Executive Summary

The Center for Cybersecurity Policy and Law (“Center”) conducted a multistakeholder tabletop exercise entitled Addressing Concentration Risk in Federal IT on April 11, 2024. The purpose of the exercise was to explore a form of concentration risk (sometimes referred to as information technology monoculture) where a single software, configuration, service, or hardware becomes overwhelmingly dominant in an ecosystem. The exercise explored this issue within the context of federal information technology (IT) while recognizing that the issue is not limited to only government systems.

The outcomes of the exercise supported the following recommendations:

  • In coordination with industry, the National Institute of Standards and Technology (NIST) should undertake an effort to further define the types and boundaries of IT concentration risk and how organizations can measure the potential risk it creates in the context of their purchasing, operational, and network defense decisions. Results from this work should be made publicly available and considered for inclusion in the Cybersecurity Framework and other cyber risk management guidance published by NIST.
  • To better understand the scope and potential impact of IT concentration risk in the U.S. federal government, the Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD) should direct the Cybersecurity & Infrastructure Security Agency (CISA), the Department of Defense (DoD), the General Services Administration (GSA), and other agencies, as appropriate, to ascertain the existence of IT monoculture across all departments and agencies.
  • U.S. Congress should investigate and provide oversight on IT concentration risk across federal government departments and agencies.

In addition to leading to the above recommendations, the exercise identified numerous areas for further research and assessment, and it raised a host of questions that the scenario was not designed to answer. It is the Center’s intention that this after-action report will support the above findings, underscore areas in need of further exploration, and spur future discussion of this topic, given its potential for severe negative impacts on the cybersecurity of public and private sector IT networks.

The full report can be downloaded here.

Ari Schwartz, John Banghart & Tim McGiff
