Cyber

Google Cloud compliance leader: Biden’s cyber strategy should hold agencies accountable

Jeanette Manfra wants to see agencies held accountable for how they invest taxpayer dollars to meet federal cybersecurity requirements.

By Dave Nyczepir

October 20, 2022

OCT 20, Washington D.C. -- Google Cloud Senior Director of Global Risk and Compliance Jeanette Manfra speaks at CyberTalks, presented by CyberScoop. (Image credit: Pixelme Studio).

The Biden administration’s first national cybersecurity strategy should ensure all federal agencies have the necessary resources for their roles and hold them accountable for their investments, said Google Cloud’s senior director for global risk and compliance.

Speaking at CyberTalks presented by Cyberscoop on Thursday, Jeanette Manfra cautioned against trying to do too much with the document — expected any day now.

National Cyber Director Chris Inglis indicated last week the strategy would go beyond simply relying on market forces and mandate and invest in specific architecture attributes. Increased demands on industry may be met with pushback, but Manfra emphasized government’s part.

“With so many agencies having so many different responsibilities, accountability for the work — that they’re stewards of taxpayer dollars to get that work done — I think that’s also really important,” the former assistant secretary for cybersecurity and communications at the Department of Homeland Security said.

Manfra praised Inglis for “really diving into” zero-trust security following the issuance of the Cyber Executive Order in May 2021 with “pointed” guidance helping agencies prioritize capabilities and justify investments.

Also reassuring was Congress giving the Cybersecurity and Infrastructure Security Agency additional funding to meet its “broad” mission, but lawmakers need to ensure its focus remains on critical functions: securing elections, financial systems and federal systems, as well as providing guidance and capabilities where possible.

Manfra shared her belief compliance can be modernized if vendors begin supplying government with capabilities, like Google’s Assured Workloads, which can be tailored to an agency’s requirements to prevent misconfigurations.

“In the government I used to argue with compliance people a lot,” she said. “You often felt that you were making decisions that sometimes didn’t always have security outcomes that you were looking for and sometimes seemed to be in conflict — not always, but sometimes.”