that infrastructure so that it continues to work?”
 
Mr. Goldstein replied:
 
“This is foundational to the principles of Zero Trust that my co-witness mentioned. The idea behind Zero Trust is even if an adversary breaks into a system, they shouldn’t be able to achieve an objective that harms the services upon which Americans depend. So, by making sure we understand where the most important data and systems are, that we harden those systems specifically…so they are resilient under all conditions. That is absolute what we are trying to achieve.”

Rep. Laurel Lee (R-FL) detailed the attack surface management program at CISA and asked about its status:
 
“As we’ve discussed today, Congress invested in an attack surface management program at CISA, so that CISA can provide federal and non-federal stakeholders visibility into those vulnerabilities. I’d like to hear an update from you about how that is working. We’re hearing things back, but we’d like to know more about how that’s working and where do you see it going from here. How can we continue to expand that work?”
 
Mr. Goldstein answered:
 
“As you noted, there are going to be really two game-changing advances as we fully deploy our attack service management capability. The first is getting better visibility into the assets across all of the entities whom we want to support, whether federal or non-federal and the second is to increase the number of organizations participating in our visibility programs by several multiples. At this point, over the past year, we’ve done a series of technology evaluations. We have obligated the resources that Congress so helpfully provided, and we are now at the point where we are rolling out this capability with the full rollout to be completed by the end of this calendar year. I will already say that the visibility that we gain from this capability has proven very valuable in many of the recent significant vulnerabilities that we’ve seen reported in the cybersecurity space. Already, our ability to understand prevalence and drive reduction has been absolutely critical. We think this is going to be a tremendous value, both for our federal partners and partners across the country.”

Rep. Mike Ezell (R-MS) asked about the effectiveness and challenges of Executive Order 14028: 
 
“In 2021, the Biden administration released an executive order to improve the nation’s cybersecurity. Since it has been two-and-a-half years since the executive order, I hope that agencies have made progress in implementing the requirements outlined. However, lately, there have been reports that a national security advisor sent a memo to agencies reinforcing the need to follow these requirements. Mr. DeRusha, which requirements of the executive order are agencies finding the hardest to follow, and why is that?”
 
Mr. DeRusha answered:
 
“As you highlight, Executive Order 14028 laid out a bunch of aggressive actions in removing barriers to information sharing [and] modernizing our cybersecurity practice. We talked about Zero Trust improving the software security supply chain. … At times, you could find that it’s a contractor operated system and it’s not in the contract that they have to have [multi-factor authentication], and it’s more expensive and they won’t implement it. You can find workforce and capacity constraints around it – modernization challenges, where the tech needs to be modernized before it can employ modern encryption and authentication. I think those are some of the areas that we’ve been really focused on but have shown where there are lots of gaps and challenges.”