Cyber Sprint Now a Cyber Marathon

Lloyd McCoy Jr., Consultant

As a follow-up to the Cyber Sprint we saw this summer, the federal CIO, Tony Scott, and OMB just announced the Cybersecurity Strategy and Implementation Plan (CSIP) which, like its predecessor, maps out objectives and action plans for agencies — and in this case, the civilian departments — to follow. While the Cyber Sprint is aimed at achieving ‘quick wins,’ the CSIP is focused on raising baseline security practices and policies indefinitely.

The Plan is organized around the following five core objectives:

  1. Prioritized Identification and Protection of high-value assets and information;
  2. Timely Detection of and Rapid Response to cyber incidents;
  3. Rapid Recovery from incidents when they occur and accelerated adoption of lessons learned from the Sprint assessment;
  4. Recruitment and Retention of the most highly-qualified cybersecurity workforce talent the federal Government can bring to bear; and
  5. Efficient and Effective Acquisition and Deployment of existing and emerging technology

The guidance also calls for accelerated deployment of EINSTEIN 3A by the end of 2015, delivery of an incident response contract vehicle by April 30th, 2016, and official guidance to agencies recovering from cyber incidents.

Here are some crucial aspects of recent policy changes which could have a far-reaching impact on industry:

Cyber Priorities

The Plan calls for agencies to identify and report their highest-value assets. Those are due in mid-November. We see similar prioritization efforts in DOD with the Navy’s Task Force, Cyber Aware and the Air Force’s Task Force, Cyber Secure. What this strategy does is give clarity to how the federal Government plans to spend the $14 billion designated for cybersecurity in its FY16 Budget Request (true cyber spending is likely much higher since funding is often improperly classified as non-cyber). Industry will want to pay attention to these reports as they will dictate where future agency cybersecurity investments are focused.

Groundwork for Information Sharing Rules

In addition to CSIP, Tony Scott, OMB and others have provided updated guidance on FISMA requirements, most notably classifying what constitutes a “Major Incident.” An agency that was victim to a major incident will then need to notify Congress. I recommend reading the definition since it will probably influence the cyber information sharing bills on the Hill right now, particularly in defining the information sharing threshold for the government. Incidentally, the White House FY16 budget request included language calling for a single federal threshold for notifying victims of private sector breaches.

Built-In Security Not an Option

Along with the changes to FISMA, OMB is proposing changes to Circular No. A-130. If you haven’t heard of it, that’s okay because many people haven’t. This is the foundational policy document on how government agencies budget, acquire, and manage IT. The Circular hasn’t been updated in 15 years, and this change will reflect the evolving technological landscape. What stood out was this snippet:

“…systems should employ technologies that can significantly increase the built-in protection capability of those systems and make them inherently less vulnerable.”

We have been saying for a while that government leaders are becoming increasingly vocal against “bolt-on” security. This update to the Circular aims at making cyber resilience mandatory and built into the hardware, middleware, applications, and software.

To find out more about how government agencies are grappling with the challenges posed by cyber threats, register today for the 2nd Annual Government IT Sales Summit. This information-packed event features three Cybersecurity-related sessions that focus on mobility, analytics, and information sharing. Speakers include Steve Hernandez, the acting CIO of the Inspector General for the Department of Health and Human Services, Rick Walsh, the Army’s lead for commercial mobility, and Bob Flores, former CTO of the CIA.

About Lloyd McCoy Jr.
Lloyd McCoy is the manager of immixGroup’s Market Intelligence organization, leveraging market analysis and purchasing trends to help immixGroup suppliers and partners shorten their sales cycles. He has an M.S. in Strategic Intelligence from the National Intelligence University, an M.A. in Public Policy and a B.A. in Political Science, both from the University of Maryland. Prior to joining immixGroup, Lloyd was a senior analyst in the Intelligence Community for eight years, serving in a variety of senior analytic and project management positions in the U.S. and abroad.

One Response to Cyber Sprint Now a Cyber Marathon

  1. Leecor says:

    Thanks Lloyd.

    Ronald L. Beckwith, MGen, USMC, (Ret.)
    President, LeeCor, Inc.
    4031 University Dr., Ste 200
    Fairfax, VA 22030
    703-277-7721 (O)
    703-927-6397 (C)
