
Securing Federal Networks: Evolving to an Enterprise Approach


Jeff Greene, Executive Assistant Director for Cybersecurity


In December 2020, organizations across the world were notified that they were victims of a Russian cyberattack. The Russians had compromised the widely used SolarWinds Orion software platform and infected thousands of clients with a corrupted update. A number of federal civilian executive branch (FCEB) agencies were among the victims. 

After-action reviews of the incident revealed that the hackers had access to victim networks for months before they were detected, and that some of the agencies had seen activity that later proved to be early signs of compromise. Unfortunately, at that time, the U.S. government did not have sufficient visibility or data to correlate seemingly disparate events that had been transpiring across parts of the FCEB for months. Given the nature of the incident—its scope, scale, and the types of networks impacted—things had to change. So, in May of 2021, President Biden signed Executive Order 14028, directing federal agencies to take dramatic steps to improve their cybersecurity postures. It also empowered CISA, as the operational lead for federal cybersecurity, to drive a much-needed, transformative effort.

Enhancing Visibility

Over the past four years, the federal government has significantly expanded its cybersecurity capabilities, and CISA now has greater visibility into and across FCEB agency networks. This includes the deployment of over 920,000 Endpoint Detection and Response (EDR) agents across 51 agencies, enabling analysts to hunt actively for intrusions and evict adversaries before they are able to cause harm. Further, through CISA’s EDR Persistent Access Capability (PAC), we can conduct no-notice, proactive hunts with zero operational impacts to FCEB networks. Put simply, we are now operating as a ‘whole of government’ threat hunting organization. 

Through this effort, we can also access both public and classified indicators of compromise (IOCs), which has allowed us to provide better and more proactive threat notifications to federal agencies. Ultimately, the EDR advancements allow CISA and FCEB agencies to move from a fragmented approach to an enterprise strategy, enabling us to rapidly determine risk across the federal enterprise and thus reduce the impact and dwell time of malicious activity. 

These efforts are further enhanced by advances in our Continuous Diagnostics and Mitigation (CDM) program. CDM enables unprecedented levels of visibility into FCEB networks, including the types of hardware and software that are running on different networks. The system now collects and centralizes information from the FCEB networks, feeding data into the CDM dashboard, which allows individual FCEB agencies and CISA to share a common operating picture. 

To further assist FCEB agencies, we established the Known Exploited Vulnerabilities (KEV) catalog, which helps organizations prioritize how they manage vulnerabilities based on those being actively exploited by threat actors. Since FY21, FCEB agencies have remediated an incredible 99% of internet-facing KEVs identified by CISA.
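One way to put the KEV catalog to work against an asset inventory, shown here as an added example rather than CISA's own code or tooling: it assumes the KEV JSON feed's published field names, and the CVE ids, assets, and dates below are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (same field names as the
# real feed); the CVE ids are placeholders, not real catalog entries.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "dateAdded": "2024-11-01", "dueDate": "2024-11-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Agent",
     "dateAdded": "2024-12-10", "dueDate": "2024-12-31", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: one row per finding, the kind of data a
# CDM-style dashboard would hold for each agency.
INVENTORY = [
    {"asset": "vpn-01", "cve": "CVE-0000-0001", "internet_facing": True,  "remediated": False},
    {"asset": "ws-17",  "cve": "CVE-0000-0002", "internet_facing": False, "remediated": False},
    {"asset": "web-03", "cve": "CVE-0000-0002", "internet_facing": True,  "remediated": True},
    {"asset": "db-02",  "cve": "CVE-9999-0003", "internet_facing": True,  "remediated": False},  # not in KEV
]

def load_kev(feed_json):
    """Index the KEV feed by CVE id so each inventory row is a single lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(inventory, kev, today):
    """Return unremediated findings that are in the KEV catalog, most urgent first.
    Order: internet-facing before internal, overdue before not-yet-due,
    known ransomware use before unknown, then earliest KEV due date."""
    open_kev = [f for f in inventory if not f["remediated"] and f["cve"] in kev]
    def key(f):
        entry = kev[f["cve"]]
        due = date.fromisoformat(entry["dueDate"])
        # False sorts before True, so each flag is written as "not urgent".
        return (not f["internet_facing"], due >= today,
                entry["knownRansomwareCampaignUse"] != "Known", due)
    return sorted(open_kev, key=key)

def kev_remediation_rate(inventory, kev, internet_facing_only=True):
    """Share of KEV findings already remediated (the kind of metric cited above)."""
    findings = [f for f in inventory if f["cve"] in kev
                and (f["internet_facing"] or not internet_facing_only)]
    if not findings:
        return None
    return sum(f["remediated"] for f in findings) / len(findings)
```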

Finally, we manage a Vulnerability Disclosure Policy (VDP) Platform that helps agencies streamline day-to-day operations when disclosing and managing cyber vulnerabilities by serving as the primary point of entry for receiving, triaging, and routing vulnerabilities disclosed by public researchers. In FY24 alone, CISA received over 4,000 unique researcher submissions. 

Hardening Systems & Providing Guidance 

Beyond enhanced visibility, CISA also works with FCEB agencies to enhance their security efforts. Our Protective DNS Service, for instance, prevents government internet traffic from reaching known malicious destinations by using state-of-the-art DNS technologies in combination with CISA’s proprietary and commercial threat intelligence. Since the program started in 2021, Protective DNS has blocked more than 1.86 billion malicious connections.

Additionally, at the beginning of FY24, we launched an all-new infrastructure for the .gov top-level domain. The goal was to both improve the security for those using that domain and encourage more entities to start using it. As of December 2024, there are over 10,000 non-federal .gov domains and 1,474 federal .gov domains. 

We also continue to use our operational directives to focus FCEB agencies on addressing the most serious security gaps. As the most recent example, we issued Binding Operational Directive 25-01 in December, requiring FCEB agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to meet CISA’s Secure Cloud Business Applications (SCuBA) configuration baselines.  

Finally, we continue to assist FCEB agencies as they migrate to Zero Trust (ZT) architecture. Recent attacks against mobile broadband providers’ infrastructure are a reminder that all aspects of mobile infrastructure are susceptible to malicious activity; indeed, none can be assumed to be inherently trustworthy. We established the Zero Trust Initiative (ZTI) to help agencies prioritize the programs, tools, and capabilities they should consider during their ZT journeys. 

Looking Ahead

In September 2024, we released the FCEB Operational Cybersecurity Alignment (FOCAL) Plan. Developed in collaboration with FCEB agencies, the plan provides guidance on standard, essential components of enterprise operational cybersecurity and outlines how we can align collective operational defense capabilities across the federal enterprise. 

FCEB security will always be a work in progress – because our adversaries are always changing their tactics. The FOCAL plan demonstrates some targeted areas of improvement where we, as a federal government, can expand and enhance our security in the coming years. While we can expect that sophisticated adversaries will continue to evolve their techniques in attempts to evade detection and inflict more harm, our FCEB partners are now better positioned to take on these challenges. CISA stands ready to continue providing critical support to protect the critical infrastructure of the dot.gov.