Funding challenges hamper cyber EO compliance, CIOs say

Federal CIOs speaking at an industry conference stressed the need for additional investments to meet the ambitious deadlines and modernization goals of the Biden administration's cybersecurity executive order.

Gundeep Ahluwalia, CIO of the Department of Labor, said that even though the executive order has improved intra-agency collaboration around cybersecurity, his department remained stifled in implementing certain requirements due to a lack of resources.

"In my mind, we have to find some resources internally, ask Congress for appropriated resources, look at the Technology Modernization Fund and maybe certain things can be pulled together," Ahluwalia told ACT-IAC's Imagine Nation ELC 2021 conference on Tuesday. "I think, like most other departments, we have the same conundrum: the resources don't match the velocity needs in the EO."

Analysts and private sector leaders previously expressed concerns about unfunded mandates featured throughout the cyber EO when it was first announced in May. Experts told FCW at the time that the government remained woefully unequipped to overhaul its cybersecurity policies and practices across the board, even with a $750 million reserve for federal IT enhancements featured in the White House's discretionary budget requests for fiscal 2022, due in part to decades of underinvestment in federal IT.

Despite financial challenges, the cyber EO brought a "renewed sense of urgency" on "some of the things that we should be doing anyway," said Gary Washington, CIO at the Department of Agriculture.

"We have people all over the United States, and we have an international presence as well," Washington said while explaining how his agency has sought to implement the executive order. "I've been spending a lot of time with [personnel] educating them on why we need to do these things."

Ann Dunkin, CIO of the Department of Energy (DOE), also said one of the biggest challenges her office faced was figuring out how to implement things like zero trust and multi-factor authentication (MFA) "across a wide variety of environments" without consistent resources and an increased investment from Congress.

DOE has not yet fully implemented MFA, Dunkin said, despite the cyber EO providing a six-month deadline for all agencies to adopt the authentication method, along with encryption of data at rest and in transit. That deadline passed on Monday.

"One reason why MFA is not fully implemented at DOE is we're trying to ensure that our scientific collaborators can get to our systems," she explained, noting how some labs across the country that collaborate with the agency did not have authentication standards which meet the EO requirements. "How do we get there? And also, the elephant in the room for all of us, how do we pay for it?"

Dunkin added: "We want to comply with the EO, but we want to take a risk-based approach to complying with the EO because we know it's going to take us time to get there all the way."

A day before the CIOs gathered to discuss various challenges around implementing the cyber EO, one of the leading federal officials tasked with overseeing the execution of the directive joined the conference to review how agencies and key stakeholders have improved their cyber posture since May.

Steven McAndrews, director of federal civilian cybersecurity for the Office of Management and Budget, said agencies have "come a long way" after the administration established "the policies that are going to get us to the end state that we're looking for."