Government Technology Insider

FITARA Helps CIOs Wage War on Shadow IT Threats

by Patience Wait
September 30, 2016
in Cybersecurity

One challenge facing federal IT managers in an ever more connected world is finding “shadow IT”: IT that an agency CIO or CISO did not purchase or authorize and has been unaware of, yet that connects in myriad ways to the networks the official is responsible for.

Until fairly recently, the term referred to devices – desktop computers, laptops, Internet-connected printers and so on. Now, though, the definition has to expand to include things like unauthorized cloud services and any kind of hardware that might have a sensor to connect to the Internet of Things (IoT).

“IT is now enabling not just data and services, but functions from refrigerators to autos to factory floors,” said Eric Goldstein, Senior Counselor to the Under Secretary at the Homeland Security Department. “It’s a new generation of devices that gives adversaries a broader attack fabric and risk of lives.”

Goldstein was a panelist at the MeriTalk Cybersecurity Brainstorm session “Running in the Shadows: Discovering, Managing, and Securing Hidden IT Threats.”

Commerce Department CIO Steve Cooper suggested the concept of shadow IT as it applies to the federal government should be “anything inside our information security boundaries … that doesn’t fall under the direct purview of the CIO.” That could be other programs, corporations, even private citizens that access government data, he said.

“There’s lots and lots of IT out there, purchased by many different components not associated with the CIO’s office,” Peter Fonash, CTO for the DHS Cybersecurity and Communications Office, said. “I think CIOs are trying to rein that in, but they won’t ever be completely successful.” That’s all right, he said; CIOs shouldn’t completely stifle that because they, too, want the innovation coming from new applications.

Cooper credited FITARA (the Federal IT Acquisition Reform Act) with giving him the ability to get a handle on his department’s shadow IT challenge.

“I have [leveraged] my FITARA authority,” he said. “It’s a CIO review, that basically most could think of as similar to the old Fedstat, where [the Office of Management and Budget] would sit down and do a programmatic review. [It’s] intended to be informal, collaborative, collegial. It’s not intended to trip people up … We’re getting started maturing our own internal process, but without FITARA I’m not sure I could have gotten started.”

James Yeager, Tanium’s Federal Director, noted that there’s a “curious paradox with shadow IT – you don’t know what you’re not measuring. But continuous monitoring is the best countermeasure for CIOs to leverage.” He continued: “Continuous monitoring helps CIOs and CISOs to better monitor the health and performance of their IT assets, tools which also help them find access points, even IT enclaves, they were not aware of.”

Network access control is another way to identify shadow IT, Cooper added. “That type of approach, leveraging that class of software, is incredibly valuable as we lose the ability as human beings to detect stuff connected to the network. Increasingly, leveraging technology becomes, I’d argue, mission critical.”

Fonash observed that software-defined networks hold potential for great cyber defense, provided you can keep track of the assets, but there are things beyond any CIO’s control, such as one’s supply chain. “Target was compromised by an HVAC service provider,” he pointed out. And the Internet of Things will only add to the complexity.

“IoT isn’t governed by anyone, but there’s no one in charge, no one responsible for security … and that’s going to be connected to your IT environment,” Fonash said.

“I want to get out of the infrastructure business; I don’t want to do that any more. I want to go out into the government community cloud,” Cooper said. “But there’s a question. Am I still going to be held accountable for what happens to ‘my’ infrastructure when it’s out there in the commercial environment? … If something happens, am I going to be the one called up on the Hill to explain? Is it GSA? OMB? Is it the contractors?”

Cooper suggested the NIST framework is going to have to be extended in some kind of collaborative partnership. “I think we are going to need the assistance and guidance of attorneys, both in the government sector and industry, [regarding] who has liability.”

After listening to the commentary from agency CIOs, Yeager added, “CIOs need to focus on the timeliness and speed of their monitoring methodology and capabilities. If their organization is not leveraging a true real-time approach, where cycle times are measured in seconds/minutes, then they’ve already lost. Shadow IT presents bad actors with a window into the organization’s soul and they only need a moment to wreak their havoc.”
