When you’re the newest federal agency on the block like the Cybersecurity and Infrastructure Security Agency, you can’t just have run-of-the-mill technology — especially when your mission is to defend the government’s sprawling IT networks.
Bob Costello is hyper-aware that a big part of his role as CIO of CISA — the Department of Homeland Security agency established in late 2018 as the federal government’s premier cybersecurity function — is providing the most modern technology possible to help attract high-quality cybersecurity professionals who are used to working with the latest and greatest tools in the private sector.
“I need to have the best IT out there,” Costello said Thursday at the Swift Technologies GIST 2022 summit, produced by FedScoop. “Because no one wants to join CISA as a federal employee and [then after joining] I’m like, ‘Well, here’s your underpowered laptop with no analytic tools. And here’s a phone that’s a little more than a phone.’ That’s not a place where people are going to want to work.”
A big part of that is enabling CISA to provide the same types of tools to its remote workforce as it does to those working in-office in the Washington, D.C., region.
“As we move into the acceptance of probably not everyone will be in an office building and in the National Capital Region, how do I really ensure that as I’m recruiting from the same pool of candidates as all of you, that when they come to CISA … they have a phenomenal experience?” Costello said.
Costello was excited to share that later this fiscal year, CISA should receive procurement authority at the same level as all other DHS components.
“That’s a game-changer for CISA, you know, to be able to do much more at the agency level than we have been able to before,” Costello said.
While the agency will still work “in strong partnership” with DHS at the headquarters level, he said, independent procurement authority gives CISA an opportunity to move more rapidly to acquire new capabilities.
Another area in which CISA is working to move quicker is issuing authorities to operate (ATOs). That is improving the cyber posture across the agency, he said.
“There’s nothing worse than when you’re trying to deploy your solution and you can’t get an ATO,” he explained. “And by the time we get the ATO, it only shows a point in time. That’s not how we want to be doing things.”
Costello wouldn’t admit how long an ATO took before the agency looked to modernize the process — “some master’s degrees could be completed sooner,” he said — but claimed the agency has done a few that took about 35 days.
“And they’re not weak ATOs,” Costello said. “There’s meaning behind them, there’s continuous evaluation of the programs that are being deployed.”