Executive Summary

The Center for Cybersecurity Policy and Law (“Center”) conducted a multistakeholder tabletop exercise entitled Addressing Concentration Risk in Federal IT on April 11, 2024. The purpose of the exercise was to explore a form of concentration risk (sometimes referred to as information technology monoculture) where a single software, configuration, service, or hardware becomes overwhelmingly dominant in an ecosystem. The exercise explored this issue within the context of federal information technology (IT) while recognizing that the issue is not limited to only government systems.

The outcomes of the exercise supported the following recommendations:

  • In coordination with industry, the National Institute of Standards and Technology (NIST) should undertake an effort to further define the types and boundaries of IT concentration risk and how organizations can measure the potential risk it creates in the context of their purchasing, operational, and network defense decisions. Results from this work should be made publicly available and considered for inclusion in the Cybersecurity Framework and other cyber risk management guidance published by NIST.
  • To better understand the scope and potential risk of IT concentration risk in the U.S. federal government, the Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD) should direct the Cybersecurity & Infrastructure Security Agency (CISA), the Department of Defense (DoD), the General Services Administration (GSA), and other agencies, as appropriate, to ascertain the existence of IT monoculture across all departments and agencies.
  • U.S. Congress should investigate and provide oversight on IT concentration risk across federal government departments and agencies.

In addition to leading to the above recommendations, the exercise identified numerous areas for further research and assessment, and it raised a host of questions that the scenario was not designed to answer. It is the Center’s intention that this after-action report will support the above findings, underscore areas in need of further exploration, and spur future discussion of this topic due to its potential for severe negative impacts on the cybersecurity of public and private sector IT networks. 

The full report can be downloaded here.

Ari Schwartz, John Banghart & Tim McGiff

Read Next

A Partial Win for AI Red-Teaming from the Copyright Office

The U.S. Copyright Office clarified legal rules for AI trustworthiness research and red-teaming under Section 1201 of the Digital Millennium Copyright Act and AI red-teamers have cause to celebrate, however, there is some not-so-great news too.

Building PQC and Crypto Resiliency Across the Public and Private Sectors

A webinar that featured industry leaders from AT&T, the National Institute of Standards and Technology (NIST), InfoSec Global, The White House, and Venable LLP, focused on cryptographic resilience and post-quantum transition.‍

NTIA Report Reveals Support for Open AI Models

The NTIA released a report examining the risks and benefits of dual-use foundation models with publicly available model weights, also examining the impact of openness on innovation and how to evaluate and quantify risk for these models.