CISA Lacks Data on Network Segmentation Implementation Among Civilian Agencies

The Cybersecurity and Infrastructure Security Agency does not have data on the percentage of civilian agencies adopting network segmentation strategies, according to acting CISA Director Brandon Wales.

Wales issued the statement in response to an inquiry made by Sen. Ron Wyden about how many agencies are segmenting and segregating internal networks to prevent network intrusion.

Keith Chu, a spokesman for Wyden, called out CISA for merely recommending network segmentation strategies despite having the authority to require agencies to adopt cybersecurity best practices, FCW reported.

He also noted CISA’s failure to collect data from agencies that would reveal how many have followed its voluntary guidance.

Wales said CISA is looking into the possibility of implementing binding operational directives or other authorities to promote security measures. He also admitted that the agency should rethink how it manages the cybersecurity of federal civilian agencies.

In his inquiry, Wyden also pressed Wales about the shortcomings of the EINSTEIN sensor system and why the agency was unable to detect network traffic between agencies that had been compromised by the SolarWinds hack.

According to Wales, a key takeaway from the SolarWinds campaign is that EINSTEIN, which is designed for perimeter security, should be supplemented with capabilities allowing for detection of in-network intrusions.

CISA plans to use the additional $650 million it received as part of the American Rescue Plan Act to speed up its transition from a perimeter defense construct to one that allows for near-real time security detection inside networks.