As cyber threats intensify, the Cybersecurity and Infrastructure Security Agency (CISA) is pushing to modernize its defenses by overhauling compliance tools and rethinking its authority to operate (ATO) efforts, CISA Chief Information Officer (CIO) Robert (Bob) Costello said on Tuesday.

Costello shared details on those modernization efforts at the FedForward event held in Washington by Cisco and MeriTalk. The CIO explained that CISA’s ATO modernization efforts are “quite forward-leaning for civilian agencies.”

“We are going to be concentrating on risk,” Costello said. “The risk to the data, the risk to reputational harm, and then honestly understanding how our systems operate. So, starting that work early in this fiscal year.”

“That is an area that we’re actually using AI on to start writing some of our SSPs [system security plans], to monitor our control statements, to do automated testing against our systems continuously, which has been really exciting,” he added.

Costello also noted that CISA has modernized its governance, risk, and compliance (GRC) tool, allowing its information security officers (ISOs) to focus on technology as opposed to compliance.

“What we’ve been able to do is integrate within our GRC tool all the telemetry we’re collecting from all of our tooling and actually enable the ISOs to actually see what’s happening in the environment from one single tool, vice having to go out and talk to system owners or look at five different tools to see our vulnerability metrics,” Costello said.

He explained that it’s “not perfect yet,” but CISA is getting to a point where it can automate compliance and take that burden off its employees.

“I really want people doing the true cyber work. So, that’s something that we’re really interested in,” Costello said, adding, “I don’t want [my team] sitting there doing paperwork. I want them doing cyber work. I want them deploying systems for the operational components of CISA, and then also serving as like a shining example of ‘you can do this. You can do hard things.’”

Costello concluded by stressing that cyber defenders should never not do something “because it’s hard.”

“The work we need to do to secure this nation is going to be hard. The threats are increasing every day. We know the increasing threat from China. We want to ensure that we are deploying our resources effectively at CISA,” he said.

About
Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.