Rethinking Cybersecurity Funding: A Call for Change in Zero Trust Implementation
In an era where cyber threats are increasingly sophisticated and pervasive, the U.S. government is under pressure to enhance its cybersecurity posture. A recent discussion at the ATARC Federal Zero Trust Summit highlighted the urgent need for a fundamental shift in how cybersecurity initiatives, particularly zero trust implementation, are funded across federal agencies. This call for change comes from key technology leaders within the State Department and the Cybersecurity and Infrastructure Security Agency (CISA), who argue that the current funding mechanisms are inadequate to meet the demands of modern cybersecurity challenges.
The Need for a New Funding Approach
Donald Bauer, the Chief Technology Officer at the State Department’s Office of Technology Services, emphasized the necessity for a "fundamental change" in the government’s approach to funding cybersecurity efforts. He proposed the creation of a dedicated funding lane for cybersecurity, akin to existing modernization funds. This suggestion stems from the realization that the current bifurcation of funding—where agencies have separate budgets for modernization and cybersecurity—creates significant challenges. Bauer noted that 25% of his team’s budget is allocated to cybersecurity, primarily for remediation efforts, while modernization funds have faced a staggering 28% cut.
“The squeeze is on, but there’s no relief in sight,” Bauer lamented, highlighting the pressing need for a more sustainable funding model that can adequately support both modernization and cybersecurity initiatives.
Leveraging the Technology Modernization Fund
One potential avenue for relief is the Technology Modernization Fund (TMF), which aims to assist agencies in funding technology transformation projects. Shelly Hartsook, Deputy Associate Director of Capacity Building at CISA, pointed out that the TMF, along with the Continuous Diagnostics and Mitigation (CDM) program, could provide essential support for agencies striving to enhance their cybersecurity frameworks. The CDM program offers a suite of cybersecurity tools and integration services, although Hartsook acknowledged that it may not cover every tool an agency might desire.
Hartsook articulated a vision for the future where agencies can make incremental investments in cybersecurity based on their budget situations, working collaboratively with programs like CDM to build a cohesive cyber stack rather than a disjointed set of tools. She reiterated the importance of zero trust proposals in the TMF, suggesting that even agencies facing budget constraints could find opportunities for funding through this vehicle.
The Challenges of Competing for Funds
Despite the potential benefits of the TMF, Bauer expressed frustration with the competitive nature of securing funding through this mechanism. He described a "huge disconnect" in his interactions with the Office of Management and Budget regarding funding issues. Applying for TMF funding is not straightforward: agencies must compete for resources, often borrowing against future budgets. Bauer said he would prefer a simpler approach, in which Congress could allocate specific funds for cybersecurity initiatives, allowing agencies to demonstrate accountability for their expenditures.
“I feel like that’s the disservice that I felt, like I’ve gotten when I see an executive order come over [that] says I have to comply and there’s not enough funding for it,” Bauer stated, underscoring the disconnect between policy mandates and available resources.
Navigating the Broader Landscape of Technology
Bauer’s concerns extend beyond zero trust implementation. He also highlighted the complexities introduced by the White House’s artificial intelligence executive order, which has led to an influx of requests for data handling and analysis. This influx presents additional challenges for agencies that must ensure compliance and security while navigating the rapidly evolving landscape of technology.
Moreover, Bauer acknowledged the difficulties associated with unwinding legacy technology. He candidly admitted that his organization operates with "plain old vanilla … servers," emphasizing the need for stability over cutting-edge solutions. However, he also noted that the State Department is actively working on developing its own software and is preparing to implement dynamic scanning using artificial intelligence to enhance its security posture.
A Holistic Approach to Cybersecurity
Bauer’s strategy involves fostering a culture of security awareness across the organization. When his team runs scans that identify vulnerabilities, it encourages developers, regardless of whether they own the code in question, to examine their own software for similar vulnerabilities. This collaborative approach aims to elevate the overall security posture of the organization, ensuring that all teams are engaged in the collective effort to mitigate risks.
Conclusion
As the federal government grapples with the complexities of cybersecurity in an increasingly digital world, the need for a reimagined funding approach has never been more critical. The discussions at the ATARC Federal Zero Trust Summit underscore the importance of aligning funding mechanisms with the urgent demands of cybersecurity initiatives. By establishing dedicated funding lanes and leveraging existing resources like the TMF, agencies can better position themselves to implement robust cybersecurity measures, including zero trust frameworks. Ultimately, a holistic and collaborative approach to cybersecurity funding will be essential in safeguarding the nation’s digital infrastructure against evolving threats.
About the Author
Caroline Nihill is a reporter for FedScoop in Washington, D.C., specializing in federal IT coverage. Her reporting includes tracking artificial intelligence governance and modernization efforts across the federal government. Caroline holds a bachelor’s degree in media and journalism from the University of North Carolina at Chapel Hill.