30-day Cybersecurity Sprint is History – What Now? Part II
September 18, 2015
Last week I went over FY16 spending priorities tied to the federal government’s renewed focus on cybersecurity. I mentioned that while the amount available might be less than the amount in the Obama administration’s initial request, the 2016 budget request for cybersecurity is still a vital document for mapping fulfillment of those priorities to existing, authorized spending lines. I also want to remind you that October is not only the start of the new fiscal year, but is also National Cybersecurity Awareness Month.
In my last post I also showed you OPM’s top 5 cybersecurity priorities. I think you’ll find them closely aligned with the eight priorities the White House spelled out when it launched its 30-day Sprint.
The White House’s requirements include:
- Data protection
- Improved situational awareness
- Better-trained people
- Greater user awareness
- Automating processes
- Resiliency in attacks
- Lifecycle security
- Reducing attack surfaces
I’ve recommended mapping your products and services to these eight priorities. Now the newly underlying (and slightly bigger) cybersecurity dollar request ties them together into a serious restatement and clarification of executive branch strategy.
Perhaps not intentionally, the priorities in the 2016 cybersecurity budget request provide sales and marketing message guidance by clearly reiterating the government’s cybersecurity priorities and the general approach agencies will take to secure their networks.
Keep in mind, too, the goals of the sprint itself. The 30-day sprint for cybersecurity called for agencies to deploy “indicators” from the DHS’s network scanning and logs, presumably from the output of the Einstein systems. It told them to patch critical vulnerabilities immediately. Notably, this is a prime goal of the Continuous Diagnostics and Mitigation program, which agencies should have been implementing in the first place.
The Office of Management and Budget (OMB) reported that agencies were able to apply strong authentication to 30 percent more people than before. The number of privileged users subject to strong authentication increased 40 percent. OMB reported that 13 of the biggest agencies now have strong authentication for 95 percent of privileged users. The Department of Transportation, Veterans Affairs, and the Department of Interior are highlighted in this report. Conspicuously absent from that list are the Department of Defense and DHS. Reiterating the 30-day sprint report, “There’s a long way to go. The next step was to be a comprehensive cyber strategy based on all of this, and now we’re seeing it.”
Coincidentally (or perhaps not), the National Institute of Standards and Technology (NIST) issued a new publication calling for more collaboration between industry and government on cybersecurity threat reporting, along with sharing and greater use of agreed-on metrics. Such metrics, the NIST authors say, would improve trust in online transactions, mitigate the effects of cybersecurity incidents, and ensure secure interoperability among trade partners. That ties the private sector economy closer to the strategy for the government itself. And for marketers, it means your commercial sector accounts are more powerful references for obtaining federal business, and vice versa.
A final note: the 30-day sprint signaled a fresh approach, with a greater emphasis on the techniques of agile development, such as a greater operations tempo. It was a shrewd choice of words by federal Chief Information Officer Tony Scott. He invoked the iterative development methodology, in which developers write code in short bursts followed by functionality testing by users, which, in turn, leads to the requirements for the next sprint.
The government might launch subsequent sprints, but as Doug Maughan of DHS’s Science and Technology noted in a recent interview, the journey to cybersecurity is a marathon.
If you found this blog series helpful, make sure to read my full article, “How The OPM Breach Galvanized Cybersecurity, And How You Can Help,” featured on IT Best of Breed.