The US Cybersecurity and Infrastructure Security Agency released a plan to align the “collective operational defense capabilities” of federal agencies to reduce their cyber-risk. The plan’s focus is to have more synchronized and robust cyber defenses, improved communications, and better agility and resilience in the federal government.For the most part, federal agencies built out their own defense capabilities based on the threats they are facing. As a result, the agencies vary widely in how effectively they manage risks, and there is no “no cohesive or consistent baseline security posture,” CISA said. This discrepancy means despite investing in cybersecurity, the agencies are still vulnerable to threats.“Collective operational defense is required to adequately reduce risk posed to more than 100 FCEB agencies and to address dynamic cyber threats to government services and data,” CISA said.In the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) plan, CISA sets out both “broad organizing concepts for federal cybersecurity” and tactical guidance agencies should implement. The plan covers daily activities and processes organizations should be using to defend their data and information systems, and spans five areas: asset management, vulnerability management, defensible architecture, cyber supply chain risk management, and incident response. It also sets collective security goals for the enterprise and provides a framework for coordinated support and services.It is not intended to provide a comprehensive or exhaustive list of everything that an agency has to accomplish.“The actions in the FOCAL plan orient and guide FCEB agencies toward effective and collaborative operational cybersecurity and will build resilience,” Jeff Greene, CISA’s executive assistant director for cybersecurity, said in a statement.The essential components of FOCAL are “solid,” says John Vecchi, security strategist at Phosphorus Security. There are “very wide disparities” between agencies from a cyber maturity and culture perspective, but these agencies can achieve a “more consistent cybersecurity posture and baseline security hygiene” if FOCAL’s basics are implemented, Vecchi says.However, accomplish a task of this magnitude can be challenge, Vecchi notes. Agency IT teams still need the staff, knowledge, and skills to actually deploy and implement the technologies and processes. The sheer number of security tools needed to accomplish the various elements in the plan could pose problems for agency security teams. While the focus on patching and vulnerability management is essential, these two areas are difficult to implement at scale.It’s also important to remember that about a third of the assets across these agencies represent smart devices, Internet of Things , operational technology, and embedded devices, Vecchi says. These types of systems are often out of compliance in terms of security hygiene.“Resource allocation will most certainly be an issue here, but my guess is that the vast number of disparate teams and cultural differences across all of the agencies will present an even bigger and more immediate challenge,” Vecchi says. “It can be quite challenging for different teams within a single agency to collaborate effectively, let alone across so many unique, independent agencies and networks.”