Cyber Sprint Now a Cyber Marathon
November 3, 2015
As a follow-up to the Cyber Sprint we saw this summer, the federal CIO, Tony Scott, and OMB just announced the Cybersecurity Strategy and Implementation Plan (CSIP) which, like its predecessor, maps out objectives and action plans for agencies — and in this case, the civilian departments — to follow. While the Cyber Sprint is aimed at achieving ‘quick wins,’ the CSIP is focused on raising baseline security practices and policies indefinitely.
The Plan is organized around the following five core objectives:
- Prioritized Identification and Protection of high-value assets and information;
- Timely Detection of and Rapid Response to cyber incidents;
- Rapid Recovery from incidents when they occur and accelerated adoption of lessons learned from the Sprint assessment;
- Recruitment and Retention of the most highly-qualified cybersecurity workforce talent the federal Government can bring to bear; and
- Efficient and Effective Acquisition and Deployment of existing and emerging technology.
The guidance also calls for accelerated deployment of EINSTEIN 3A by the end of 2015, delivery of an incident response contract vehicle by April 30th, 2016, and official guidance to agencies recovering from cyber incidents.
Here are some crucial aspects of recent policy changes which could have a far-reaching impact on industry:
The Plan calls for agencies to identify and report their highest-value assets. Those reports are due in mid-November. We see similar prioritization efforts in DOD with the Navy’s Task Force, Cyber Aware and the Air Force’s Task Force, Cyber Secure. What this strategy does is give clarity to how the federal Government plans to spend the $14 billion designated for cybersecurity in its FY16 Budget Request (true cyber spending is likely much higher, since funding is often improperly classified as non-cyber). Industry will want to pay attention to these reports, as they will dictate where future agency cybersecurity investments are focused.
Groundwork for Information Sharing Rules
In addition to CSIP, Tony Scott, OMB and others have provided updated guidance on FISMA requirements. Most notably, it classifies what constitutes a “Major Incident.” An agency that has been the victim of a major incident will then need to notify Congress. I recommend reading the definition, since it will probably influence the cyber information sharing bills on the Hill right now, particularly by defining the information sharing threshold for the government. Incidentally, the White House FY16 budget request included language calling for a single federal threshold for notifying victims of private sector breaches.
Built-In Security Not an Option
Along with the changes to FISMA, OMB is proposing changes to Circular No. A-130. If you haven’t heard of it, that’s okay, because many people haven’t. This is the foundational policy document on how government agencies budget, acquire, and manage IT. The Circular hasn’t been updated in 15 years, and this change will reflect the evolving technological landscape. What stood out was this snippet:
“…systems should employ technologies that can significantly increase the built-in protection capability of those systems and make them inherently less vulnerable.”
We have been saying for a while that government leaders are becoming increasingly vocal against “bolt-on” security. This update to the Circular aims at making cyber resilience mandatory and built into the hardware, middleware, applications, and software.
To find out more about how government agencies are grappling with the challenges posed by cyber threats, register today for the 2nd Annual Government IT Sales Summit. This information-packed event features three Cybersecurity-related sessions that focus on mobility, analytics, and information sharing. Speakers include Steve Hernandez, the acting CIO of the Inspector General for the Department of Health and Human Services, Rick Walsh, the Army’s lead for commercial mobility, and Bob Flores, former CTO of the CIA.