Inside Cybersecurity

CISA’s Goldstein illuminates path forward for addressing legacy network components in federal government

By Jacob Livesay / January 24, 2024

The federal government must prioritize mitigating risks posed by legacy network components and replace end-of-life products in the systems of federal agencies and critical infrastructure, according to CISA cyber leader Eric Goldstein.

“The legacy end-of-life challenge within government is historic, and the level of recapitalization [and] tech modernization required to deprecate and modernize the breadth of end-of-life assets being used across 102 federal civilian agencies is extraordinary,” Goldstein said at a Tuesday event held by the Network Resilience Coalition.

NRC is an industry-led working group that aims to boost the security, safety and resilience of network infrastructure.

The coalition was launched in July 2023 by Venable’s Center for Cybersecurity Policy and Law and includes industry voices from AT&T, Broadcom, BT Group, Cisco Systems, Fortinet, Intel, Juniper Networks, Lumen Technologies, Palo Alto Networks, Verizon and VMware.

NRC launched its first white paper at the Tuesday event, with a focus on how vendors and users can better address product end-of-life concerns.

At the event, Lumen’s Kathryn Condello spoke on an industry panel that also included Cisco’s Eric Wenger and Fortinet’s Carl Windsor.

Condello identified the federal government as a particularly large network solutions customer, explaining, “Government itself needs to think about ... [how to] update, upgrade, [and] change their bespoke environments to something that is more sustainable, upgradeable, reconfigurable or patchable.”

Goldstein, who serves as CISA’s executive assistant director for cybersecurity, said the federal government will need to collaborate with vendors to create strategies that can “reduce the risk posed by end-of-life and end-of-support products.”

Government cyber leaders need to gain an understanding of the “real-world constraints that are limiting modernization and upgrades” and create ways to “drive adoption of the right sets of controls and protections around end-of-life assets to minimize the risk posed by exploitation,” according to Goldstein.

Goldstein explained the government will also need to work with the private sector on identifying sources of funding to help “target rich, resource poor” organizations in the sectors of health care, water and K-12 education.

These sources of funding could come in the form of grants, discounts and subsidies from both the government and the private sector, Goldstein said, emphasizing the need to “think creatively.”

CISA is also participating in OASIS Open’s EoX working group, which is developing standards for end-of-life and end-of-support information, Goldstein said.

The EoX initiative was announced in fall 2023 to address “the lack of a standardized method to programmatically ascertain the EOL/EOS status (i.e., EoX) of products,” according to OASIS Open.

Goldstein said, “We are really eager at CISA to be part of the OASIS working group that is driving adoption of the EoX standard, which would help organizations at least illuminate the breadth of end-of-life risks across their organizations.”

However, Goldstein emphasized that illuminating risks is “only a start,” noting the federal government and network solutions vendors will still need to take on efforts to identify ways to prioritize different end-of-life risks “based upon blast radius” and to address the broader constraints that are limiting modernization efforts. -- Jacob Livesay (jlivesay@iwpnews.com)