Blockchain is all the rage and now government is interested

By Tom O’Keefe, consultant

Everyone’s piling on blockchain as the hip buzzword of the year. Companies that have inserted blockchain in their name have seen their stock prices rise, and simply mentioning that blockchain is part of your technology can be a surefire way to secure investment from venture capital firms.

And now, the federal government is getting in on blockchain, with a recent NIST draft publication highlighting where and when blockchain could be valuable. And federal agencies are paying attention.


3 opportunities in the president’s budget

By Tom O’Keefe, consultant

We all know the administration recently released its FY19 budget request. Despite the fact that the president’s budget is effectively dead on arrival, particularly with Congress reaching a budget deal for the remainder of FY18 and FY19, there still may be some worthwhile pieces of information to be gleaned from it. (It should be noted this budget deal does not mean agencies received appropriations, and we’re still operating under a continuing resolution through March 23.)

While the priorities of Congress and the administration won’t always line up, there are places where there may be a general level of agreement on what spending might look like for the next year and a half.


DOD Makes Life Easier for All by Going to Common Security Standards

By Rick Antonucci, Analyst

In early March, DOD CIO Teri Takai announced in a DOD Instruction Memo that DIACAP would be replaced with NIST Risk Management Framework (RMF) standards – now, instead of three standards, there is one security standard across the whole federal government. This has been in the pipeline for quite a while, but is just now becoming a reality. Now more vendors can offer solutions, as the costs associated with complying with the additional security framework are eliminated. Systems integrators will also benefit, as they will have more options when providing solutions to the government.


Voluntary Cybersecurity Framework Could Lead to Regulations in the Future

By Lloyd McCoy Jr., Consultant

The Preliminary Cybersecurity Framework, released for industry feedback in October, serves as a preview of the voluntary guidelines and best practices aimed at industry for the purpose of reducing cyber risks to our critical infrastructure (see below). The Framework also focuses on information sharing between industry and the government. Specifically, the government and private critical infrastructure operators, as well as the technology firms who support them, would share information on cyber breaches and ways to prevent them. The draft by the National Institute of Standards and Technology (NIST) was put together with industry feedback, but there are lingering concerns that the final version may not be all that voluntary.

Some industry watchers worry that if a technology company disregards the Framework, and there is an intrusion resulting in loss of data or impaired critical infrastructure, then that firm could be vulnerable to lawsuits. The draft Framework does include liability protection, but only for those who adopt the Framework – leaving those on the outside more vulnerable, particularly if the Framework becomes the de facto standard.

The Framework also addresses privacy and civil liberty concerns, an issue on a lot of people’s minds nowadays. It calls for minimization of personally identifiable information (PII) as information on cyber breaches is shared with the government. The issue here is that all the scrubbing and anonymizing of data that will be required is costly and time-consuming and could prove to be a disincentive.

The White House has gone to great lengths to make the Framework as benign and palatable as possible to industry, but while the Framework is not mandatory, there is concern it could pave the way for regulations and legislation in the future. The Executive Order from which the Framework is derived, for example, requires federal agencies to state whether they have authority to establish requirements based on the Framework… should they need to. Also, the word “should” was dropped from certain sections featuring recommendations for industry. The change was intended to make the language less forceful, but it now reads as if industry is being commanded.

Any concerns or recommendations can be conveyed to the government during a 45-day comment period which ends December 13, 2013. It is open to all industry, particularly those connected in some way to critical infrastructure. I encourage you to take a look at the Framework and take advantage of this opportunity to shape the guidelines which, if you peel back the layers, may become more binding than you might think.
