‘Zero trust’ architecture and secure supply chains to the fore in new strategy
The US Department of Justice (DoJ) has set out a three-year strategic plan to bolster its cybersecurity posture among other priorities for improving its IT skills, systems, and processes.
Other overarching objectives set out in the Information Technology Strategic Plan for Fiscal Years 2022-2024 center on enhancing service delivery, embracing innovation, expanding the workforce, and increasing financial transparency.
The DoJ says the strategy was made in response to increasingly sophisticated cyber threats posed by foreign intelligence services, criminal groups, hacktivists, and insider threats.
Other cited influences were changing user expectations, growing technology complexity, a need to optimize resources, and the pandemic-fuelled demand for distributed workforce operating models.
Securing the supply chain
The cybersecurity strategy is made up from four strands, including proactively managing IT supply chain risk throughout the IT lifecycle via two key initiatives.
The first initiative, said the agency, involves developing “a thorough, comprehensive, and continuous understanding of its vendors and the software and hardware being used across the Department” – in particular for the “most mission-critical supply chains”.
This will help the DoJ “comply with the federal government-wide initiative to require a Software Bill of Materials (SBOM)”, which provides visibility of components used in software and the vulnerabilities lurking therein.
Armed with an SBOM, the agency can then “develop an enterprise-wide view to monitor IT supply chain risk” by “leveraging existing tools like SPDR [Security Posture Dashboard] and creating new ones, where needed”.
Existing processes for IT Investment and Acquisition Review (ITAR), meanwhile, will be modified “to ensure we can identify IT procurements with elevated supply chain risk early in the acquisition process”.
Don’t trust, verify
The DoJ will also reinforce its ‘cybersecurity foundation’ by enhancing asset inventory management, modernizing monitoring and management of internet traffic, and focusing “more heavily on the continuous assessment of public-facing applications and systems for exploitable vulnerabilities”.
A third pillar of the strategy focuses on adopting zero trust principles and tools to combat access-based threats.
Doing so “removes the concept of implicit trust and instead requires a contextual approach that includes the application, user, and device to allow for access decisions to adjust based on the context of the user”, explained the DoJ.
Among other things, the agency plans to reduce more than 20 current ‘identity providers’ (IdPs) to a single provider in order to promote consistent security standards and reduce the administrative burden.
The final infosec pillar focuses on enhancing cloud security to support the DoJ’s growing adoption of cloud-based technolgies. This will involve centralizing and streamlining cloud monitoring to drive analytics for identifying and managing cybersecurity risks and implementing an SPDR.
The DoJ says its IT vision has been aligned to priorities set out in the President Biden’s Management Agenda and cybersecurity-oriented Executive Order signed last year, as well as its own Comprehensive Cyber Review.
“Cyber-attacks are constantly challenging DoJ and other agencies,” says Melinda Rogers, the DoJ’s chief information officer and deputy assistant attorney general.
“Therefore, we will continue to diligently protect the agency’s critical data through increased cyber resilience and risk reduction while optimizing data utilization to create consumable and intelligent products.”
The DoJ’s strategy comes as fellow US government agencies the FBI and Cybersecurity and Infrastructure Security Agency (CISA) have warned that “publicly known” but often unpatched vulnerabilities – as opposed to previously unknown (zero-day) flaws – are increasingly prioritized targets for Chinese threat actors.