Agency lists of ‘bad guys’ should evolve to address more sophisticated cyber threats, GSA official says

Ann Lewis, director of Technology Transformation Services, highlighted updating agency guidance on potential threats as a best practice that “doesn’t get enough air time.”
TTS Director Ann Lewis holds a microphone and sits in a white chair on stage at Scoop News group's CyberTalks in Washington. She is joined by GDIT's vice president of cyber, Matthew Mcfadden, and Scoop News Group's senior vice president of content strategy, Wyatt Kash, who are also seated.
Director of the General Services Administration's Technology Transformation Services Ann Lewis speaks on a panel titled "Protecting Consumers in the Digital Age: Government's Role" at CyberTalks 2023 in Washington. (Photo by EPNAC)

Evolving from a “list of bad guys” approach to cybersecurity to one that takes into account more sophisticated threats is a best practice that Ann Lewis, director of the General Services Administration’s Technology Transformation Services, said “doesn’t get enough air time.”

Lewis, speaking on a panel at Scoop News Group’s CyberTalks event Thursday, said “the way in which agencies make risk-based decisions has a significant impact on how cybersecurity work can be done.” 

Specifically, she pointed to the tendency among agencies to approach risk and security by making and updating a list of “bad guys” and thinking that as long as the list is checked when allowing access to a system, it’s safe.

“Obviously we know this is not how threat analysis works,” Lewis said. “And to be effective in an ever-evolving landscape, especially as AI-based tools help our attackers develop more sophisticated ways of breaking in, we need to think about … how to evolve from a list of bad guys to, this is an ongoing threat landscape, it’s going to be constantly changing, and we need to invest in it at all levels.”


Lewis said it could be an opportunity for decision-makers and cyber professionals at agencies to work more closely with their legal offices on adapting guidance. 

The default way of making decisions in government involves looking at the rules and what agencies can and can’t do, and turning that into a risk-based decision framework, Lewis said. But that doesn’t set agencies up for success “when we think about cybersecurity preparedness overall,” she said.

Improving cybersecurity has been a priority for the Biden administration. A 2021 executive order outlined specific steps agencies were to take to improve security and the March 2023 release of a national cybersecurity strategy built upon the order. Earlier on Thursday, the Office of Management and Budget’s Chris DeRusha teased a follow-up to that implementation plan.

Lewis also noted that what services agencies choose to use can impact cybersecurity.

The way funding and decision-making are distributed across government unintentionally creates silos, she said, which leads to “a lot of little one-off implementations that perhaps should be using common solutions, shared services, off-the-shelf tools.”


One example of that is authentication tools, she said. “Every single agency has hundreds and hundreds of custom authentication implementations and nobody should be writing that code in this day and age.”

Lewis pointed to, which was developed by the GSA’s 18F and U.S. Digital Service, as an available service that already has security hardening built into it. 

Implementation of and other shared services can “​​significantly reduce the attack surface area because you have fewer custom one-off implementations that have a tendency to proliferate organically,” she said.

Madison Alder

Written by Madison Alder

Madison Alder is a reporter for FedScoop in Washington, D.C., covering government technology. Her reporting has included tracking government uses of artificial intelligence and monitoring changes in federal contracting. She’s broadly interested in issues involving health, law, and data. Before joining FedScoop, Madison was a reporter at Bloomberg Law where she covered several beats, including the federal judiciary, health policy, and employee benefits. A west-coaster at heart, Madison is originally from Seattle and is a graduate of the Walter Cronkite School of Journalism and Mass Communication at Arizona State University.

Latest Podcasts