The U.S. Department of Agriculture discovered a gap in its cybersecurity operations during the SolarWinds breach, which led it to apply for the $4.4 million it received in May from the federal Technology Modernization Fund, according to its chief information security officer.
Speaking during an ACT-IAC webinar Thursday, USDA CISO Ja’Nelle DeVore said the department wasn’t directly affected by the SolarWinds vulnerability but did experience an ancillary attack prompting it to seek funding for threat monitoring, detection and response capabilities.
The SolarWinds breach compromised nine agencies and left more vulnerable for nine months before it was discovered in December 2020. In its aftermath, USDA realized it needed new software tools to bolster its cyber posture and implement a zero-trust security architecture.
“We identified a gap there, and one of the reasons I understand that we were approved for that funding was because we were specific in: OK, it’s great to reach out and say we need money for a tool, but hey we have a gap in our processes that we don’t have the funding to address,” DeVore said. “So we went ahead and applied for it.”
The project is ongoing, as is USDA’s effort to have its security operations center (SOC) certified and made available to other agencies as a shared service. That SOC-as-a-Service offering remains a few years away, DeVore said.
USDA already had the Department of Homeland Security independently evaluate its SOC and make recommendations to mature it.
“They did give us a really good independent assessment and also a really good roadmap to completing some of the findings and remediating some of those findings,” DeVore said.
USDA is also considering developing a blue team, or a protective cybersecurity team, but it’s “challenging” to have to regularly reprioritize cyber requirements whenever the Cybersecurity and Infrastructure Security Agency issues a new directive or an audit comes out, DeVore said.
USDA stood up an integrated project team (IPT) composed of different mission areas, enterprise architects and cyber staff to manage implementation of the more than 140 requirements in the 2021 Cyber Executive Order and subsequent guidance. The IPT is an agile approach for addressing the five pillars of the Federal Zero-Trust Strategy simultaneously, which USDA intends to complete by 2024, DeVore said.
When the requirement that agencies develop contract language addressing cyber supply chain threats came down, USDA was able to loop its acquisition team into the IPT. The agency developed use cases for different requirements in the executive order.
Aside from its Technology Modernization Fund project, USDA has been able to accomplish this work within its current budget.
“At this point, we haven’t really reached out for a lot of money,” DeVore said. “But I do imagine, as we move down the path for implementing the executive order and zero trust, we will need additional funding.”