Executive Summary

The Center for Cybersecurity Policy and Law (“Center”) conducted a multistakeholder tabletop exercise entitled Addressing Concentration Risk in Federal IT on April 11, 2024. The purpose of the exercise was to explore a form of concentration risk (sometimes referred to as information technology monoculture) where a single software, configuration, service, or hardware becomes overwhelmingly dominant in an ecosystem. The exercise explored this issue within the context of federal information technology (IT) while recognizing that the issue is not limited to only government systems.

The outcomes of the exercise supported the following recommendations:

  • In coordination with industry, the National Institute of Standards and Technology (NIST) should undertake an effort to further define the types and boundaries of IT concentration risk and how organizations can measure the potential risk it creates in the context of their purchasing, operational, and network defense decisions. Results from this work should be made publicly available and considered for inclusion in the Cybersecurity Framework and other cyber risk management guidance published by NIST.
  • To better understand the scope and potential risk of IT concentration risk in the U.S. federal government, the Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD) should direct the Cybersecurity & Infrastructure Security Agency (CISA), the Department of Defense (DoD), the General Services Administration (GSA), and other agencies, as appropriate, to ascertain the existence of IT monoculture across all departments and agencies.
  • U.S. Congress should investigate and provide oversight on IT concentration risk across federal government departments and agencies.

Beyond the recommendations above, the exercise identified numerous areas for further research and assessment and raised a host of questions that the scenario was not designed to answer. It is the Center’s intention that this after-action report will support the above findings, underscore areas in need of further exploration, and spur future discussion of this topic, given its potential for severe negative impacts on the cybersecurity of public and private sector IT networks.

The full report can be downloaded here.

Ari Schwartz, John Banghart & Tim McGiff
