There weren’t many elements of the White House’s executive order on improving the nation’s cybersecurity that Paul Blahusch, Department of Labor’s chief information security officer, hadn’t already been working on or at least thinking about when that policy dropped in May 2021.
But getting some of those cybersecurity priorities over the finish line in the ensuing two-plus years would require additional funding that DOL has yet to see. Speaking during a panel discussion at last week’s CyberTalks, Blahusch said it was “somewhat disappointing” that the agency “didn’t seem to get the traction in appropriations” that he envisioned.
Blahusch said the Office of Management and Budget was “very helpful and supportive of us putting in our budget requests,” but tough decisions were made when it came to prioritizing the executive order’s callouts.
“One thing that we saw was potentially going to cost us quite a bit of money was the enhanced logging, of being able to … collect and store all that data that was asked for by the executive order and the companion OMB guidance,” Blahusch said. “And it’s been tough because we haven’t gotten any additional appropriations.”
Per executive order 14028, the OMB director and the Commerce and Homeland Security secretaries were charged with formulating policies for agencies to “establish requirements for logging, log retention, and log management, which shall ensure centralized access and visibility for the highest level security operations center of each agency.”
Logs were to be “protected by cryptographic methods” and “periodically verified against the hashes throughout their retention.” Data retention was to be aligned with corresponding privacy laws and regulations.
Though Blahusch hasn’t had access to the type of budget he envisioned following the EO’s issuance, he said it’s been “a nice challenge to be able to determine how to do these things with either resources that we have or resources that we need to pull together.”
Zero-trust architecture, for example, was something that the DOL “brought more to the front burner” following the executive order, Blahusch said.
Cherilyn Pascoe, director of NIST’s National Cybersecurity Center of Excellence, meanwhile, said during Thursday’s panel that her department has also focused on zero trust in the wake of EO 14028, in addition to updating the standards and guidelines for the development and use of secure software.
“We’re working in collaboration with industry, with other government agencies and with academia” on various modernization efforts, Pascoe said. And the NCCoE is “making sure that we have foresight into future issues several years down the road so that when we’re ready to kind of set policy and standards, we have this kind of underpinning of R&D.”
From Blahusch’s perspective, even though the appropriations process fell short of what he fought for, EO 14028 has been an unmitigated win for his work at the DOL.
“I do think the executive order was great to sort of get that entire federal community on the same page,” Blahusch said. “Pushing in the same direction, [getting] some economies of scale going, working with [the Cybersecurity Infrastructure Security Agency] on common solutions, [and] working with OMB on common ways to measure the progress.”