Executive Summary

The Center for Cybersecurity Policy and Law (“Center”) conducted a multistakeholder tabletop exercise entitled Addressing Concentration Risk in Federal IT on April 11, 2024. The purpose of the exercise was to explore a form of concentration risk (sometimes referred to as information technology monoculture) in which a single software product, configuration, service, or hardware platform becomes overwhelmingly dominant in an ecosystem. The exercise explored this issue within the context of federal information technology (IT) while recognizing that the issue is not limited to government systems.

The outcomes of the exercise supported the following recommendations:

  • In coordination with industry, the National Institute of Standards and Technology (NIST) should undertake an effort to further define the types and boundaries of IT concentration risk and how organizations can measure the potential risk it creates in the context of their purchasing, operational, and network defense decisions. Results from this work should be made publicly available and considered for inclusion in the Cybersecurity Framework and other cyber risk management guidance published by NIST.
  • To better understand the scope and potential impact of IT concentration risk in the U.S. federal government, the Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD) should direct the Cybersecurity & Infrastructure Security Agency (CISA), the Department of Defense (DoD), the General Services Administration (GSA), and other agencies, as appropriate, to ascertain the existence of IT monoculture across all departments and agencies.
  • U.S. Congress should investigate and provide oversight on IT concentration risk across federal government departments and agencies.

In addition to leading to the above recommendations, the exercise identified numerous areas for further research and assessment, and it raised a host of questions that the scenario was not designed to answer. It is the Center’s intention that this after-action report will support the above findings, underscore areas in need of further exploration, and spur future discussion of this topic, given its potential for severe negative impacts on the cybersecurity of public and private sector IT networks.

The full report can be downloaded here.

Ari Schwartz, John Banghart & Tim McGiff
